Is anyone doing extensive dynamic VLAN assignment with low-impact mode? If so, how are you getting around the issue of having a client get an IP address on the switchport configured VLAN then not releasing that address once the VLAN changes? I didn't know a way around this other than configuring closed mode...but closed mode is causing me a lot of client issues.
I believe that it is the supplicant's responsibility to determine when there has been a VLAN change on the port and refresh the IP address at that point. This should happen with standard CoA regardless of Open or Closed mode.
Are you experiencing the issue with certain clients/supplicants or supplicantless devices? If so, there are ways to fix that below.
** Note that I do not believe this works with multiple authentication sessions on a single port--you will have to use re-auth in that case.
Cisco ISE Active RADIUS Sessions
Cisco ISE provides a dynamic Change of Authorization (CoA) feature for the Live Sessions that allows you to dynamically control active RADIUS sessions. You can send reauthenticate or disconnect requests to a Network Access Device (NAD) to perform the following tasks:
Force endpoints to reacquire IP addresses—You can use the Session termination with port bounce option for endpoints that do not have a supplicant or client to generate a DHCP request after a VLAN change.
Understanding RADIUS Change of Authorization
With Cisco IOS Release 12.2(33)SXI4 and later releases, the switch can accept and execute unsolicited Change of Authorization (CoA) messages from the authentication server (AS). CoA is an extension to the RADIUS protocol that allows the AS to make dynamic and unsolicited changes to the authorization information of an active session hosted by a network access device, such as a switch. For more information about CoA, see RFC 5176.
The Catalyst 6500 series switch supports per-session and per-policy CoA commands relating to 802.1X, MAB, and web-based authentication sessions.
Using per-session CoA commands, the AS can cause the switch to terminate a session or to force a reauthentication of the session. To terminate a session, the AS can instruct the switch to perform one of the following actions:
• End the session—The AS sends a CoA Disconnect-Request (see RFC 5176), causing the switch to delete all state information about the session.
• Shut down the port—The AS sends the following VSA to force an administrative shutdown of the port:
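Worked example, added here and not part of the original thread (it is neither Cisco IOS nor ISE code): a small Python implementation of the RFC 5176 exchange the pasted documentation describes. It builds a Disconnect-Request ("end the session") and a CoA-Request for a port bounce, computes the Request Authenticator exactly as section 2.3 of the RFC specifies, and includes a toy stand-in for the switch (`simulate_nad`) that authenticates the request with the shared secret, returns an ACK for a known Acct-Session-Id, and returns a NAK with Error-Cause 503 (Session Context Not Found) otherwise. The shared secret, session ID and MAC are constructed sample values; the `subscriber:command=bounce-host-port` AV-pair string follows Cisco's published CoA syntax and is an assumption here, not something stated on this page.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 (Dynamic Authorization Extensions to RADIUS)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types that identify a session (RFC 2865 / RFC 2866) and report errors (RFC 5176)
USER_NAME, VENDOR_SPECIFIC, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 1, 26, 31, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503          # Error-Cause value, RFC 5176 section 3.5
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1     # IANA enterprise number for Cisco; Cisco-AVPair vendor type


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    payload = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(payload) + 2) + payload
    return attr(VENDOR_SPECIFIC, vsa)


def build_request(code, identifier, attributes, secret):
    """CoA-Request / Disconnect-Request. RFC 5176 section 2.3:
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return header + hashlib.md5(header + bytes(16) + attributes + secret).digest() + attributes


def verify_request(request, secret):
    """What the NAD does on receipt: recompute the Request Authenticator with the shared secret."""
    if len(request) < 20 or struct.unpack("!H", request[2:4])[0] != len(request):
        return False
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])


def build_response(code, request, attributes, secret):
    """ACK/NAK as the NAD sends it, reusing the request Identifier.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    return header + hashlib.md5(header + request[4:20] + attributes + secret).digest() + attributes


def verify_response(response, request, secret):
    """What the server (e.g. ISE) does on receipt: bind the reply to the request it answers."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet):
    """Return [(type, value), ...]; reject attribute lengths that run past the packet."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def disconnect_request(session_id, mac, secret, identifier=1):
    """'End the session': Disconnect-Request keyed on Acct-Session-Id and Calling-Station-Id."""
    attrs = attr(ACCT_SESSION_ID, session_id.encode()) + attr(CALLING_STATION_ID, mac.encode())
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


def port_bounce_request(session_id, secret, identifier=2):
    """Port bounce for supplicant-less endpoints: a CoA-Request carrying a Cisco-AVPair.
    ASSUMPTION: the AV-pair string follows Cisco's published CoA syntax; it is not on this page."""
    attrs = attr(ACCT_SESSION_ID, session_id.encode()) + cisco_avpair("subscriber:command=bounce-host-port")
    return build_request(COA_REQUEST, identifier, attrs, secret)


def simulate_nad(request, secret, known_sessions):
    """Toy switch: ACK when the Acct-Session-Id is active, NAK with Error-Cause 503 otherwise."""
    if not verify_request(request, secret):
        return None                       # RFC 5176: silently discard on a bad authenticator
    sid = dict(parse_attributes(request)).get(ACCT_SESSION_ID, b"").decode()
    ack = COA_ACK if request[0] == COA_REQUEST else DISCONNECT_ACK
    nak = COA_NAK if request[0] == COA_REQUEST else DISCONNECT_NAK
    if sid in known_sessions:
        return build_response(ack, request, b"", secret)
    err = attr(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    return build_response(nak, request, err, secret)


if __name__ == "__main__":
    SECRET = b"radius-shared-secret"      # constructed sample secret
    req = disconnect_request("0000000A", "00-11-22-33-44-55", SECRET)
    reply = simulate_nad(req, SECRET, {"0000000A"})
    print("ACK" if reply[0] == DISCONNECT_ACK and verify_response(reply, req, SECRET) else "unexpected")
```

Two points worth noting from running it: a request built with the wrong shared secret is discarded by the NAD with no reply at all, which is the usual symptom when ISE's CoA port and key do not match the switch's dynamic-author configuration; and a NAK carrying Error-Cause 503 means the switch has no session matching the Acct-Session-Id you sent, which is what you see if the session keys in your request do not line up with what the switch tracks.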