802.1x dynamic vlan and remote desktop

Alan DeKok aland at deployingradius.com
Tue Dec 3 18:52:45 CET 2019

On Dec 3, 2019, at 10:16 AM, Luc Paulin <paulinster at gmail.com> wrote:
> I am currently testing 802.1x dynamic vlan. So far all works great, except
> for remote desktop connection. Looks like RDP and dynamic vlan don't make
> a good fit, or I may not be doing it correctly. I currently do first
> computer authentication at bootup and then once user is logging in, user
> authentication is done and switch's port moves to the right vlan. Looks like
> no matter which user logged in a desktop, it's the "computer account/vlan"
> that has priority over the user's account/vlan.

  There is no "priority" for VLANs here.  If the computer account logs in *before* the user account, then the computer account is used for VLAN assignment.

> Therefore if user was
> already logged in his system, then decide later to do an RDP session, the
> system will switch to "computers" vlan subnet, which causes
> disconnection/dns update/replication time issues.
> How do you manage remote desktop and dynamic vlan within your
> environment?  Any hint/clues on how to achieve this?

  Use one VLAN.  Don't switch VLANs dynamically.

  You can't control Windows.  And Windows will re-do 802.1X authentication when switching accounts.  The only thing you do control is the RADIUS server.

  So assign one VLAN, and the problem goes away.

  Alan DeKok.
