802.1x dynamic vlan and remote desktop
aland at deployingradius.com
Tue Dec 3 18:52:45 CET 2019
On Dec 3, 2019, at 10:16 AM, Luc Paulin <paulinster at gmail.com> wrote:
> I am currently testing 802.1x dynamic vlan. So far all work great, except
> for remote dekstop connection. Look like RDP and dynamic vlan doesn't make
> a good fit, or I may not be doing it correctly. I currently do first
> computer authentification at bootup and then once user is logging in, user
> authentication is done and switch's port move to the right vlan. Look like
> no matter which user logged in a desktop, it's the "computer account/vlan"
> that has priority over the user's account/vlan.
There is no "priority" for VLANs here. If the computer account logs in *before* the user account, then the computer account is used for VLAN assignment.
> Therefore if user was
> already logged in his system, then decide later to do an RDP session, the
> system will switch to "computers" vlan subnet, which cause
> disconnection/dns update/replication time issues.
> How do you manage remote desktop and dynamic vlan within your
> environement? Any hint/clues on how to achieve this?
Use one VLAN. Don't switch VLANs dynamically.
You can't control Windows. And WIndows will re-do 802.1X authentication when switching accounts. The only thing you do control is the RADIUS server.
So assign one VLAN, and the problem goes away.
More information about the Freeradius-Users