802.1x dynamic vlan and remote desktop

Luc Paulin paulinster at gmail.com
Tue Dec 3 19:37:02 CET 2019


>  Use one VLAN.  Don't switch VLANs dynamically.
Agreed that this would work. However, users move around frequently, therefore
I would rather assign the vlan dynamically.

>  You can't control Windows.  And Windows will re-do 802.1X authentication
>  when switching accounts.  The only thing you do control is the RADIUS
>  server.
>  So assign one VLAN, and the problem goes away.
Yes, and this works very well.

Actually, I am looking at maybe assigning the vlan based on group membership of
a computer group.

--
                         !!!!!
                       ( o o )
 --------------oOO----(_)----OOo--------------
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster



On Tue, Dec 3, 2019 at 12:52, Alan DeKok <aland at deployingradius.com>
wrote:

> On Dec 3, 2019, at 10:16 AM, Luc Paulin <paulinster at gmail.com> wrote:
> > I am currently testing 802.1x dynamic vlan. So far all works great, except
> > for remote desktop connection. Looks like RDP and dynamic vlan don't make
> > a good fit, or I may not be doing it correctly. I currently do first
> > computer authentication at bootup and then once user is logging in, user
> > authentication is done and switch's port moves to the right vlan. Looks like
> > no matter which user logged in a desktop, it's the "computer account/vlan"
> > that has priority over the user's account/vlan.
>
>   There is no "priority" for VLANs here.  If the computer account logs in
> *before* the user account, then the computer account is used for VLAN
> assignment.
>
> > Therefore if user was
> > already logged in his system, then decides later to do an RDP session, the
> > system will switch to "computers" vlan subnet, which causes
> > disconnection/dns update/replication time issues.
> >
> > How do you manage remote desktop and dynamic vlan within your
> > environment?  Any hint/clues on how to achieve this?
>
>   Use one VLAN.  Don't switch VLANs dynamically.
>
>   You can't control Windows.  And Windows will re-do 802.1X authentication
> when switching accounts.  The only thing you do control is the RADIUS
> server.
>
>   So assign one VLAN, and the problem goes away.
>
>   Alan DeKok.

