Normally when you add a critical VLAN, it's a different VLAN from your normal VLAN, just to give the clients some form of access, often just internet access.
If the clients have static IP addresses they will of course not work on this other VLAN.
Configuring the critical VLAN to be the same as your client VLAN isn't a good idea, as this would provide a bypass option for the authentication to the network.
If you are using downloadable user roles you can configure cached-reauth. This feature will assign the same role as during the last successful authentication if the RADIUS server is unavailable during reauthentication. This will not solve a scenario with a new client trying to connect during an outage.
aaa authentication port-access dot1x authenticator cached-reauth
aaa authentication port-access dot1x authenticator cached-reauth-period <PERIOD>
aaa authentication port-access mac-auth cached-reauth
aaa authentication port-access mac-auth cached-reauth-period <PERIOD>
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or marking it as the solution
------------------------------
Original Message:
Sent: Sep 01, 2025 01:42 PM
From: happyrp
Subject: Fail open or Fail safe mode during NAC system failure
Hello All
In an environment where all NADs are remotely connected to a centralised CPPM deployment with statically addressed endpoints (no DHCP), how will defining a critical VLAN help during NAC failure?
Could you please help me with a review or any reference for a static IP environment? How is this different in a DHCP environment with a default VLAN?
-------------------------------------------