I did research through Internet/Forums/KB but not find answers to my few question with UAC deployment:
The main one is: Is it possible to have remediation server on a different VLAN than remediation VLAN??
I realize this might seem a little strange but due to certain circumstances it's not possilble to actually have the remdiation server in the remediation vlan.
To clearify a little, here's the scenario:
I have PC with Odissey client installed and host-checker enabled. When host check fails, UAC set the port on the switch to remediation vlan (VLAN-ID 33) - as it should.
When I open cmd and check ip configuration (type in cmd ipconfig) I see the next situation:
ip address 192.168.33.x
subnet mask 255.255.255.0
default-gateway 22.214.171.124 as you can see an ip address for vlan 33 is delivered from the dchp server but it looks like either odyssey or the host checker overide the default gateway recieved from the dhcp and set the dgw to the dgw on the vlan where the IC sits.. [dgw on dchp scope is set and verified to be 192.168.33.254)
My remediation server is in part of Virtual-Machine that is on vlan 130 with IP address 126.96.36.199 in Corporate-network (VLAN-ID 130). This means it is not accessible in layer 2 for the end-user pc in the remediation vlan so the fact that it doesn't recieve a valid dgw setting is preventing the end-user machine from reaching the remediation server..
I would like to have the end-user machine be able to access vlan 130 via layer3 (will add later an access list permitting access to remediation server ip only).
1. Could you please try and explain why we are seeing the default gateway being (apparently) overridden by the host-checker or odyssey and if this expected behavior?
2. if this is expected behavior - can i change it so that my end-user will be able to see the remediation vlan via layer3?
If it's absoultly neccesary we will install a separate remediation server inside the vlan - but we would rather avoid it if possible at this stage.
Thanks in advance sorry for my english igal-igor
If you place a PC in VLAN33 without any 802.1x, does it receive an valid default gateway? OAC should not keep the default gateway for another VLAN. Only thing I can think of is that the DHCP server is not configured to send the default gateway/router DHCP option for VLAN33.
So OAC / Host checker doesn't do DHCP.
What happens is that when you fail a host check, this triggers OAC to do a re-auth. This reauth now re-evaluates your roles and your radius attribute policies and can thus pass back a different vlan tag to the switch.
After that point, OAC sends a notification to windows called a media connect. This is the same thing that happens in windows as when you are plugging in a network cable. Windows then sends out a dhcp request to your DHCp server. The server would retrun a certain set of DHCP options, one of which should be the default gateway.
As far as a remediation server being on a different network, that's all going to be a matter of networking. If the server is route-able from the remediation network, then the PC will be able to reach it. The trick is to make sure that the IC is reachable from the remediation network. If not, then host check will never run again except at the next auth interval or if you manual tell OAC to reconnect to the network. Host check runs at the initial 802.1x auth, but needs to be able to reach the IC in order to perform checks at the regular intervals or for "notify me of a change" settings to work.
My guess would be that either you've got static information entered on the PC, or your DHCP server is passing back odd options. You should be able to install wireshark or something to check to see if your DHCP server is returning the wrong gateway.