Hi Jörg, Thanks for this that's a great help.
Will try reducing the DHCP lease time tomorrow and see if that sorts it but I see the minimum lease time is 1 minute (MS Windows 2012) so that may still be too long. re. the fallthru auth - I hadn't seen that - certainly looks like that will work. Thanks, Nick. On Wed, Mar 5, 2014 at 9:04 PM, Joerg Mayer <[email protected]> wrote: Hello Nick, On Wed, Mar 05, 2014 at 06:47:51PM +0000, Nick Allen wrote: > If we have a VNS which has an unauthenticated role which uses a topology in > one vlan and an authenticated role which uses a topology in another vlan, > how is DHCP handled by the client? > > Just had it now where when I authenticated to the internal captive portal, > the client didn't release/renew DHCP after successful authentication, so > although i was successfully auth'd by the captive portal and the controller > (reports / view active clients) showed I'm on the correct role/topology, > the IP on my Mac was still showing as the IP I had in the unauthenticated > topology. On my mac, when I manually renewed the IP, it worked. This is from the current (8.32.4.6) release notes: Note: When the DHCP lease time is long the VNS is configured such that the DHCP IP address changes upon authentication, i.e. topology changes, some clients may not renew their IP address in an "acceptable" time to the authenticated/new IP address. In these instances the DHCP lease time for the un-authenticated topology should be reduced. Or manually renew the DHCP leasing again. > On another note, is it possible to do fall-thru authentication (for our > visitors)? > > ie. Is it possible to have a single VNS (and therefore just one SSID) which > will attempt to auth against RADIUS using mac address first (for regular > visitors who we trust) and if that fails, then it'll dump them to the > captive portal, which then if they auth correctly they will get access? Or > must I use two VNS's and therefore 2 SSID's to achieve this? >From the 8.32.xxx User Guide: Note: Both MAC-based Authorization settings work together so that a station can be allowed onto a WLAN Service if it passes MAC-based authentication or Captive Portal authentication. Owners of known stations do not have to enter credentials and owners of unknown stations can get onto the network, if authorized, via Captive Portal. Ciao Jörg -- Joerg Mayer <[email protected]> We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology. --- To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys [email protected] -- This e-mail is intended only for the named person or entity to which it is addressed and contains valuable business information that is proprietary, privileged, confidential and/or otherwise protected from disclosure. If you received this e-mail in error, any review, use, dissemination, distribution or copying of this e-mail is strictly prohibited. Please notify us immediately of the error via e-mail to [email protected] and please delete the e-mail from your system, retaining no copies in any media. We appreciate your cooperation. --- To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys [email protected]
