You can let wireless do DHCP too. So for your non-auth network you may be able to reduce the DHCP time further. I haven't looked.
However, why have different VLANs? With policy you can control what they can connect to when they have a non-auth policy. The non-auth policy can have a default action of deny and then you only allow what is needed, i.e. DHCP, DNS, and access to the web portal. Then, once they auth, they get the gold and have a policy with a default action of allow and then you just deny what you don't want them to access, all while on the same VLAN.

Do you have Netsight, Policy and NAC? You can really get groovy if you have that.

John

On Wed, Mar 5, 2014 at 7:36 PM, Nick Allen <[email protected]> wrote:

> Hi Jörg,
>
> Thanks for this, that's a great help.
>
> Will try reducing the DHCP lease time tomorrow and see if that sorts it
> but I see the minimum lease time is 1 minute (MS Windows 2012) so that may
> still be too long.
>
> re. the fallthru auth - I hadn't seen that - certainly looks like that
> will work.
>
> Thanks,
>
> Nick.
>
> On Wed, Mar 5, 2014 at 9:04 PM, Joerg Mayer <[email protected]> wrote:
>
>> Hello Nick,
>>
>> On Wed, Mar 05, 2014 at 06:47:51PM +0000, Nick Allen wrote:
>> > If we have a VNS which has an unauthenticated role which uses a topology in
>> > one vlan and an authenticated role which uses a topology in another vlan,
>> > how is DHCP handled by the client?
>> >
>> > Just had it now where when I authenticated to the internal captive portal,
>> > the client didn't release/renew DHCP after successful authentication, so
>> > although I was successfully auth'd by the captive portal and the controller
>> > (reports / view active clients) showed I'm on the correct role/topology,
>> > the IP on my Mac was still showing as the IP I had in the unauthenticated
>> > topology. On my Mac, when I manually renewed the IP, it worked.
>>
>> This is from the current (8.32.4.6) release notes:
>> Note: When the DHCP lease time is long the VNS is configured such that the
>> DHCP IP address changes upon authentication, i.e. topology changes, some
>> clients may not renew their IP address in an "acceptable" time to the
>> authenticated/new IP address. In these instances the DHCP lease time for the
>> un-authenticated topology should be reduced. Or manually renew the DHCP
>> leasing again.
>>
>> > On another note, is it possible to do fall-thru authentication (for our
>> > visitors)?
>> >
>> > ie. Is it possible to have a single VNS (and therefore just one SSID) which
>> > will attempt to auth against RADIUS using mac address first (for regular
>> > visitors who we trust) and if that fails, then it'll dump them to the
>> > captive portal, which then if they auth correctly they will get access? Or
>> > must I use two VNS's and therefore 2 SSID's to achieve this?
>>
>> From the 8.32.xxx User Guide:
>> Note: Both MAC-based Authorization settings work together so that a station
>> can be allowed onto a WLAN Service if it passes MAC-based authentication or
>> Captive Portal authentication. Owners of known stations do not have to enter
>> credentials and owners of unknown stations can get onto the network, if
>> authorized, via Captive Portal.
>>
>> Ciao
>> Jörg
>> --
>> Joerg Mayer <[email protected]>
>> We are stuck with technology when what we really want is just stuff that
>> works. Some say that should read Microsoft instead of technology.

--
John Kaftan
IT Infrastructure Manager
Utica College
