Apple Authentication with NAC and Policy

  • 0
  • 3
  • Question
  • Updated 2 years ago
  • Answered
We have deployed a V2110 controller with NAC at a client.

When users connect to the client's SSID they are placed in a Unregistered Vlan that only allows Access to the NAC using Policy Based routing.

When the client finished with the registration process the either the "Web authenticated" policy or the "Registred Guest" policy applies to the user.

Both these Policies apply a "Bridge @ AP" topology.
The result is that once the user registered and the new policy is applied the user would be placed in the the untagged vlan at the AP.

For Andriod and Windows devices this process works fine.
The client connects initially and the unregistered policy and Vlan is applied, the client is redirected to the NAC portal and completes registration.
Once registration is completed the new policy is applied, either the "Web Auth" policy to the "Registered Guest" policy.
The Andriod and Windows devices automatically releases and renew's their IP's.

With the Apples devices (Both MAC and Iphones) receives the new policy but never renews the IP address. Only a manual disconnect and reconnect updates the IP.
It would seem that the Apple devices ignores the "DHCP release/Renew" instruction that is sent to it.

Any idea why?

Thx
Andre
Photo of Andre Brits Kannemeyer

Andre Brits Kannemeyer

  • 5,288 Points 5k badge 2x thumb

Posted 2 years ago

  • 0
  • 3
Photo of Craig Guilmette

Craig Guilmette, Employee

  • 2,752 Points 2k badge 2x thumb
Hello Andre
There is no DHCP release/renew sent. It is simply the Windows and Droid devices work better to realize their topology has changed and they cant reach their default gateway and because of that they ask for a new IP. Plus the fact that Apple clients always ask for the longest time lease when they request a dhcp address. They sit with the old address as assume it is still good. In the GTAC we have worked around this by setting the dhcp server lease for the unregistered role/topology/vlan to 20 seconds for min and max when the controller is doing the dhcp. If you are using a windows DHCP server I believe the lowest you can set the lease time for is 1 minute but at least within 30 seconds (1/2 the lease time) the Apple client will ask for a new IP. If you can use a linux DHCP server or our controller we have found the 20 second lease to be perfect.

Good Luck
Craig Guilmette┬á´╗┐
Photo of Andre Brits Kannemeyer

Andre Brits Kannemeyer

  • 5,288 Points 5k badge 2x thumb
Great thx Craig