Friday
1) Using guest-isid solely for WoL does not seem to be possible when dynamic VLAN assignment is used.
We can configure an 802.1X-enabled port with "eapol traffic-control in", which means that ingress traffic will be denied before (successful) authentication takes place.
Now the traffic-control limitation does not seem to work in a network with dynamic VLAN assignment, as you have to use either the default port-based VLAN or the Guest VLAN to egress the control traffic (WoL). (A silent device, i.e. a device waiting for WoL, does not have a VLAN assigned in a dynamic VLAN assignment scenario.)
I find that rejected clients can talk to each other in the guest i-sid. However, we just need a way for WoL to work; we don't want rejected devices to actually be able to use the network.
2) Using MAC-based sessions on a port with a) one MAC (auth success) assigned to a prod VLAN and b) another MAC (auth rejected) assigned to the guest i-sid (both on the same port).
Now if IP ranges inside both VLANs/i-sids agree, both can talk to each other (Prod to Guest and Guest to Prod). The latter is the main problem.
How to secure all of this?