In addition to company issued laptops, we have on our network many devices issued to us by our clients, used primarily to VPN back into the issuing company's network.
I want to segregate the traffic for these client devices, primarily for security reasons but also to exclude them from our inventory system --- these client devices are usually locked down tight and can't be scanned.
I am using Adtran 1638p switches, and have created VLAN 2 for our company owned devices and VLAN 3 for client devices. Here is a typical port configuration:
interface gigabit-switchport 0/1
switchport mode trunk
switchport trunk native vlan 2
switchport trunk allowed vlan 2,3
Let's assume VLAN 2 is 10.0.2.0/24 and VLAN 3 is 10.0.3.0/24.
I want my users to be able to plug in a laptop and end up on the correct VLAN based on whether it is a company or client laptop. All I have to work with is the MAC address. Is there any way to assign the VLAN based on the MAC address so that a company-owned device gets a 10.0.2.x address and the client-owned laptop gets a 10.0.3.x address?
I have thoroughly researched ways to make this happen at the DHCP server, and I think it just can't be done at that level because the DHCP server sees the Relay Agent address as the native VLAN address and assigns IPs accordingly.
Thanks for any help!
Check out this Microsoft Technet article. I believe it has the information you're looking for starting at the "DHCP policy based assignment demonstration" section. You should be able to capture the client devices' MAC addresses and then configure the DHCP server to only assign DHCP addresses in 10.0.3.0/24. Also, if those clients have laptops, do the same thing for their wireless MAC.
Thanks for the quick reply.
I use the heck out of the policy-based assignment rules, but they work at the scope level, allowing me to identify how IPs are distributed within that scope. I'm looking one level higher, trying to decide which scope, after which the scope-level policies apply. There are some server-level policies but I haven't been able to make them work for me.
The example above is pretty simple just to show the issue, but the reality is much more complex with many VLANs, subnets, and scopes.
Scope selection seems to rely 100% on relay agent IP address, so I thought I would try to resolve this at the switch level by directing MACs to the right VLAN and associated relay agent.
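As an added example (not part of the original thread, and not Adtran or Microsoft code), the following Python models the behaviour described in the question and in the reply above: a relayed DHCPDISCOVER carries the relay agent address in giaddr, the server picks the scope whose subnet contains giaddr, and only then does a MAC-based policy pick a range inside that scope. Assumptions: the subnets from the question, relay agent addresses 10.0.2.1 and 10.0.3.1, a constructed OUI 00:1a:2b standing in for a client-issued laptop, and a simplified prefix matcher standing in for the Windows DHCP policy engine.

```python
"""Model of DHCP scope selection by giaddr followed by a MAC-based policy.

Added illustration, not code from the thread or from any vendor. It shows
why a MAC-based policy can move a client within a scope (10.0.2.200-250)
but never into another scope (10.0.3.x): the scope is fixed by giaddr.
"""
import ipaddress
import struct

# Scopes from the question: VLAN 2 = 10.0.2.0/24, VLAN 3 = 10.0.3.0/24.
SCOPES = {
    ipaddress.ip_network("10.0.2.0/24"): {"name": "VLAN2-company",
                                          "pool": ("10.0.2.100", "10.0.2.199")},
    ipaddress.ip_network("10.0.3.0/24"): {"name": "VLAN3-client",
                                          "pool": ("10.0.3.100", "10.0.3.199")},
}

# Hypothetical scope-level policy: client-issued laptops (constructed OUI
# 00:1a:2b, an assumption) get their own range, but still inside VLAN 2.
POLICIES = {
    "VLAN2-company": [{"mac_prefix": "00:1a:2b",
                       "pool": ("10.0.2.200", "10.0.2.250")}],
}


def build_discover(chaddr: bytes, giaddr: str) -> bytes:
    """Build the fixed 236-byte BOOTP header of a relayed DHCPDISCOVER.

    Constructed test input; DHCP options are omitted because scope
    selection only needs giaddr and chaddr.
    """
    pkt = struct.pack("!BBBB", 1, 1, 6, 1)            # op, htype, hlen, hops=1
    pkt += struct.pack("!IHH", 0x3903F326, 0, 0x8000)  # xid, secs, flags
    pkt += bytes(4) + bytes(4) + bytes(4)              # ciaddr, yiaddr, siaddr
    pkt += ipaddress.ip_address(giaddr).packed         # giaddr set by the relay
    pkt += chaddr.ljust(16, b"\x00")                   # chaddr padded to 16
    pkt += bytes(64) + bytes(128)                      # sname, file
    return pkt


def parse_discover(pkt: bytes) -> dict:
    """Extract hops, giaddr and client MAC from the BOOTP header."""
    _op, _htype, hlen, hops = struct.unpack("!BBBB", pkt[:4])
    giaddr = str(ipaddress.ip_address(pkt[24:28]))
    mac = ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])
    return {"hops": hops, "giaddr": giaddr, "mac": mac}


def select_scope(giaddr: str):
    """Pick the scope whose subnet contains giaddr (RFC 2131 section 4.3.1).

    The client's MAC plays no part here; that is the limitation the
    thread is working around.
    """
    ga = ipaddress.ip_address(giaddr)
    for net, scope in SCOPES.items():
        if ga in net:
            return scope["name"], scope
    raise LookupError(f"no scope serves relay agent {giaddr}")


def choose_pool(scope_name: str, scope: dict, mac: str) -> tuple:
    """Apply MAC-based policies, but only those attached to the chosen scope."""
    for policy in POLICIES.get(scope_name, []):
        if mac.startswith(policy["mac_prefix"]):
            return policy["pool"]
    return scope["pool"]


def assign(pkt: bytes) -> dict:
    """Full decision for one relayed request: scope first, then policy."""
    req = parse_discover(pkt)
    scope_name, scope = select_scope(req["giaddr"])
    pool = choose_pool(scope_name, scope, req["mac"])
    return {"mac": req["mac"], "giaddr": req["giaddr"],
            "scope": scope_name, "pool": pool}


if __name__ == "__main__":
    client_mac = bytes.fromhex("001a2b0a0b0c")  # constructed client laptop
    # Same laptop, plugged into a VLAN 2 port: the policy fires, but the
    # address is still 10.0.2.x because giaddr pinned the scope.
    print(assign(build_discover(client_mac, "10.0.2.1")))
    # Only when the switch puts the port on VLAN 3 does giaddr change and
    # the client land in 10.0.3.x.
    print(assign(build_discover(client_mac, "10.0.3.1")))
```

Run it as-is to see both decisions; the first result is the policy-based assignment the reply suggests, the second is what the question actually needs, and the only input that differs between them is giaddr, which the switch controls.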
Good news. There is a new feature added in R11.13.0 firmware that will allow a RADIUS server to assign the VLAN based on the MAC address or 802.1X authentication.
Not released just yet (5/19), but days away.