topic Assign IP address to guest users in the switch by ISE in Network Access Control

Assign IP address to guest users in the switch by ISE

ricardo.preto — Mon, 11 Mar 2019 03:54:53 GMT

There is a situation that I need assign ip address to guest users in the switch by ISE. Is this possible? If yes, How Can I do this?

Thanks.

Assign IP address to guest users in the switch by ISE

Peter Koltl — Wed, 18 Sep 2013 15:29:50 GMT

Why?

Assign IP address to guest users in the switch by ISE

ricardo.preto — Wed, 18 Sep 2013 15:58:10 GMT

Hello Peter.

My customer does not have wireless network and he did not want to work with DVLAN because the problem with renew ip address when occur the change of the VLAN. He will go to work with DACL in authorization profile.

The problem occurs with users guest, as they will be in the same network as corporate users, so there is no way to create a specific rule allowing access to the internet in the firewall ASA for guest users only.

As my customer receives few guests if I could assign IP address via ISE for guest users maybe I could use DVLAN for this specific case.

The customer does not want to use supplicant anyconnect.

Best Regards

Ricardo.

Assign IP address to guest users in the switch by ISE

Peter Koltl — Wed, 18 Sep 2013 17:19:35 GMT

Create a dACL on ISE that prevents guests from accessing the company network but allows them to use the Internet.

Assign IP address to guest users in the switch by ISE

ricardo.preto — Wed, 18 Sep 2013 17:38:22 GMT

I had suggested this to my customer but he did not want to leave the output open Internet to the corporate network in the firewall. I explained to him that the firewall rules that control the output of the Internet to the corporate network could be applied via DACL and so could leave the output released in firewall for internet for the whole corporate network.

Assign IP address to guest users in the switch by ISE

aqjaved — Fri, 20 Sep 2013 10:23:15 GMT

Please check the below links which can helpful for you:

Link-1:

http://webcache.googleusercontent.com/search?hl=en-GB&q=cache:ntFyDVyka18J:http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_sw_cnfg.html%2BAssign+IP+address+to+guest+users+in+the+switch+by+ISE&gbv=2&ct=clnk

Link-2:

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml

Assign IP address to guest users in the switch by ISE

Peter Koltl — Fri, 20 Sep 2013 20:01:43 GMT

I like Link2 and I've searched for the Vlan Dhcp Release option in the user guide:

An applet downloads to perform the IP release renew operation.

Assign IP address to guest users in the switch by ISE

harvisin — Sat, 21 Sep 2013 21:25:31 GMT

Hello,

Please go through the below information which might be helpful to you:-

If you assign a VLAN, the final step is for the client PC to renew its IP address. This step is achieved by the guest portal for Windows clients. If you did not set a VLAN for the 2nd AUTH rule earlier, you can skip this step.

If you assigned a VLAN, complete these steps in order to enable IP renewal:

Click Administration, and then click Guest Management.
Click Settings.
Expand Guest, and then expand Multi-Portal Configuration.
Click DefaultGuestPortal or the name of a custom portal you may have created.
Click the Vlan DHCP Releasecheck box.Note: This option works only for Windows clients.

and for more information on Vlan DHCP release:-

VLAN DHCP IP Release/Renew

This affects the CWA user login flow when the network access during the final authorization switches the guest VLAN to a new VLAN. In this case, the old IP of the guest needs to be released before the VLAN change and a new guest IP needs to be requested through DHCP once the new VLAN access is in place. The Cisco ISE server redirects the guest browser to download an applet to perform the IP release renew operation.

The delay to release time should be low since it needs to occur immediately after the applet is downloaded and before the Cisco ISE server directs the NAD to re-authenticate with a CoA request. The default release value is 1 second.

The delay to CoA delays the Cisco ISE from executing the CoA. Here, enough time should be given to allow the applet to download and perform the IP release on the client. The default value is 8 seconds.

The delay to renew value is added to the IP release value and does not begin timing until the control is downloaded. The renew should be given enough time so that the CoA is allowed to process and the new VLAN access granted. The default value is 12 seconds.

Assign IP address to guest users in the switch by ISE

blenka — Sat, 28 Sep 2013 00:39:36 GMT

No I hope there is no such kind of possibility, only Vlan DHCP can be used and it’s a normal practice.

The best practice is to use ACL’s for the implementation.

Assign IP address to guest users in the switch by ISE

bikespace — Mon, 30 Sep 2013 22:43:34 GMT

Are you using 1.2?

I've not tried this yet, but the way I understood it, 1.2 allowed the CoA action to be changed based on profile policy, so you could use dynamic VLAN and choose to 'port bounce' for the guest users. The port bounce should be enough to allow DHCP to renew with new IP.

If this is not possible yet, then it should be 🙂

I'll have a look and see if that was actually added as an option. I may have dreamt it.