topic Re: The workaround for VLAN DHCP Release in Network Access Control

The workaround for VLAN DHCP Release

shkuzu — Tue, 06 Mar 2018 12:53:56 GMT

I saw the config example for CWA with catalyst or WLC.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

According to the guide, we don't recommend IP renew method by using VLAN DHCP release.

I guess the reason is renewing address require active-x and it's not 100% sure to work.

Anyway, my customer plan to use two DHCP servers.

One is for short DHCP lease time for 1st auth, and the other have the normal DHCP lease for 2nd auth.

Can we support their way to change IP address?

Re: The workaround for VLAN DHCP Release

ognyan.totev — Tue, 06 Mar 2018 13:12:14 GMT

1st For redirection you can add Vlan ID Just tick Vlan and set the ID before created on the device .After guest successful registered and authenticated you can add other profile and change there vlan too.

Re: The workaround for VLAN DHCP Release

umahar — Wed, 23 Jan 2019 19:20:04 GMT

It's not a problem for closed mode as you can push the vlan in the redirection authorization rule as shown above.

Its an issue in low impact. The vlan dhcp release functionality works but the user experience is not good.

We have used auto smart port macro in lab on 3650 and 3750-E to achieve it.

https://communities.cisco.com/thread/81859

I know of one customer which is trying to implement it in production.

Re: The workaround for VLAN DHCP Release

hslai — Fri, 09 Mar 2018 02:45:34 GMT

Some of our customers are using short DHCP lease time and I have not heard any issue.

Re: The workaround for VLAN DHCP Release

Jason Kunst — Fri, 09 Mar 2018 03:05:58 GMT

Another recommendation would be to register the endpoints of the users into an Endpoint group and after initial Authentication Rely on a authorization rule that simply permit to access if you’re in that end point group

We call this guest remember me

Re: The workaround for VLAN DHCP Release

starvoise — Thu, 10 May 2018 02:25:40 GMT

I agree, I would skip low impact mode if vlan enforcement is needed, it make little sense anyway. Closed mode moves between vlans and dhcp renew does work without issues.

Re: The workaround for VLAN DHCP Release

grant.maynard — Sun, 20 Jan 2019 14:22:16 GMT

Jason, could you expand on this option? I'm trying to get DHCP renew working well for wired guest.

My aim:
port has 802.1x falling back to MAB.
start in VLAN 150, move Guest to VLAN 400, Corp to 500.
[ignoring the Corp part here as only have a problem with Guest]

Authz Rules:
- Guest_Access: if IG=GuestEndpoints then result = Guest (set VLAN 400)
- Redirect_To_Hotspot: if Guest_Flow then result = Hotspot (Redirect to Hotspot portal (sets IG=GuestEndpoints, no AUP, CoA=Terminate))
- Redirect_To_CWA: if Wired_MAB then result = WebAuth (Redirect to CWA (Self Reg Guest) portal (device reg disabled, AUP, success URL set to force HTTP GET so HotSpot kicks in))

It runs through the policy quite nicely but the change of VLAN is not detected by the client. So far the best result i have is from setting a very short DHCP lease (2 minutes) in VLAN 150 - then, approx 16 pings time out from a continuous ping.

In Admin > System > Settings > Profiling the CoA is set to Reauth. I tried Port Bounce but the client didn't see that (perhaps because it's a VM). Also the CoA option on the Hotspot portal (Reauth or Terminate) doesn't appear to make any difference.

I am aware of the SmartPort Macro option but that requires certain switch models, and i want a more general solution.

I've seen a few references by you to a 3-rule solution but can't find or work out the detail.

Re: The workaround for VLAN DHCP Release

Jason Kunst — Sun, 20 Jan 2019 15:30:54 GMT

Did you try with a real client? Perhaps your vm port is not going up and down?

Are you sure your switch is bouncing port?

Re: The workaround for VLAN DHCP Release

grant.maynard — Mon, 21 Jan 2019 00:19:55 GMT

CoA setting in Admin > System > Settings > Profiling (Reauth or Port Bounce) seems to make little difference - if set to Port Bounce then bounce happens when i delete the Endpoint from ISE but not when it joins.
CoA setting in Hotspot portal (Reauth or Terminate) makes no difference i can see.

what is the solution you have alluded to?

Re: The workaround for VLAN DHCP Release

Jason Kunst — Mon, 21 Jan 2019 01:05:26 GMT

What ISE release are you running?
Have you tried 2.4 with latest patch>?

Re: The workaround for VLAN DHCP Release

grant.maynard — Mon, 21 Jan 2019 15:02:00 GMT

Running 2.2 Patch 12.

tried in the lab with 2.4 Patch 5 too - couldn't see any difference.

Re: The workaround for VLAN DHCP Release

Jason Kunst — Tue, 22 Jan 2019 03:00:26 GMT

Thanks I would recommend working through TAC as well.

Again its not recommended to do vlan change for these various reasons. I provided some options that might help workaround your issues but ultimately trying to steer away from that.

What would be a better solution would be to use segementation with SGTs so that you can separate devices using tags instead of VLAN/ips

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475