https://community.cisco.com/t5/network-access-control/vlan-change-coa/m-p/3508821#M520243 <HTML><HEAD></HEAD><BODY><P>Hi ISE community,</P><P></P><P>one of our customers have the following scenario:</P><P></P><UL><LI>Wired access where employees and guests can connect</LI><LI>Switchports by default on corporate VLAN X</LI><LI>CWA for any non-domain PC with self registration portal</LI></UL><P></P><P>Now the customer asked to differentiate Guest traffic based on VLAN (all users authenticated on CWA portal with guest credentials).</P><P></P><P>I have done some test but basically the problem is that the endpoint does not recognize that the VLAN has changed and the IP is not beign refreshed by the client.</P><P></P><P>Anyone have any suggestion in order to achieve that ?</P><P></P><P>The objective is to have something that could differentiate guest traffic like another VLAN for guest traffic, another network ecc. I have tried to see if SGT could be an option but basically the target device (web proxy) do not recognize the TrustSec tag.</P><P></P><P>Do you think that assign the same network on different VLAN using VRFs could be an option?</P><P></P><P>Thanks.</P><P></P><P>M</P></BODY></HTML> Thu, 02 Nov 2017 13:24:30 GMT matteodapozzo 2017-11-02T13:24:30Z https://community.cisco.com/t5/network-access-control/vlan-change-coa/m-p/3508821#M520243 <HTML><HEAD></HEAD><BODY><P>Hi ISE community,</P><P></P><P>one of our customers have the following scenario:</P><P></P><UL><LI>Wired access where employees and guests can connect</LI><LI>Switchports by default on corporate VLAN X</LI><LI>CWA for any non-domain PC with self registration portal</LI></UL><P></P><P>Now the customer asked to differentiate Guest traffic based on VLAN (all users authenticated on CWA portal with guest credentials).</P><P></P><P>I have done some test but basically the problem is that the endpoint does not recognize that the VLAN has changed and the IP is not beign refreshed by the client.</P><P></P><P>Anyone have any suggestion in order to achieve that ?</P><P></P><P>The objective is to have something that could differentiate guest traffic like another VLAN for guest traffic, another network ecc. I have tried to see if SGT could be an option but basically the target device (web proxy) do not recognize the TrustSec tag.</P><P></P><P>Do you think that assign the same network on different VLAN using VRFs could be an option?</P><P></P><P>Thanks.</P><P></P><P>M</P></BODY></HTML> Thu, 02 Nov 2017 13:24:30 GMT https://community.cisco.com/t5/network-access-control/vlan-change-coa/m-p/3508821#M520243 matteodapozzo 2017-11-02T13:24:30Z https://community.cisco.com/t5/network-access-control/vlan-change-coa/m-p/3508822#M520244 <HTML><HEAD></HEAD><BODY><P>Hi ,yes you&nbsp; can use different VRF ,as you know i am sure u can have different VRF for management other for DATA ,other for VOICE , in my deployment i have them and guest VLAN . But i have only wireless guest not wired ,nvm. I think you can creat new <SPAN class="nested xwtBreadcrumb"><A>Authorization Profiles</A><SPAN class="xwtBreadcrumbSeparator"> &gt; </SPAN><SPAN class="xwtBreadcrumbText xwtBreadcrumbLast">New Authorization Profile and tag the VLAN you want for guest <IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/112928_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></SPAN></SPAN></P><P>After just add this profile to authorization rule .</P><P>You can test this too <IMG alt="" class="jive-image image-2" src="https://community.cisco.com/legacyfs/online/fusion/112929_pastedImage_1.png" style="max-width: 1200px; max-height: 900px;" /></P></BODY></HTML> Thu, 02 Nov 2017 13:46:06 GMT https://community.cisco.com/t5/network-access-control/vlan-change-coa/m-p/3508822#M520244 ognyan.totev 2017-11-02T13:46:06Z https://community.cisco.com/t5/network-access-control/vlan-change-coa/m-p/3508823#M520245 <HTML><HEAD></HEAD><BODY><P>Thank you ognyan for your feedback, I appreciate.</P><P></P><P>I would like to stay away from VLAN DHCP Release option because we don't know if the Guest clients have ActiveX o<SPAN style="font-size: 10pt;">r Java support. Please let me know.</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">Thanks again for your answer!</SPAN></P></BODY></HTML> Thu, 02 Nov 2017 13:50:54 GMT https://community.cisco.com/t5/network-access-control/vlan-change-coa/m-p/3508823#M520245 matteodapozzo 2017-11-02T13:50:54Z https://community.cisco.com/t5/network-access-control/vlan-change-coa/m-p/3508824#M520246 <HTML><HEAD></HEAD><BODY><P>Existing discussions in the community on same</P><P></P><P>https://communities.cisco.com/thread/81859</P><P></P><P>https://communities.cisco.com/thread/78818?start=0&amp;tstart=0</P></BODY></HTML> Thu, 02 Nov 2017 14:14:52 GMT https://community.cisco.com/t5/network-access-control/vlan-change-coa/m-p/3508824#M520246 Jason Kunst 2017-11-02T14:14:52Z