https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518591#M530991 <HTML><HEAD></HEAD><BODY><P>Which portion of the config from ISE are you interested in?</P><P></P><P>Switchside is pretty standard closed mode. We cannot have VLAN move and DHCP Guest in Low Impact mode for it introduces catch 22 logic problem: client needs an IP to get to captive portal and since the port is auth open it will always get an IP from the starting VLAN. Of course you can have all end points start in the guest VLAN but I personally would recommend against it.</P><P></P><P>Here is the switch port config:</P><P></P><P>Rack01SW05(config)#do sh run inte g 1/0/1</P><P>Building configuration...</P><P></P><P></P><P>Current configuration : 570 bytes</P><P>!</P><P>interface GigabitEthernet1/0/1</P><P> switchport access vlan 50</P><P> switchport mode access</P><P> switchport nonegotiate</P><P> switchport voice vlan 51</P><P> authentication control-direction in</P><P> authentication event fail action next-method</P><P> authentication host-mode multi-auth</P><P> authentication order dot1x mab</P><P> authentication priority dot1x mab</P><P> authentication port-control auto</P><P> authentication periodic</P><P> authentication timer reauthenticate server</P><P> authentication violation restrict</P><P> mab</P><P> dot1x pae authenticator</P><P> dot1x timeout tx-period 5</P><P> dot1x max-reauth-req 1</P><P> spanning-tree portfast</P><P>end</P><P>!</P><P>Rack01SW05(config)#</P></BODY></HTML> Thu, 10 May 2018 02:17:32 GMT starvoise 2018-05-10T02:17:32Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518581#M530980 <HTML><HEAD></HEAD><BODY><P>Hi Guys,</P><P></P><P>On a previous post I had a question about Wired Guest Flow scenario that required a VLAN switch and an IP renew on the new VLAN.</P><P>Jason Kunst had recommended many solutions to resolve the issue my customer was experiencing.</P><P></P><P>Now My customer wants to look at applying the below solution for the VLAN switch / DHCP IP renew scenario.</P><P></P><P>Jason:·"Have the user login with CWA and then Register the endpoints by redirecting to a hotspot portal that will disconnect them after registration and cause a new connection on the new VLAN coming through"</P><P></P><P></P><P>Unfortunately I am not sure exactly how to configure the above flow recommended by Jason. Please see attached screenshot of what I currently have. How do I introduce the Hotspot Portal to this Policy along with CWA?<IMG alt="Screen Shot 2017-02-26 at 9.38.40 AM.png" class="image-1 jive-image" src="/legacyfs/online/fusion/104901_Screen Shot 2017-02-26 at 9.38.40 AM.png" style="height: 91px; width: 620px;" /></P><P></P><P>Thanks in advance</P><P></P><P>Nadeem Khan</P></BODY></HTML> Sun, 26 Feb 2017 14:55:16 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518581#M530980 nadeekha 2017-02-26T14:55:16Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518582#M530981 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I would like to add a question to the same case - ISE 2.1 Wired Guest Flow VLAN IP Release/Renew Issue.</P><P>Java applet for DHCP release/renew does not work with Mozilla browser on Windows 7 and 10, there is a bug about that.</P><P>It does not work with Chrome as well.</P><P>Active X works with IE, but not with Edge.</P><P></P><P>Question: Is it possible to modify the Guest portal flow, so that Radius CoA will not send reauth, but port bounce?</P><P>How could I configure port bounce in order to get a new IP address in the new VLAN?</P><P></P><P>Thanks,</P><P>Vlad</P></BODY></HTML> Sun, 26 Feb 2017 15:18:16 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518582#M530981 Vladislav Atanasov 2017-02-26T15:18:16Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518583#M530982 <HTML><HEAD></HEAD><BODY><P>Not exactly sure of the needed flow and types of users</P><P></P><P>Recommended disabling auto registration on the credentialed portal you are using</P><P></P><P>yes inject a rule between the initial redirect and then the final permission off endpoint group with the following</P><P></P><P>Create a guest type called VLANCHANGE and use for self-reg</P><P>Create an endpoint&nbsp; group VLANCHANGE </P><P></P><P>if Guest_flow and guest_type VLANCHANGE equals X then redirect to hotspot portal that registers into endpoint group VLAN CHANGE, make sure Hotspot Portal is set to terminate not re-auth (ISE 2.1 patch 1 and higher)</P><P></P><P>The flow would be like this</P><P>1. User redirected to credentialed portal</P><P>2. after login, COA takes place and redirected to hotspot portal for device registration</P><P>3. After registration COA disconnect is sent</P><P>4. device comes back in using endpoint group authorization in new VLAN</P></BODY></HTML> Mon, 27 Feb 2017 14:53:57 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518583#M530982 Jason Kunst 2017-02-27T14:53:57Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518584#M530983 <HTML><HEAD></HEAD><BODY><P>unfortunately the release, renew is not recommended as you can see many issues you run into. please reach out with your account team if you are needing this functionality.</P><P></P><P>The recommended way to approach would be what I suggested in the answer to this thread.</P><P></P><P>We also recommend staying away from VLAN change for guests. If you need it try using dot1x for your guest flows</P></BODY></HTML> Mon, 27 Feb 2017 14:55:47 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518584#M530983 Jason Kunst 2017-02-27T14:55:47Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518585#M530984 <HTML><HEAD></HEAD><BODY><P>Please see this <A href="https://community.cisco.com/thread/81859">Solution for Change of VLAN for wired Guests using Smart Port Macros</A></P></BODY></HTML> Fri, 19 May 2017 21:42:11 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518585#M530984 umahar 2017-05-19T21:42:11Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518586#M530985 <HTML><HEAD></HEAD><BODY><P>Hi Jason,</P><P></P><P>One question, does this configuration with CoA disconnect should force the client the request a new IP address after the VLAN change ? </P><P></P><P>Thanks.</P><P></P><P>Matteo</P></BODY></HTML> Wed, 25 Oct 2017 10:26:02 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518586#M530985 matteodapozzo 2017-10-25T10:26:02Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518587#M530986 <HTML><HEAD></HEAD><BODY><P>Yes That’s what I explained above but it depends on your switch behavior, please see @utkarsh post above</P></BODY></HTML> Wed, 25 Oct 2017 12:07:22 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518587#M530986 Jason Kunst 2017-10-25T12:07:22Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518588#M530987 <HTML><HEAD></HEAD><BODY><P>Matteo,</P><P></P><P>We have shown and tested change of VLAN functionality using macros and ISE to atleast two customers who seemed quite convinced. Nothing has been put into production yet. </P><P>In the PPT posted in the thread you would notice that we are disabling dot1x on the port after a guest connects using macros to avoid the guest session running into a loop.</P><P>However recently we found another solution where we can send the VLAN id in the radius request and make an authorization rule on ISE based on Guest VLAN to avoid the loop.</P><P>This way we can achieve change of VLAN as well as retain the mab session/ ip phone session on that port. </P></BODY></HTML> Wed, 25 Oct 2017 15:23:52 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518588#M530987 umahar 2017-10-25T15:23:52Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518589#M530988 <HTML><HEAD></HEAD><BODY><P>Matteo,</P><P></P><P>You would have to change CoA response to be port-bounce which will force the client to re-ip in the guest vlan. It is fully sported feature and has been working fine in my labs. If you need more support, please do reach to your account team, they should be able to help you with exact configuration steps.</P><P></P><P>I would avoid using macros for guest for it is gong to be challenging to force port clean up when accounts expire.</P></BODY></HTML> Mon, 12 Feb 2018 20:33:55 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518589#M530988 starvoise 2018-02-12T20:33:55Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518590#M530989 <HTML><HEAD></HEAD><BODY><P>Hi Starvoise, </P><P></P><P>Thank you for your feedback. Please can you share your configuration on the switch side and on the ISE side?</P><P></P><P>Thanks,</P><P></P><P>Matteo</P></BODY></HTML> Wed, 14 Feb 2018 08:25:40 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518590#M530989 matteodapozzo 2018-02-14T08:25:40Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518591#M530991 <HTML><HEAD></HEAD><BODY><P>Which portion of the config from ISE are you interested in?</P><P></P><P>Switchside is pretty standard closed mode. We cannot have VLAN move and DHCP Guest in Low Impact mode for it introduces catch 22 logic problem: client needs an IP to get to captive portal and since the port is auth open it will always get an IP from the starting VLAN. Of course you can have all end points start in the guest VLAN but I personally would recommend against it.</P><P></P><P>Here is the switch port config:</P><P></P><P>Rack01SW05(config)#do sh run inte g 1/0/1</P><P>Building configuration...</P><P></P><P></P><P>Current configuration : 570 bytes</P><P>!</P><P>interface GigabitEthernet1/0/1</P><P> switchport access vlan 50</P><P> switchport mode access</P><P> switchport nonegotiate</P><P> switchport voice vlan 51</P><P> authentication control-direction in</P><P> authentication event fail action next-method</P><P> authentication host-mode multi-auth</P><P> authentication order dot1x mab</P><P> authentication priority dot1x mab</P><P> authentication port-control auto</P><P> authentication periodic</P><P> authentication timer reauthenticate server</P><P> authentication violation restrict</P><P> mab</P><P> dot1x pae authenticator</P><P> dot1x timeout tx-period 5</P><P> dot1x max-reauth-req 1</P><P> spanning-tree portfast</P><P>end</P><P>!</P><P>Rack01SW05(config)#</P></BODY></HTML> Thu, 10 May 2018 02:17:32 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3518591#M530991 starvoise 2018-05-10T02:17:32Z