https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3443310#M536299 <HTML><HEAD></HEAD><BODY><P>Its not recommended to do VLAN changes for guest as there are issues with java active X applets and you have no control of guest devices.</P><P></P><P>There is no supplicant like dot1x to control the IP change</P><P></P><P>If you must change IP addresses, then the recommendation would be to do either of the following:</P><P></P><P>· Don’t use the applets</P><P></P><P>· Setup a low DHCP lease time for the initial VLAN so when the user moves its updates quickly</P><P></P><P>· Have the user login with CWA and then Register the endpoints by redirecting to a hotspot portal that will disconnect them after registration and cause a new connection on the new VLAN coming through</P><P></P><P>· Use dot1x for the guests by pre-registration or have them register for an account (make sure you use an account that’s activated immediately (from first login or make sure to check the bypass guest portal in the guest type)</P></BODY></HTML> Wed, 01 Feb 2017 17:37:21 GMT Jason Kunst 2017-02-01T17:37:21Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3443309#M536298 <HTML><HEAD></HEAD><BODY><P>HI Experts,</P><P></P><P>I have implemented a rule for my customer to have Guest users go through CWA redirect and after authorization get placed into the Guest VLAN.&nbsp; The entire flow works as expected the Guest user is first in the Corp VLAN (obtains ip from that VLAN) to access the CWA portal and then gets put into the Guest VLAN. The issue I am seeing is that once the user is put into the Guest VLAN the IP Address release/renew does not occur right away. It takes 10-15 minutes if nothing is done.Manual renewal of IP works right away.</P><P></P><P>If I enable the "VLAN DHCP Release Page" setting on the portal&nbsp; then the user gets prompted for installing the applet and then the ip is renewed automatically. <SPAN style="font-size: 10pt;">I have tested the applet on Windows and it works. </SPAN></P><P></P><P>My questions are below:</P><P></P><P>1. Is there another way to handle this without user intervention. Some way that once put into the Guest VLAN the DHCP renew would automatically be initiated?</P><P>2. I have tested the Java Applet on Windows and it seems to work what about other guest endpoints&nbsp; OSX etc. Any known issues or gotchas for non windows devices.</P><P></P><P>Thanks</P><P></P><P>Nadeem</P></BODY></HTML> Wed, 01 Feb 2017 17:16:30 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3443309#M536298 nadeekha 2017-02-01T17:16:30Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3443310#M536299 <HTML><HEAD></HEAD><BODY><P>Its not recommended to do VLAN changes for guest as there are issues with java active X applets and you have no control of guest devices.</P><P></P><P>There is no supplicant like dot1x to control the IP change</P><P></P><P>If you must change IP addresses, then the recommendation would be to do either of the following:</P><P></P><P>· Don’t use the applets</P><P></P><P>· Setup a low DHCP lease time for the initial VLAN so when the user moves its updates quickly</P><P></P><P>· Have the user login with CWA and then Register the endpoints by redirecting to a hotspot portal that will disconnect them after registration and cause a new connection on the new VLAN coming through</P><P></P><P>· Use dot1x for the guests by pre-registration or have them register for an account (make sure you use an account that’s activated immediately (from first login or make sure to check the bypass guest portal in the guest type)</P></BODY></HTML> Wed, 01 Feb 2017 17:37:21 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3443310#M536299 Jason Kunst 2017-02-01T17:37:21Z https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3443311#M536300 <HTML><HEAD></HEAD><BODY><P>Thanks Jason!!</P><P>Those were great alternative solutions. I will ask the customer to give those a try and see how it goes.</P><P></P><P></P><P>Nadeem Khan CISSP, CRISC</P><P>Network Consulting Engineer</P><P>Cisco Services</P><P>Cisco Security Solutions - Integration</P><P>nadeekha@cisco.com</P><P>Mobile: +1 416 8199934</P><P></P><P>Cisco.com - http://www.cisco.com</P><P>This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.</P><P>For corporate legal information go to:</P><P>http://www.cisco.com/web/about/doing_business/legal/cri/index.html</P></BODY></HTML> Wed, 01 Feb 2017 17:45:45 GMT https://community.cisco.com/t5/network-access-control/ise-2-1-wired-guest-flow-vlan-ip-release-renew-issue/m-p/3443311#M536300 nadeekha 2017-02-01T17:45:45Z