topic ISE Guest Flow / Vlan Change after Authentication in Network Access Control

ISE Guest Flow / Vlan Change after Authentication

awatson20 — Fri, 19 Mar 2021 15:13:03 GMT

We have a traditional guest flow that redirects clients to a guest portal page in ISE, and after authentication, they are associated with an SSID configured for that WLAN on the WLC. Is is possible to place specific clients based on the NAD(WLC) on a different vlan after authenticating? We would not want this to apply to all guest clients, just clients that are connected to certain WLC's. The vlan would be different for each WLC/site we would want to perform this at. So, different WLC and VLAN. How can this be easily achieved without extensive change to the authorization rule set in ISE?

Re: ISE Guest Flow / Vlan Change after Authentication

Marcelo Morais — Fri, 19 Mar 2021 15:42:41 GMT

Hi @awatson20 ,

please take a look at: ISE Self Registered Guest Portal Configuration Example.

"... There is a similar configuration for Accounting. It is also advised to configure the WLC to send SSID in the Called Station ID attribute, which allows the ISE to configure flexible rules based on SSID..."

Hope this helps !!!

Re: ISE Guest Flow / Vlan Change after Authentication

hslai — Sat, 20 Mar 2021 19:59:08 GMT

awatson20, the sequence of events is not exactly what you described.

A guest SSID/WLAN is configured for open/PSK but with MAC filtering to check against ISE and ISE has policies to redirect the endpoints to an ISE guest portal and to grant more access after guest logins.
An endpoint associates with the guest SSID/WLAN
The user gets presented with the ISE guest portal, signs in, accept AUP, etc.
ISE triggers authorize-only CoA and WLC performs another auth against ISE and grant more access to the endpoint.

Thus, the endpoint does not move the SSID/WLAN after sign-in. Please note that each SSID/WLAN has a default VLAN, which can be different from WLC to WLC and this default VLAN is what the endpoints get unless overridden by ISE. Although it possible to have different subnets before and after the guest sign-in, it's not recommended before the endpoint is unlikely to automatically refresh its IP address and get a new assignment from the new subnet. If you have to do so, then consider to have either a short DHCP lease/refresh interval or the same IP subnet in pre-auth and post-auth VLANs.