Cisco Employee

COA to Change Endpoint VLAN when Posture status is Compliant, MacOS does not refresh IP.

Experts,

 

We would like to assign a different VLAN when posture checking results in Compliant or Non-compliant, as below.

 

Posture Compliant ---> AuthZ profile Vlan100 (10.1.1.0/24)

Posture Non-compliant or Posture Unknown ---> AuthZ profile Vlan200 (10.1.2.0/24)

 

On Windows (we are using NAM as the supplicant), everything seems to work fine, and the call flow is:

Endpoint onboards -> endpoint gets an IP in 10.1.2.0/24 (because the endpoint is Unknown before/during the posture check) -> posture completes and confirms Compliant -> endpoint refreshes to a new IP in 10.1.1.0/24

 

The issue is on MacOS in the last step. MacOS somehow never refreshes its IP address.

The question is: is this not something commonly used?

 

I have gone through some online articles and understand we could use a dACL or SGT to limit what a non-compliant device can talk to on internal resources. I just want to confirm whether this depends on endpoint behavior or on something we should change on ISE or the WLC/switch.

Accepted Solution
Cisco Employee

Re: COA to Change Endpoint VLAN when Posture status is Compliant, MacOS does not refresh IP.

This behaviour depends on the end supplicant. Typically, when you change the VLAN on the fly, the supplicant will not be aware of the VLAN change and may never refresh the IP address. NAM has a periodic check to identify VLAN changes by pinging the default gateway or sending ARP requests, and if it recognizes a change in the VLAN, it signals the OS to change the IP address. If I were you, I would rather use dACLs and SGTs, since they do not have any dependency on the supplicant. Also, try changing the AnyConnect Posture Profile value of "Ping or ARP" under IP Address Change to ARP and see if it helps.
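As an added illustration (not code from the thread or from Cisco), here is what the supplicant-independent approach recommended above looks like in practice: a downloadable ACL attached to the "Posture Non-compliant / Unknown" authorization profile instead of a VLAN change, so the endpoint keeps the same address throughout and nothing on macOS has to notice a change. The ISE PSN address 10.1.0.5, the remediation server 10.1.0.20 and the 10.0.0.0/8 internal range are assumptions for the example. dACL entries use IOS extended-ACL syntax with `any` as the source, which the switch substitutes with the endpoint's address; the `remark` lines are IOS ACL remarks and can be dropped if your ISE version's syntax check rejects them.

```text
remark Example dACL for the Non-compliant / Unknown posture state (illustration; addresses assumed)
remark Endpoint must still reach DHCP, DNS and ISE, otherwise posture can never complete
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
remark ISE PSN (assumed 10.1.0.5): client provisioning portal 8443, posture/Swiss 8905
permit tcp any host 10.1.0.5 eq 8443
permit tcp any host 10.1.0.5 eq 8905
permit udp any host 10.1.0.5 eq 8905
remark Remediation server (assumed 10.1.0.20), e.g. patch or AV update source
permit tcp any host 10.1.0.20 eq 80
permit tcp any host 10.1.0.20 eq 443
remark Block everything else internal (assumed 10.0.0.0/8); allow the rest, e.g. Internet
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
```

The Compliant authorization profile then carries the same VLAN with a permissive dACL (or none), so the CoA on the posture result only swaps the ACL on the port and the endpoint's IP never changes. Two caveats: the Unknown state usually also needs a URL-redirect ACL for client provisioning, which is a static ACL configured on the switch and referenced by name from the authorization profile, not part of the dACL; and on a wireless controller the equivalent is a named ACL on the WLC referenced from the authorization profile rather than a dACL pushed from ISE.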