07-19-2021 04:07 AM - edited 07-19-2021 10:58 AM
Hello.
I have a problem with supplicant new IP address after CoA.
In my scenario, all machines authenticated with valid certificate, will receive a temporary IP address. After the successful login (by configuring EAP chaining using machine cert and user authentication with EAP-MSCHAP v.2 over EAP-TEAP or similure configuration with Anyconnect) temporary IP address should be release and new VLAN and IP address based on the Authz profile most be set on machines.
My problem is getting new IP address. I check the authentication session under the switch port. I can confirm the dACL and VLAN changing, and also I can see the CoA working properly. Because my initial IP address will remove for a while and then the temp IP back again. Then in windows I can see the temp IP is still there.
I can get the new IP address just with disconnecting and reconnecting the supplicant connection.
I have the same status with Cisco Anyconnect. I should click on the Anyconnect connection icon over NAM profile name to get new IP address.
How can I solve the completely releasing the initial IP address and getting the new IP without disconnecting and reconnecting the network connection ?
Cisco ISE Version : 2.7 Patch 3
Windows 10 version 2004
any connect : 4.10
Solved! Go to Solution.
07-25-2021 04:52 PM
This is a common issue with dynamic VLAN assignment as the endpoint needs to be able to detect that the network change has occurred and understand that it needs to request a new IP address via DHCP. Some native supplicants have mechanisms that attempt to resolve these issues, but they are not 100% effective.
The AnyConnect Posture Module supports a VLAN change detection mechamism, but that does not help if you're not using the Posture feature.
Two methods I have seen customers use to mitigate these common issues:
07-23-2021 08:12 AM
Hello Iman, could you please advise how did you fix this problem ?. I have the same issue.
Regards,
Edouard.
07-25-2021 04:52 PM
This is a common issue with dynamic VLAN assignment as the endpoint needs to be able to detect that the network change has occurred and understand that it needs to request a new IP address via DHCP. Some native supplicants have mechanisms that attempt to resolve these issues, but they are not 100% effective.
The AnyConnect Posture Module supports a VLAN change detection mechamism, but that does not help if you're not using the Posture feature.
Two methods I have seen customers use to mitigate these common issues:
03-12-2023 08:57 PM
does this applies on DACL too or is not posible to have the same problem?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide