Captive Portal and CoA

nanu
Level 1

Hi team,

Maybe I'm missing something, but I have the following situation with captive portal (maybe it cannot be achieved).

I deployed 1 SSID (this behaviour happens on 9K8 and Meraki); this SSID is of type captive portal (in ISE), so the user is redirected and can access the network.

I created 3 groups; 2 of them are local to ISE, for Guest and Contractor, and the third one is tied to an AD group, so with one SSID I offer access to those groups. The problem comes when I try to assign a different VLAN to each one. ISE pulls the new VLAN to the AP but the clients "get stuck" with the old IP; if I disconnect them and reconnect again they receive the correct IP... It's like CoA isn't working in this situation.

Is there a way to solve this situation? Or do I need to deploy 3 SSIDs, one for each case?

Thank you in advance!

1 Accepted Solution

hslai
Cisco Employee

As long as different IP subnets are used before and after web auth completion, we would see this issue. Endpoints need some help in detecting IP address changes. In the case of DOT1X, some of the supplicants might be able to detect the change and refresh the IP accordingly. Without DOT1X, it usually needs bouncing the connections. Best to avoid subnet changes. Else, try using a short lease time for the pre-auth DHCP scope. Another idea is to use the same subnet in two different VLANs so the clients may keep the same IP address.
