I am setting up a CWA with Cisco ISE to authenticate Guests and Employees by web and assign them to two different VLANs. The authentication passes and the authZ profiles are affected, but the IP address does not change according to the VLAN until I renew it manually from the console (>ipconfig /release, >ipconfig /renew). I deactivated Java in the browsers, activated it again and added the IP of the ISE to the Exception List in the Java settings, but the IP address still does not change automatically.
Any ideas how to fix this issue?
Check the delay to release, delay to CoA and delay to renew settings.
The delay to release time should be low since it needs to occur immediately after the applet is downloaded and before the Cisco ISE server directs the NAD to re-authenticate with a CoA request. The default release value is 1 second.
The delay to CoA delays the Cisco ISE from executing the CoA. Here, enough time should be given to allow the applet to download and perform the IP release on the client. The default value is 8 seconds.
The delay to renew value is added to the IP release value and does not begin timing until the control is downloaded. The renew should be given enough time so that the CoA is allowed to process and the new VLAN access granted. The default value is 12 seconds.
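The three timers in the reply above only work when they fire in the right order on the client: release, then the CoA on the NAD, then the renew on the new VLAN. The following is an added example (not from the thread and not Cisco ISE code) that builds that timeline from the three values and flags orderings that cannot work. The ordering rules come from the reply; the default values are the ones it quotes; the two-second safety margin is an assumption, not an ISE setting.

```python
"""Timeline check for the ISE VLAN DHCP release timers.

Added example, not part of the forum thread or of Cisco ISE. The
ordering rules (release before CoA, renew after CoA, renew timer added
to the release value) are taken from the reply above; the safety margin
is an assumption.
"""

# Default values quoted in the reply, in seconds.
DEFAULTS = {"release": 1, "coa": 8, "renew": 12}


def timeline(release, coa, renew):
    """Return the second at which each step fires after the applet loads.

    The renew delay is added to the release value, so the renew happens
    at release + renew; the CoA delay counts from the same start.
    """
    return {
        "release_at": release,
        "coa_at": coa,
        "renew_at": release + renew,
    }


def check_timers(release, coa, renew, min_gap=2):
    """Return a list of problems with the ordering (empty list means OK).

    min_gap is an assumed safety margin in seconds between consecutive
    steps; it is not an ISE setting.
    """
    if min(release, coa, renew) < 0:
        return ["timer values must be non-negative"]
    t = timeline(release, coa, renew)
    problems = []
    # The client must have dropped its old lease before ISE sends the CoA,
    # otherwise the NAD moves the port while the old address is still held.
    if t["release_at"] + min_gap > t["coa_at"]:
        problems.append(
            "IP release at %ds is not at least %ds before the CoA at %ds"
            % (t["release_at"], min_gap, t["coa_at"])
        )
    # The renew must run after the CoA has moved the port to the new VLAN,
    # otherwise the client asks DHCP on the old VLAN and keeps the old IP.
    if t["renew_at"] < t["coa_at"] + min_gap:
        problems.append(
            "IP renew at %ds is not at least %ds after the CoA at %ds"
            % (t["renew_at"], min_gap, t["coa_at"])
        )
    return problems


def describe(release, coa, renew):
    """Human-readable summary of the timeline and any problems found."""
    t = timeline(release, coa, renew)
    lines = [
        "release at %ds, CoA at %ds, renew at %ds"
        % (t["release_at"], t["coa_at"], t["renew_at"])
    ]
    lines.extend("problem: " + p for p in check_timers(release, coa, renew))
    return "\n".join(lines)


if __name__ == "__main__":
    print("defaults:")
    print(describe(**DEFAULTS))
    print("renew too early (release=1, coa=8, renew=5):")
    print(describe(1, 8, 5))
```

With the default values the renew fires at 13 s, comfortably after the 8 s CoA, so the check returns no problems; shortening the renew delay to 5 s makes the renew fire at 6 s, before the CoA, which is exactly the case where the client re-requests its old address on the old VLAN.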
The IP address is renewed if I use Internet Explorer and everything is fine. What's the matter with Chrome and Firefox? Do I have to use a CA-trusted certificate (I work with a self-signed one)?
I'm going to state this so that someone from Cisco can try to correct me: dynamic VLAN is not a viable solution for guest access with CWA!!!
The marketing and sales guys might tell you that it is, but with a massive variation of devices connecting with varying configurations it just CANNOT work.
It's fine for solutions where the client doesn't receive an IP address before auth, but not for CWA.
Don't believe them unless they can back it up with real world examples. I'd love to see it but haven't yet.
Various discussions online, face to face, cisco, other ISE engineers. Give it up. Get them in the VLAN they're staying in before you start and restrict their access dynamically, then open it up when authenticated.
Thank you for the update,
The big advantage of dynamic VLANs is mobility: employees can get their appropriate VLANs from any switch. I would prefer dot1x authentication, but the site doesn't have an AD DC.
But it seems that you're right; IP renewal won't keep working with the increasing security restrictions on Java and browsers.
Make sure you have put a check on the VLAN DHCP Release option.
If you are using ISE 1.3 then your path will be,
Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > VLAN DHCP Release Page Settings.
This affects the Central WebAuth (CWA) flow during final authorization when the network access changes the guest VLAN to a new VLAN. The guest's old IP address must be released before the VLAN change, and a new guest IP address must be requested through DHCP once the new VLAN access is in place. The IP address release/renew operation varies by the browser and operating system used; Internet Explorer uses ActiveX controls, and Firefox and Google Chrome use Java applets. For non-Internet Explorer browsers, Java must be installed and enabled in the browser.
The VLAN DHCP Release option does not work on mobile devices. Instead, guests are requested to manually reset the IP address. This method varies by devices. For example, on Apple iOS devices, guests can select the Wi-Fi network and click the Renew Lease button.
For ISE 1.2 version, you can find the same option on the Guest Portal settings.
Hi Anas, Thank you for the reply.
I already did everything you said. The problem here is still why ActiveX (using Internet Explorer) forces the IP renewal and Java (Chrome and Firefox) doesn't, knowing that I have set the exceptions for ISE because Java doesn't trust self-signed applications, and I tried with an old version but it still does not work.