Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3451
Views
10
Helpful
8
Replies

Cisco ISE IP Renewal not working

Bouchaib EL-GHOREFY
Level 1
Level 1

‎02-16-2015 10:53 AM - edited ‎03-10-2019 10:27 PM

Hi all,

I am setting up a CWA with Cisco ISE to authenticate Guests and Employees by Web and assign them to Two different vlans. The authentication pass. The authZ Profiles are affected. but The IP address did not change according to vlan until I renew it manually from console ( >ipconfig /release >ipconfig /renew). I desactivated Java in browsers, I activated it again and added the IP of the ISE to the Exception List in Java setting but the IP address still not change automatically.

Any Ideas how to fix this Issue?
 

Thank you.

Labels:
0 Helpful
8 Replies 8

mohanak
Cisco Employee
Cisco Employee

‎02-18-2015 01:53 AM

check delay to release,delay to CoA ,delay to renew  setting

 

delay to release time should be low since it needs to occur  immediately  after the applet is downloaded and before the Cisco ISE  server directs  the NAD to re-authenticate with a CoA request. The  default release  value is 1 second.

 

the delay to CoA delays the Cisco ISE from executing the CoA. Here,   enough time should be given to allow the applet to download and perform   the IP release on the client. The default value is 8 seconds.

 

The delay to renew value is added to the IP release value and does not   begin timing until the control is downloaded. The renew should be given   enough time so that the CoA is allowed to process and the new VLAN   access granted. The default value is 12 seconds.

0 Helpful

Bouchaib EL-GHOREFY
Level 1
Level 1
In response to mohanak

‎02-18-2015 07:30 AM

Thank you mohanak for the reply, but I tested with the default values of these Delays and I changed them (giving them enough time) and still not working.

:(

0 Helpful

Bouchaib EL-GHOREFY
Level 1
Level 1
In response to Bouchaib EL-GHOREFY

‎02-19-2015 07:35 AM

Hello,

IP address is renewed if I use Internet Explorer and everything is fine, What's the matter with Chrome and Firefox?  have I to use a CA trusted certificate (I work with a self-signed one).

Any suggestions...

 

0 Helpful

bikespace
Level 1
Level 1
In response to Bouchaib EL-GHOREFY

‎03-03-2015 03:47 PM

I'm going to state this so that someone from Cisco can try to correct me: dynamic VLAN is not a viable solution for guest access with CWA!!!

The marketing and sales guys might tell you that it is, but with a massive variation of devices connecting with varying configurations it just CANNOT work.

It's fine for solutions where the client doesn't receive an IP address before auth, but not for CWA.

Don't believe them unless they can back it up with real world examples. I'd love to see it but haven't yet.

Various discussions online, face to face, cisco, other ISE engineers. Give it up. Get them in the VLAN they're staying in before you start and restrict their access dynamically, then open it up when authenticated.

jan.nielsen
Level 7
Level 7
In response to bikespace

‎03-03-2015 03:51 PM

I completely agree, this is not a usable design, it does not work properly for anything but dot1x authentication.

0 Helpful

Bouchaib EL-GHOREFY
Level 1
Level 1
In response to bikespace

‎03-04-2015 02:52 AM

Thank you for the update,

The big advantage of dynamic Vlan is mobility, employees can have their appropriate Vlans from any Switch. I would prefer Dot1x authentication but the site does't have an AD DC. 

But, It seems that you're right IP Renewal won't continue existing with the increasing security restrictions on java and browsers.

thx.

 

 

0 Helpful

Anas Naqvi
Level 1
Level 1

‎03-05-2015 07:05 PM

Hi Bouchaib,

Make sure you have put a check on the VLAN DHCP Release option.

If you are using ISE 1.3 then your path will be,

Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > VLAN DHCP Release Page Settings.

This affects the Central WebAuth (CWA) flow during final authorization when the network access changes the guest VLAN to a new VLAN. The guest’s old IP address must be released before the VLAN change and a new guest IP address must be requested through DHCP once the new VLAN access is in place. The IP address release renew operation varies by the browser and operating system used; Internet Explorer uses ActiveX controls, and Firefox and Google Chrome use Java applets. For non-Internet Explorer browsers, Java must be installed and enabled on the browser.

The VLAN DHCP Release option does not work on mobile devices. Instead, guests are requested to manually reset the IP address. This method varies by devices. For example, on Apple iOS devices, guests can select the Wi-Fi network and click the Renew Lease button.

 

For ISE 1.2 version, you can find the same option on the Guest Portal settings.

Preview file
55 KB

Bouchaib EL-GHOREFY
Level 1
Level 1
In response to Anas Naqvi

‎03-06-2015 04:18 AM

Hi Anas, Thank you for the reply.

I already did all what you said. The problem here still why Active X (Using Internet Explorer) force the IP renewal, and Java (Chrome and Firefox) doesn't.  knowing that I have setting the exceptions for ISE bacause Java doesn't trust the auto-signed applications, and I tried with an old version but this still not working.

Thx

 

 

 

 

 

Preview file
10 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents