
Cisco ISE Windows 10 DHCP issue... Log in with a local user, the VLANs do not change... Must perform IP address renew


In our Windows 10 environments, when logging in with a local user, the VLANs do not change and the user still has to do an IP address renew. What are some Cisco Community suggestions to overcome this pathology?

Accepted Solution

Greg Gibbs
Cisco Employee

Dynamic VLAN assignment can be tricky as the endpoint supplicant needs to be able to detect the VLAN change and request a new IP address from DHCP. The vast majority of endpoints cannot natively do this on Wired connections.


If the switch is showing the VLAN change, but the endpoint is just not detecting it, there are a few options to work around this:

  1. Use a 3rd-party supplicant like AnyConnect NAM that can detect dynamic VLAN changes
  2. For Low-Impact Mode, block DHCP in your pre-auth ACL (this can have adverse effects for endpoints that are sensitive to DHCP timeouts)
  3. Move to Closed Mode (this can also have adverse effects for sensitive endpoints)
  4. If using a Linux- or Unix-based DHCP server, set an aggressive DHCP lease (in seconds) in the scope for your starting VLAN
  5. Consult Microsoft to see if the NCSI (Network Connection Status Indicator) can be tweaked to help detect VLAN changes

Cheers,

Greg

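Workaround 2 above (Low-Impact Mode with DHCP removed from the pre-auth ACL) is shown below as an added example; it is not configuration from the original thread or from Cisco, and the ACL name, the permitted services and the interface are assumptions. The idea is that a typical Low-Impact pre-auth ACL lets the endpoint lease an address in the starting VLAN before it has authenticated, which is exactly the stale lease the user then has to renew by hand; leaving DHCP out of that ACL means the endpoint only gets a lease once authorization has moved the port to its final VLAN.

```ios
! Added example, not from the original thread. Names and interface are assumed.
! A typical Low-Impact pre-auth ACL would also carry the line below so the
! endpoint can get an address before authentication; it is deliberately left
! out here (workaround 2) so the endpoint only leases in its final VLAN:
!   permit udp any eq bootpc any eq bootps
ip access-list extended PRE-AUTH-NO-DHCP
 remark DNS is still allowed pre-auth so name resolution works during onboarding
 permit udp any any eq domain
 remark TFTP kept for PXE-style boots that can tolerate waiting for DHCP post-auth
 permit udp any any eq tftp
 remark Everything else, DHCP included, waits for the authorization result
 deny   ip any any
!
interface GigabitEthernet1/0/10
 description Assumed access port running the IBNS Low-Impact template
 ip access-group PRE-AUTH-NO-DHCP in
```

Before rolling this out, watch the DHCP server and switch logs for endpoints that give up on DHCP discovery before authorization completes; those are the "sensitive endpoints" the caveat in the post refers to, and they need either a longer DHCP retry window or an exception port template.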

2 Replies

Colby LeMaire
VIP Alumni

The solution depends on what the actual issue is. Assuming you are doing dynamic VLAN assignment using ISE, are the authentications successful and is the correct authorization profile being pushed down to the switch? Or are the authentications failing because the account is a local user? If they are failing, then that is the issue and the authorization profile won't be assigned.
