Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5945
Views
5
Helpful
20
Replies

CoA Terminate in Hotspot portal is not initiating DHCP refresh

Go to solution
umahar
Cisco Employee
Cisco Employee

‎03-16-2017 03:17 PM

Hi,

I have configured my hotspot portal to send CoA terminate so that I could push guest on Wired to different VLAN but I dont see a session terminated of wired endpoint and the endpoint do not refresh their IPs in the new VLAN.

Is CoA Terminate same as CoA PortBounce ?

It does not look like from the packet capture as it does not have port-bounce cisco AVP attribute.

When I issue a CoA Port Bounce from ISE the endpoints come in the correct IP range.

I know that in the past Jason has mentioned that Vlan change is not recommended in guest portals due to inconsistency but I thought CoA Terminate should still be able to bounce the port.

20 Replies 20

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to ajc

‎10-23-2017 12:54 PM

In case you are asking about the AVP, that would be in the NAD profile as Craig responded on Mar 17, 2017 11:50 AM.

For the CoA option in ISE hotspot portals, you would need ISE 2.1 Patch 1 or above. Below shows a screenshot from ISE 2.2. CoA Terminate is the disconnect option.

Screen Shot 2017-10-23 at 12.48.25 PM.png

0 Helpful

Go to solution
umahar
Cisco Employee
Cisco Employee
In response to ajc

‎10-23-2017 02:30 PM

Change of vlan is not generally recommended because port is not bounced and no new dhcp is issued.

We are using macros to achieve port bounce instead of CoA

Thanks,

Utkarsh

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎03-17-2017 09:35 AM

The key use case was wireless hotspot issues present before ISE 2.1 patch 1. The problem was that we would send a terminate after accepting an AUP.  This caused the device to go through and scan SSID list and DHCP over and took upwards of 30 seconds. If there was a more preferred network higher in the scan list then it would try to connect to that instead. We added the ability in hotspot portal to send a re-auth which alleviated this problem.


Go to solution
umahar
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎03-17-2017 11:29 AM

Jason I am testing this in wired and hence I do not see any difference in the behaviour between CoA Reauth and CoA Terminate. Even the packet captures of CoA Disconnect seem similar.

How are you telling the WLC to behave differently between these two options ?

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to umahar

‎03-17-2017 11:32 AM

I am not telling the WLC to behave differently, its up to the hotspot portal to send a re-auth or disconnect, sorry it doesn’t work the same for wired side. It would be a nice enhancement to set this per portal. I know craig has some enhancement ideas around that

0 Helpful

Go to solution
juanfaure
Level 1
Level 1
In response to Jason Kunst

‎06-13-2022 09:58 PM

Hi Jason,

 

Could you please provide some reference about wired guest external captive portal redirection using ISE?

I am looking for some docs about it but no luck

 

Kind Regards,

 

Juan 

 

0 Helpful
Customers Also Viewed These Support Documents