Solved: Re: Dhcp Renew for ISE Dynamic Vlan

yusuf76225 · ‎11-05-2020

Dear Expert.

i want to ask regarding dynamic vlan feature at ISE.

i use ISE 2.6 and windows laptop for testing.

the customer requirement for wired will be like this.

if wired endpoint connected, there will be pop up login
If endpoint login using AD username, the endpoint will be move to new vlan, which is employee vlan

i've succed pop up the login page, and already enable "dhcp release" at the portal settings.

But after the laptop login using AD account, the portal asking to install and enable java plugin.

After looking arround, i found out that java plugin is not supported anymore at all browser because of security issue. thats why i cant enable java plugin at the browser.

Is there another workaround for this feature ?

Damien Miller · ‎11-05-2020

Yes, this "dhcp release" portal feature is long past it's prime due to the client requirements. Chrome, Firefox, and Safari killed support for this in their browsers years ago now. Internet explorer was a long time hold out, but since so few people use IE, the feature essentially died.

This thread offers a potential more modern solution for dynamic vlan, but to be fair I have not tried it. The port bounce provides the required action that initiates the client dhcp process again.
https://community.cisco.com/t5/network-access-control/solution-for-change-of-vlan-for-wired-guests-using-smart-port/m-p/3432614

View solution in original post

Damien Miller · ‎11-05-2020

Yes, this "dhcp release" portal feature is long past it's prime due to the client requirements. Chrome, Firefox, and Safari killed support for this in their browsers years ago now. Internet explorer was a long time hold out, but since so few people use IE, the feature essentially died.

This thread offers a potential more modern solution for dynamic vlan, but to be fair I have not tried it. The port bounce provides the required action that initiates the client dhcp process again.
https://community.cisco.com/t5/network-access-control/solution-for-change-of-vlan-for-wired-guests-using-smart-port/m-p/3432614

yusuf76225 · ‎11-05-2020

Thank you for your insight.

is there another workaround to fulfill my customer requirement except using macro?

because someone posted in that thread, there is some problem when he is using macro.

Massimo Baschieri · ‎11-05-2020

Vlan change for mab hosts has always been troublesome.

You can try landing hosts on a temporary vlan with a very short dhcp lease, e.g. 1 minute, this way hosts should renew dhcp by themselves once moved to the destination vlan.

Unfortunately windows dhcp client seems not always behaving as expected, maybe it's not very happy with very short dhcp leases, or maybe it's because of some personal firewall installed.

Greg Gibbs · ‎11-08-2020

Another option would be to configure a 'pre-auth' ACL on the switchport that blocks DHCP in the starting VLAN. Once the authorisation process completes and the VLAN assignment is changed, you would then also push a permissive downloadable ACL to override the restrictive pre-auth ACL.

The only caveat is that some 'headless' or IoT devices might be sensitive to DHCP timeouts and stop sending requests after a number of timeouts. You would want to test this approach with your endpoints to see if it causes issues.

Massimo Baschieri · ‎11-08-2020

I tried the smartport macro solution time ago in a lab and it seem to work, but if your host is behind an ip phone or the port has multiple hosts connected it's a mess.