Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
982
Views
0
Helpful
7
Replies

ISE 2.0 - guest vlan dhcp scope gets full.

Laxmi Khajjannavar
Level 1
Level 1

‎02-13-2017 11:01 AM - edited ‎03-11-2019 12:27 AM

Hi All,
We have enabled the guest services at one of the site, where the guest vlan dhcp scope gets full.
As the guest ssid is broadcasted, everyone  across the site can latch to the ssid and the ip gets occupied by the endpoint /users even before the authentication takes places via guest portal 
Is it possible if the user/ endpoint is assigned with ip only after the authentication?? or if any other setting to configured..

Enabling "VLAN DHCP Release" options will it help in resolving the issue 

Any help would be appreciated!!!!

Regards

Laxmi 

Labels:
0 Helpful
7 Replies 7

nspasov
Cisco Employee
Cisco Employee

‎02-13-2017 01:39 PM

Hello Laxmi-

Here are my comments/suggestions:

1. If you are using CWA (Central Web Authentication) or LWA (Local Web Authentication), then the guest clients must have an IP address so they can browse to the guest portal

2. If possible, increase the IP pool for the guest users

3. Decrease the lease time for the IPs on the guest pool, thus reducing the amount of time a guest holds onto an IP address

4. You can create two DHCP pools/networks that are dedicated for pre and post authenticated users. For instance:

- Unauthenticated Guests: VLAN:10 with DHCP pool: 192.168.10.0/24

- Authenticated Guests: VLAN:20 with DHCP pool: 192.168.20.0/24

I hope this helps!

Thank you for rating helpful posts!

0 Helpful

Laxmi Khajjannavar
Level 1
Level 1
In response to nspasov

‎02-13-2017 11:12 PM

Thanks Neno for reply.
i have already tried with point 2 and 3 which you have mentioned.
To deploy point 4, if you can share any reference step or document.
But as per my understanding , Any guest connecting to the GUEST SSID as to  pass through both the VLANs 10 and 20 .
Again the Unauthenticated Guests Vlan 10 will be full.
Regards
Laxmi
0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to Laxmi Khajjannavar

‎02-14-2017 11:26 AM

I don't have specific documentation but it is essentially a VLAN override. The guest users will start in VLAN 10 and after they are successfully authenticated then ISE will push a different VLAN where the authenticated guest users will be placed. 

Now, you are correct, VLAN 10 can still be depleted with the issue that you described. So I think the only options that we have left are:

1. Make the IP pool even bigger. I know you have already done this but perhaps you can add even more

2. Separate the guest networks so each site gets their own guest subnet/VLAN

3. Play with the timers inside your WLC. You can look to decrease the "idle" and the "session timeout" timers and see if that helps. 

Thank you for rating helpful posts!

0 Helpful

Laxmi Khajjannavar
Level 1
Level 1
In response to nspasov

‎02-20-2017 12:42 AM

Thanks Neno... :)

will see how it goes

Regards

Laxmi K

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to Laxmi Khajjannavar

‎02-20-2017 08:44 AM

Sounds like a plan! Please keep us posted!

Thank you for rating helpful posts!

0 Helpful

Laxmi Khajjannavar
Level 1
Level 1
In response to nspasov

‎02-20-2017 09:01 AM

Hi,

i haven't changed any timers on WLC,just decreased the DHCP lease from 1 day to 6:00 hrs and I already have /22 network pool. 

will observe for few days and post you with the results.

Thanks!! 

0 Helpful

Laxmi Khajjannavar
Level 1
Level 1
In response to Laxmi Khajjannavar

‎02-20-2017 09:09 AM

Hello Neno,

Can you look on to below link, if you can suggest anything on.

https://supportforums.cisco.com/discussion/13229631/cisco-ise-20-error-unable-send-sms

Thanks.,,Laxmi 

0 Helpful
Customers Also Viewed These Support Documents