02-01-2017 09:16 AM
Hi Experts,
I have implemented a rule for my customer to have Guest users go through CWA redirect and, after authorization, get placed into the Guest VLAN. The entire flow works as expected: the Guest user is first in the Corp VLAN (obtains an IP from that VLAN) to access the CWA portal and then gets put into the Guest VLAN. The issue I am seeing is that once the user is put into the Guest VLAN, the IP address release/renew does not occur right away. It takes 10-15 minutes if nothing is done. Manual renewal of the IP works right away.
If I enable the "VLAN DHCP Release Page" setting on the portal, then the user gets prompted to install the applet and the IP is renewed automatically. I have tested the applet on Windows and it works.
My questions are below:
1. Is there another way to handle this without user intervention? Some way that, once put into the Guest VLAN, the DHCP renew would automatically be initiated?
2. I have tested the Java applet on Windows and it seems to work. What about other guest endpoints, OSX etc.? Any known issues or gotchas for non-Windows devices?
Thanks
Nadeem
02-01-2017 09:37 AM
It's not recommended to do VLAN changes for guests, as there are issues with Java/ActiveX applets and you have no control of guest devices.
There is no supplicant like dot1x to control the IP change.
If you must change IP addresses, then the recommendation would be to do either of the following:
· Don’t use the applets
· Set up a low DHCP lease time for the initial VLAN so when the user moves it updates quickly
· Have the user log in with CWA and then register the endpoints by redirecting to a hotspot portal that will disconnect them after registration and cause a new connection on the new VLAN coming through
· Use dot1x for the guests by pre-registration or have them register for an account (make sure you use an account that’s activated immediately (from first login), or make sure to check the bypass guest portal in the guest type)
02-01-2017 09:45 AM
Thanks Jason!!
Those were great alternative solutions. I will ask the customer to give those a try and see how it goes.
Nadeem Khan CISSP, CRISC
Network Consulting Engineer
Cisco Services
Cisco Security Solutions - Integration
nadeekha@cisco.com
Mobile: +1 416 8199934
Cisco.com - http://www.cisco.com