02-26-2017 06:55 AM
Hi Guys,
On a previous post I had a question about Wired Guest Flow scenario that required a VLAN switch and an IP renew on the new VLAN.
Jason Kunst had recommended many solutions to resolve the issue my customer was experiencing.
Now My customer wants to look at applying the below solution for the VLAN switch / DHCP IP renew scenario.
Jason: "Have the user login with CWA and then Register the endpoints by redirecting to a hotspot portal that will disconnect them after registration and cause a new connection on the new VLAN coming through"
Unfortunately I am not sure exactly how to configure the above flow recommended by Jason. Please see attached screenshot of what I currently have. How do I introduce the Hotspot Portal to this Policy along with CWA?
Thanks in advance
Nadeem Khan
02-27-2017 06:53 AM
Not exactly sure of the needed flow and types of users
Recommended disabling auto registration on the credentialed portal you are using
Yes, inject a rule between the initial redirect and the final permission off the endpoint group with the following:
Create a guest type called VLANCHANGE and use for self-reg
Create an endpoint group VLANCHANGE
If Guest_flow and guest_type VLANCHANGE equals X, then redirect to a hotspot portal that registers into endpoint group VLANCHANGE; make sure the Hotspot Portal is set to terminate, not re-auth (ISE 2.1 patch 1 and higher).
The flow would be like this:
1. User redirected to credentialed portal
2. After login, CoA takes place and the user is redirected to the hotspot portal for device registration
3. After registration, a CoA disconnect is sent
4. Device comes back in using endpoint group authorization in the new VLAN
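To make the rule ordering concrete, here is an added example (my own Python model, not configuration from this thread or from Cisco): a first-match walk through a three-rule authorization policy, with the hotspot "register device" rule injected between the catch-all CWA redirect and the final endpoint-group permit, replaying the four steps above. Rule names, VLAN ids, and the session attribute names are assumptions for illustration; the real ISE conditions would be Network Access:UseCase EQUALS Guest Flow, the guest type, and the endpoint identity group. The second policy shows what happens when the catch-all redirect is placed above the hotspot rule.

```python
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Session:
    """Attributes ISE sees for one wired session (simplified, assumed names)."""
    guest_flow: bool = False            # true after CWA login (Guest Flow use case)
    guest_type: str = ""                # guest type of the account that logged in
    endpoint_groups: set = field(default_factory=set)  # identity groups of the MAC


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: dict                        # authorization profile, reduced to a dict


# Top-down, first match wins, as in an ISE authorization policy.
# Names, VLAN ids and the 'coa_after' key are illustrative assumptions.
POLICY = [
    Rule("Registered_Guest_VLAN",                       # final permit off the endpoint group
         lambda s: "VLANCHANGE" in s.endpoint_groups,
         {"action": "permit", "vlan": 60}),
    Rule("Guest_Register_Device",                       # the rule injected in the middle
         lambda s: s.guest_flow and s.guest_type == "VLANCHANGE",
         {"action": "redirect", "portal": "hotspot",
          "register_into": "VLANCHANGE", "coa_after": "terminate"}),
    Rule("Guest_Initial_Redirect",                      # catch-all CWA redirect for unknown endpoints
         lambda s: True,
         {"action": "redirect", "portal": "credentialed", "vlan": 50}),
]

# Same rules with the catch-all moved to the top: the hotspot rule is shadowed.
MISORDERED = [POLICY[2], POLICY[0], POLICY[1]]


def authorize(session, policy=POLICY):
    """Return (rule name, result) of the first matching rule; default deny otherwise."""
    for rule in policy:
        if rule.condition(session):
            return rule.name, rule.result
    raise LookupError("no rule matched: implicit deny")


def walk_guest_flow(policy=POLICY):
    """Replay the four steps of the flow and return the rule hit at each step."""
    trace = []
    s = Session()
    # 1. Unknown MAC authenticates by MAB and hits the CWA redirect.
    trace.append(authorize(s, policy)[0])
    # 2. User logs in with a VLANCHANGE guest account; CoA reauth, session is now Guest Flow.
    s.guest_flow, s.guest_type = True, "VLANCHANGE"
    name, result = authorize(s, policy)
    trace.append(name)
    group = result.get("register_into")
    if group is None:
        return trace            # stuck at the CWA redirect again: the ordering loops
    # 3. Hotspot portal registers the MAC into the group, then CoA terminate (not reauth).
    s.endpoint_groups.add(group)
    # 4. Fresh session after the disconnect: guest-flow attributes are gone, membership stays.
    s = Session(endpoint_groups=s.endpoint_groups)
    trace.append(authorize(s, policy)[0])
    return trace


if __name__ == "__main__":
    print("correct order:", walk_guest_flow())
    print("misordered:   ", walk_guest_flow(MISORDERED))
```

The point of the trace is step 4: once the session is torn down and the device returns, nothing about the guest login survives, so the only attribute the final rule can key on is the endpoint group the hotspot portal wrote the MAC into. That is why the portal must terminate rather than reauthenticate, and why the group-based permit has to sit above the redirect rules.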
02-26-2017 07:18 AM
Hi,
I would like to add a question to the same case - ISE 2.1 Wired Guest Flow VLAN IP Release/Renew Issue.
Java applet for DHCP release/renew does not work with Mozilla browser on Windows 7 and 10, there is a bug about that.
It does not work with Chrome as well.
Active X works with IE, but not with Edge.
Question: Is it possible to modify the Guest portal flow, so that Radius CoA will not send reauth, but port bounce?
How could I configure port bounce in order to get a new IP address in the new VLAN?
Thanks,
Vlad
02-27-2017 06:55 AM
Unfortunately the release/renew is not recommended, as you can see from the many issues you run into. Please reach out to your account team if you need this functionality.
The recommended way to approach would be what I suggested in the answer to this thread.
We also recommend staying away from VLAN change for guests. If you need it, try using dot1x for your guest flows.
10-25-2017 03:26 AM
Hi Jason,
One question: should this configuration with CoA disconnect force the client to request a new IP address after the VLAN change?
Thanks.
Matteo
10-25-2017 05:07 AM
Yes, that's what I explained above, but it depends on your switch behavior; please see @utkarsh's post above.
10-25-2017 08:23 AM
Matteo,
We have shown and tested change of VLAN functionality using macros and ISE to at least two customers who seemed quite convinced. Nothing has been put into production yet.
In the PPT posted in the thread you would notice that we are disabling dot1x on the port after a guest connects using macros to avoid the guest session running into a loop.
However recently we found another solution where we can send the VLAN id in the radius request and make an authorization rule on ISE based on Guest VLAN to avoid the loop.
This way we can achieve change of VLAN as well as retain the mab session/ ip phone session on that port.
02-12-2018 12:33 PM
Matteo,
You would have to change the CoA response to port-bounce, which will force the client to re-IP in the guest VLAN. It is a fully supported feature and has been working fine in my labs. If you need more support, please do reach out to your account team; they should be able to help you with the exact configuration steps.
I would avoid using macros for guest, for it is going to be challenging to force port clean-up when accounts expire.
02-14-2018 12:25 AM
Hi Starvoise,
Thank you for your feedback. Please can you share your configuration on the switch side and on the ISE side?
Thanks,
Matteo
05-09-2018 07:17 PM
Which portion of the config from ISE are you interested in?
Switch side is pretty standard closed mode. We cannot have VLAN move and DHCP guest in Low Impact mode, for it introduces a catch-22 logic problem: the client needs an IP to get to the captive portal, and since the port is auth open it will always get an IP from the starting VLAN. Of course you can have all endpoints start in the guest VLAN, but I personally would recommend against it.
Here is the switch port config:
Rack01SW05(config)#do sh run inte g 1/0/1
Building configuration...
Current configuration : 570 bytes
!
interface GigabitEthernet1/0/1
switchport access vlan 50
switchport mode access
switchport nonegotiate
switchport voice vlan 51
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 1
spanning-tree portfast
end
!
Rack01SW05(config)#
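As an added example (my own Python, not a tool from the thread or from Cisco), here is a small parser for that kind of "show run interface" output together with a check for the closed-mode pattern Starvoise describes: it flags a port running in Low Impact mode (authentication open), where the client leases an address in the starting VLAN before it ever reaches the captive portal, and reports the MAB/dot1x commands the guest redirect depends on. The embedded sample is the interface block from the post; the check list and its wording are my own assumptions about what matters for this flow, not a Cisco recommendation.

```python
import re

# Sample input: the interface block posted above, embedded here so the script runs offline.
SAMPLE_SHOW_RUN = """\
Rack01SW05(config)#do sh run inte g 1/0/1
Building configuration...

Current configuration : 570 bytes
!
interface GigabitEthernet1/0/1
 switchport access vlan 50
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 51
 authentication control-direction in
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
 spanning-tree portfast
end
"""


def parse_interface(show_run):
    """Return (interface name, list of its config lines) from 'show run interface' output."""
    name, body = None, []
    for raw in show_run.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            name, body = m.group(1), []
            continue
        if name is None or line in ("", "!"):
            continue                      # banner lines before the block, separators
        if line == "end":
            break
        body.append(line)
    return name, body


def has_cmd(body, cmd):
    """True if cmd appears as a whole command (exact, or followed by arguments)."""
    return any(l == cmd or l.startswith(cmd + " ") for l in body)


# Commands the CWA-then-hotspot guest flow relies on, with the reason each matters
# (my own list, assumed for this check).
REQUIRED = [
    ("authentication port-control auto", "the port must enforce authentication, or CoA changes nothing"),
    ("mab", "MAB is what lets an unknown guest MAC reach the CWA redirect"),
    ("dot1x pae authenticator", "dot1x PAE is needed alongside MAB"),
    ("authentication order dot1x mab", "try dot1x first, then fall back to MAB"),
]


def audit_guest_vlan_port(body):
    """Return a list of findings; an empty list means the port fits the closed-mode pattern."""
    findings = []
    if has_cmd(body, "authentication open"):
        findings.append("Low Impact mode ('authentication open'): the client leases an IP in the "
                        "starting VLAN before CWA, so a VLAN move will not re-IP it")
    for cmd, why in REQUIRED:
        if not has_cmd(body, cmd):
            findings.append(f"missing '{cmd}': {why}")
    return findings


if __name__ == "__main__":
    name, body = parse_interface(SAMPLE_SHOW_RUN)
    print(name, "->", audit_guest_vlan_port(body) or "closed mode, no findings")
```

Run it against a pasted "show run interface" block from any port in the guest VLAN pool; a clean result means the port is in closed mode with both MAB and dot1x in place, which is the precondition the post gives for a VLAN move plus DHCP re-IP to work.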