cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4472
Views
8
Helpful
10
Replies

ISE 2.1 Wired Guest Flow VLAN IP Release/Renew Issue

nadeekha
Level 1
Level 1

Hi Guys,

On a previous post I had a question about Wired Guest Flow scenario that required a VLAN switch and an IP renew on the new VLAN.

Jason Kunst had recommended many solutions to resolve the issue my customer was experiencing.

Now My customer wants to look at applying the below solution for the VLAN switch / DHCP IP renew scenario.

Jason:·"Have the user login with CWA and then Register the endpoints by redirecting to a hotspot portal that will disconnect them after registration and cause a new connection on the new VLAN coming through"

Unfortunately I am not sure exactly how to configure the above flow recommended by Jason. Please see attached screenshot of what I currently have. How do I introduce the Hotspot Portal to this Policy along with CWA?Screen Shot 2017-02-26 at 9.38.40 AM.png

Thanks in advance

Nadeem Khan

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee

Not exactly sure of the needed flow and types of users

Recommended disabling auto registration on the credentialed portal you are using

yes inject a rule between the initial redirect and then the final permission off endpoint group with the following

Create a guest type called VLANCHANGE and use for self-reg

Create an endpoint  group VLANCHANGE

if Guest_flow and guest_type VLANCHANGE equals X then redirect to hotspot portal that registers into endpoint group VLAN CHANGE, make sure Hotspot Portal is set to terminate not re-auth (ISE 2.1 patch 1 and higher)

The flow would be like this

1. User redirected to credentialed portal

2. after login, COA takes place and redirected to hotspot portal for device registration

3. After registration COA disconnect is sent

4. device comes back in using endpoint group authorization in new VLAN

View solution in original post

10 Replies 10

Hi,

I would like to add a question to the same case - ISE 2.1 Wired Guest Flow VLAN IP Release/Renew Issue.

Java applet for DHCP release/renew does not work with Mozilla browser on Windows 7 and 10, there is a bug about that.

It does not work with Chrome as well.

Active X works with IE, but not with Edge.

Question: Is it possible to modify the Guest portal flow, so that Radius CoA will not send reauth, but port bounce?

How could I configure port bounce in order to get a new IP address in the new VLAN?

Thanks,

Vlad

unfortunately the release, renew is not recommended as you can see many issues you run into. please reach out with your account team if you are needing this functionality.

The recommended way to approach would be what I suggested in the answer to this thread.

We also recommend staying away from VLAN change for guests. If you need it try using dot1x for your guest flows

Jason Kunst
Cisco Employee
Cisco Employee

Not exactly sure of the needed flow and types of users

Recommended disabling auto registration on the credentialed portal you are using

yes inject a rule between the initial redirect and then the final permission off endpoint group with the following

Create a guest type called VLANCHANGE and use for self-reg

Create an endpoint  group VLANCHANGE

if Guest_flow and guest_type VLANCHANGE equals X then redirect to hotspot portal that registers into endpoint group VLAN CHANGE, make sure Hotspot Portal is set to terminate not re-auth (ISE 2.1 patch 1 and higher)

The flow would be like this

1. User redirected to credentialed portal

2. after login, COA takes place and redirected to hotspot portal for device registration

3. After registration COA disconnect is sent

4. device comes back in using endpoint group authorization in new VLAN

Hi Jason,

One question, does this configuration with CoA disconnect should force the client the request a new IP address after the VLAN change ?

Thanks.

Matteo

Yes That’s what I explained above but it depends on your switch behavior, please see @utkarsh post above

Matteo,

We have shown and tested change of VLAN functionality using macros and ISE to atleast two customers who seemed quite convinced. Nothing has been put into production yet.

In the PPT posted in the thread you would notice that we are disabling dot1x on the port after a guest connects using macros to avoid the guest session running into a loop.

However recently we found another solution where we can send the VLAN id in the radius request and make an authorization rule on ISE based on Guest VLAN to avoid the loop.

This way we can achieve change of VLAN as well as retain the mab session/ ip phone session on that port.

Matteo,

You would have to change CoA response to be port-bounce which will force the client to re-ip in the guest vlan. It is fully sported feature and has been working fine in my labs. If you need more support, please do reach to your account team, they should be able to help you with exact configuration steps.

I would avoid using macros for guest for it is gong to be challenging to force port clean up when accounts expire.

Hi Starvoise,

Thank you for your feedback. Please can you share your configuration on the switch side and on the ISE side?

Thanks,

Matteo

Which portion of the config from ISE are you interested in?

Switchside is pretty standard closed mode. We cannot have VLAN move and DHCP Guest in Low Impact mode for it introduces catch 22 logic problem: client needs an IP to get to captive portal and since the port is auth open it will always get an IP from the starting VLAN. Of course you can have all end points start in the guest VLAN but I personally would recommend against it.

Here is the switch port config:

Rack01SW05(config)#do sh run inte g 1/0/1

Building configuration...

Current configuration : 570 bytes

!

interface GigabitEthernet1/0/1

switchport access vlan 50

switchport mode access

switchport nonegotiate

switchport voice vlan 51

authentication control-direction in

authentication event fail action next-method

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 5

dot1x max-reauth-req 1

spanning-tree portfast

end

!

Rack01SW05(config)#