10-30-2014 03:48 AM - edited 03-10-2019 10:09 PM
Hi,
I have configured posture policy on ISE for posture compliant and non compliant end points such that, posture compliant end points will fall in clean VLAN and non compliant will fall in other.
Now, my issue is, even if an end point is posture compliant, it is not getting placed in the clean VLAN. To get an IP address from the clean VLAN, it requires ipconfig /release and ipconfig /renew to be done manually.
How to resolve the issue?
regards,
aditya
10-30-2014 05:31 PM
If you assign a VLAN, the final step is for the client PC to renew its IP address. This step is achieved by the guest portal for Windows clients. If you did not set a VLAN for the 2nd AUTH rule earlier, you can skip this step.
If you assigned a VLAN, complete these steps in order to enable IP renewal:
10-30-2014 11:38 PM
Hi,
Thanks for the reply.
I made the changes mentioned, but the end point is still not getting an IP from the clean VLAN; when I check on the WLC, the end point has been placed in the clean VLAN.
I believe that the solution you mentioned is for Guest access; here I want to check posture for employees.
Any other solutions?
regards,
aditya
10-31-2014 05:21 PM
Aditya,
At the end of a posture process (the NAC agent informs ISE about compliant status), the endpoint has already grabbed an IP address on the VLAN where it is placed as per WLAN settings.
If at this point you push down an overriding VLAN attribute in the access-accept (compliant or not), the WLC will successfully switch the client to the new VLAN, but there is no way to force the client to go through DHCP release/renew.
The only way to trigger something like this after the endpoint has grabbed an IP address in the old VLAN is to redirect the endpoint back to one of ISE's portals (CWA / DRW) and then trigger a VLAN DHCP release/renew through a Java applet. This is the solution salodoh is referring to.
That is the reason why we always recommend dynamic VLAN assignment only as a result of a layer 2 authentication (when the client hasn't grabbed an IP yet).
Regards,
Tony
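The symptom described in the post above (the controller shows the client in the new VLAN while the client still holds an address from the old one) can be audited for after the fact. The following is an added example, not part of the original thread and not Cisco tooling; the VLAN IDs, subnets, MAC addresses and session tuples are constructed for illustration.

```python
import ipaddress

# Constructed VLAN-to-subnet plan (assumption, not from the thread).
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.10.10.0/24"),  # pre-posture / non-compliant VLAN
    20: ipaddress.ip_network("10.10.20.0/24"),  # clean VLAN
}

# Constructed client sessions as a controller export might list them:
# (MAC, VLAN applied by the RADIUS override, IP the client is currently using).
SESSIONS = [
    ("00:11:22:33:44:01", 20, "10.10.20.57"),  # renewed after the VLAN change
    ("00:11:22:33:44:02", 20, "10.10.10.83"),  # moved to clean VLAN, kept old lease
    ("00:11:22:33:44:03", 10, "10.10.10.91"),  # still non-compliant, consistent
    ("00:11:22:33:44:04", 30, "10.10.30.5"),   # VLAN missing from the plan
]


def find_stale_leases(sessions, vlan_subnets):
    """Return sessions whose IP is outside the subnet of their current VLAN."""
    findings = []
    for mac, vlan, ip in sessions:
        subnet = vlan_subnets.get(vlan)
        if subnet is None:
            # Cannot judge the lease without knowing the VLAN's subnet.
            findings.append((mac, vlan, ip, "unknown-vlan"))
            continue
        addr = ipaddress.ip_address(ip)
        if addr not in subnet:
            # Identify which known VLAN the leftover address came from.
            origin = next((v for v, n in vlan_subnets.items() if addr in n), None)
            findings.append((mac, vlan, ip, f"stale-lease-from-vlan-{origin}"))
    return findings


if __name__ == "__main__":
    for finding in find_stale_leases(SESSIONS, VLAN_SUBNETS):
        print(finding)
```

Clients flagged as stale are the ones that were switched at layer 2 after they had already completed DHCP and have not renewed since.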
11-04-2014 05:34 AM
Thank you guys for your solutions. I configured ISE as per the solution and it's working.
Now, one more issue. As per the Authorization Policy, the EndPoint is checked for Posture Compliant as below:
1) EndPoint is tested for Posture Compliant (Temporary Network Access window pops up)
2) EndPoint passes Posture Compliant test
3) EndPoint is given Full Network Access (Full Network Access window pops up)
The above process continues endlessly, and the "Temporary Network Access" window and "Full Network Access" window appear again and again on screen even after the EndPoint is placed in the clean VLAN (even after successful IP renew).
Is there any solution to stop these message windows from appearing on screen continuously?
Regards,
Aditya
06-18-2015 01:30 PM
How did you solve the issue of VLAN assignment with wireless users? I'm facing the same problem and I can't get them to get the new VLAN to users.
Thank you in advance,
06-22-2015 12:54 AM
Hi,
We created and provided a posture agent profile (.cfg) with client provisioning.
Policy->Policy Elements->Client provisioning->Resources
Add a new posture agent profile. Make settings as per the .jpg file.
After making the .cfg, attach it in client provisioning as per the second .jpg file.
Hope this solves your issue.
Thanks,
Aditya
06-22-2015 08:24 AM
Thank you very much Aditya, now the vlan change is done!