ISE change of VLAN for wireless endpoints

adityaM1234
Level 1

Hi,

I have configured a posture policy on ISE for posture-compliant and non-compliant endpoints such that posture-compliant endpoints are placed in the clean VLAN and non-compliant ones in a different VLAN.

Now, my issue is that even when an endpoint is posture compliant it is not getting placed in the clean VLAN. To get an IP address from the clean VLAN, ipconfig /release and ipconfig /renew have to be run manually.

How do I resolve the issue?

 

 

regards,

aditya

 

 


7 Replies

Saurav Lodh
Level 7

If you assign a VLAN, the final step is for the client PC to renew its IP address. This step is achieved by the guest portal for Windows clients. If you did not set a VLAN for the 2nd AUTH rule earlier, you can skip this step.

If you assigned a VLAN, complete these steps in order to enable IP renewal:

  1. Click Administration, and then click Guest Management.
  2. Click Settings.
  3. Expand Guest, and then expand Multi-Portal Configuration.
  4. Click DefaultGuestPortal or the name of a custom portal you created.
  5. Click the VLAN DHCP Release check box.

Hi,

Thanks for the reply.

I made the changes mentioned, but the endpoint is still not getting an IP from the clean VLAN; when I check on the WLC, the endpoint has been placed in the clean VLAN.

I believe the solution you mentioned is for guest access; here I want to check posture for employees.

Any other solutions?

regards,

aditya

Aditya,

At the end of a posture process (the NAC agent informs ISE about the compliant status) the endpoint has already obtained an IP address on the VLAN it was placed in as per the WLAN settings.

If at this point you push down an overriding VLAN attribute in the Access-Accept (compliant or not), the WLC will successfully switch the client to the new VLAN, but there is no way to force the client to go through a DHCP release/renew.

The only way to trigger something like this after the endpoint has obtained an IP address in the old VLAN is to redirect the endpoint back to one of ISE's portals (CWA / DRW) and then trigger a VLAN DHCP release/renew through the Java applet. This is the solution salodoh is referring to.

That is the reason why we always recommend dynamic VLAN assignment only as a result of a Layer 2 authentication (when the client hasn't obtained an IP yet).

Regards,

Tony

 

 

Thank you guys for your solutions. I configured ISE as per the solution and it's working.

Now, one more issue. As per the Authorization Policy, the endpoint is checked for posture compliance as below:

1) Endpoint is tested for posture compliance (Temporary Network Access window pops up)

2) Endpoint passes the posture compliance test

3) Endpoint is given Full Network Access (Full Network Access window pops up)

The above process continues endlessly, and the "Temporary Network Access" window and the "Full Network Access" window appear again and again on screen even after the endpoint has been placed in the clean VLAN (even after a successful IP renew).

Is there any solution to stop these message windows from appearing on screen continuously?

 

Regards,

Aditya

 

How did you solve the issue of VLAN assignment for wireless users? I'm facing the same problem and I can't get the new VLAN assigned to users.

Thank you in advance,

 

Hi,

We created and provided a posture agent profile (.cfg) with client provisioning.

Policy -> Policy Elements -> Client Provisioning -> Resources

Add a new posture agent profile. Make the settings as per the .jpg file.

After creating the .cfg, attach it in client provisioning as per the second .jpg file.

Hope this solves your issue.

Thanks,

Aditya
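The two answers above describe the same mechanism from both sides: Tony explains why a VLAN pushed in the Access-Accept after posture leaves the client holding a lease from the old VLAN, and Aditya's fix is the posture agent profile whose VLAN-detection settings make the agent do the release/renew itself. The following Python simulation is an added example written for this page, not Cisco's agent code and not the .cfg from the thread. The profile field names mirror the ISE agent-profile labels as I recall them (VLAN detection interval, Retry detection, DHCP release delay, DHCP renew delay); the decision rule (refresh after N consecutive unanswered gateway probes), the command lines, and the 10.10.20.0/24 quarantine and 10.10.30.0/24 clean subnets are all assumptions constructed for the example.

```python
"""
Simulation of posture-agent VLAN detection after an ISE VLAN change.

Added example for this page; assumptions (not Cisco's implementation):
- the agent probes the default gateway (ping or ARP) every
  vlan_detect_interval seconds and treats retry_detection consecutive
  failures as "the WLC moved me to a new VLAN";
- it then runs the same ipconfig /release and /renew the original poster
  was typing by hand, with the configured delays between them.
"""
import ipaddress
import subprocess
import time
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class VlanDetectProfile:
    vlan_detect_interval: int = 5   # seconds between gateway probes; 0 = detection off
    retry_detection: int = 3        # consecutive failed probes before refreshing the lease
    dhcp_release_delay: int = 1     # seconds to wait before "ipconfig /release"
    dhcp_renew_delay: int = 1       # seconds to wait before "ipconfig /renew"


@dataclass
class Lease:
    ip: str
    gateway: str


def needs_ip_refresh(profile: VlanDetectProfile, probe_results: List[bool]) -> bool:
    """True when detection is enabled and the last retry_detection probes
    (True = gateway answered) all failed, i.e. the old gateway is gone
    because the client now sits on a different VLAN."""
    if profile.vlan_detect_interval <= 0:
        return False
    n = profile.retry_detection
    if n <= 0 or len(probe_results) < n:
        return False
    return not any(probe_results[-n:])


def refresh_commands(profile: VlanDetectProfile) -> List[Tuple[int, List[str]]]:
    """(delay_seconds, argv) sequence for the Windows lease refresh."""
    return [
        (profile.dhcp_release_delay, ["ipconfig", "/release"]),
        (profile.dhcp_renew_delay, ["ipconfig", "/renew"]),
    ]


def run_refresh(profile: VlanDetectProfile, dry_run: bool = True) -> List[List[str]]:
    """Run the refresh. dry_run=True only returns the commands so the
    simulation runs on any OS; set it False on a Windows endpoint."""
    executed = []
    for delay, argv in refresh_commands(profile):
        if not dry_run:
            time.sleep(delay)
            subprocess.run(argv, check=False)
        executed.append(argv)
    return executed


def lease_on_vlan(lease: Lease, vlan_subnet: str) -> bool:
    """Check that the (new) lease belongs to the target VLAN's subnet;
    this is what the WLC client table alone cannot tell you."""
    return ipaddress.ip_address(lease.ip) in ipaddress.ip_network(vlan_subnet)


def simulate_posture_vlan_change(
    profile: VlanDetectProfile,
    quarantine_lease: Lease,
    clean_lease: Lease,
    probe_timeline: List[bool] = (True, True, False, False, False, False),
) -> Tuple[bool, Lease]:
    """Walk the thread's scenario: the client got quarantine_lease at L2 auth,
    posture passed, ISE pushed the clean VLAN, the WLC switched the client and
    the quarantine gateway stopped answering (constructed probe_timeline).
    Returns (refreshed, final_lease)."""
    probes: List[bool] = []
    for answered in probe_timeline:
        probes.append(answered)
        if needs_ip_refresh(profile, probes):
            run_refresh(profile, dry_run=True)
            return True, clean_lease   # constructed: DHCP on the clean VLAN answers
    return False, quarantine_lease     # detection off: stale lease, the OP's symptom


if __name__ == "__main__":
    quarantine = Lease("10.10.20.50", "10.10.20.1")
    clean = Lease("10.10.30.77", "10.10.30.1")
    for prof in (VlanDetectProfile(), VlanDetectProfile(vlan_detect_interval=0)):
        refreshed, final = simulate_posture_vlan_change(prof, quarantine, clean)
        print(f"detect_interval={prof.vlan_detect_interval}: refreshed={refreshed}, "
              f"ip={final.ip}, on clean VLAN={lease_on_vlan(final, '10.10.30.0/24')}")
```

Running it shows the two outcomes side by side: with the interval left at 0 (detection off) the endpoint keeps its 10.10.20.x lease even though the WLC reports it on the clean VLAN, which is exactly what the original poster saw; with detection on, three unanswered gateway probes trigger the release/renew and the new lease lands in 10.10.30.0/24.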

 

 

 

Thank you very much Aditya, now the VLAN change is done!