09-11-2012 04:46 AM - edited 03-10-2019 07:31 PM
Does a user need Admin rights on his Windows laptop for the Central WebAuth DHCP Renew / Release to work?
Thanks.
09-11-2012 06:17 AM
Hi,
This isn't clearly defined in any of the user guides or release notes. However, a CoA event should be triggered when you switch from not compliant to compliant, and that should place you in the right VLAN.
I was testing VLAN change on a Windows machine at one of my client's sites and he was not a local administrator on his machine and it worked just fine. (However, I think the CoA was taking care of that.)
Thanks,
Tarik Admani
*Please rate helpful posts*
09-11-2012 08:21 AM
Thank you Tarik for your prompt reply.
I don't understand how CoA fixes the problem of the workstation. CoA tells the switch to assign a new VLAN, but it's not CoA per se that tells the workstation to reset the IP address, since CoA is between ISE and the switch only. It must be ISE then that sends a DHCP release / renew command to the workstation. I presume that for a Guest user that is done in the browser by ActiveX. So maybe the problem is that the web browser is not accepting ActiveX coding? If you have any other information on the DHCP release / renew process with CWA, it would be appreciated.
Thank you again for all the great posts you are contributing to this forum.
Catherine
09-11-2012 10:42 AM
Hi,
You are correct in the way CoA works, but in actuality it forces the dot1x reauthentication all the way down to the client, so if they hit another policy that places the client in the production VLAN, then the DHCP packets should be sent on the VLAN; since the VLAN is set in the authorization packet, DHCP traffic is then forwarded.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-11-2012 04:46 PM
No, it doesn't need admin rights. What the browser of the laptop/PC needs is ActiveX or Java.
That's why ISE can't trigger DHCP release/renew on most "Android" devices. I had this problem, so what I had to do was assign a DHCP lease time of 2 minutes in Cisco WLC, which is long enough for a guest to authenticate. Then guests have to be patient enough (less than 2 minutes) for the DHCP lease to expire.
09-12-2012 05:37 AM
Tarik, thanks for your explanation of CoA with DHCP.
Eduardo, thanks for the suggestion of playing with the DHCP timers. We'll try that.
Regards,
Cath.
01-15-2013 07:39 PM
Eduardo,
To be able to change the VLAN according to the user, does one actually need the Advanced license? Because so far from what is needed realized posture.