ISE CWA DHCP renew/release

cpaquet
Level 1

Does a user need admin rights on his Windows laptop for the Central WebAuth DHCP Renew / Release to work?

Thanks.

1 Accepted Solution

No, it doesn't need admin rights. What the browser of the laptop/PC needs is ActiveX or Java.

That's why ISE can't trigger DHCP release/renew on most "Android" devices. I had this problem, so I had to assign a DHCP lease time of 2 minutes in the Cisco WLC, which is long enough for a guest to authenticate. Then guests have to be patient enough (less than 2 minutes) for the DHCP lease to expire.

6 Replies

Tarik Admani
VIP Alumni

Hi,

This isn't clearly defined in any of the user guides or release notes. However, a CoA event should be triggered when you switch from not compliant to compliant, and that should place you in the right VLAN.

I was testing VLAN change on a Windows machine at one of my client's sites and he was not a local administrator on his machine and it worked just fine. (However, I think the CoA was taking care of that.)

Thanks,

Tarik Admani
*Please rate helpful posts*

Thank you Tarik for your prompt reply.

I don't understand how CoA fixes the problem of the workstation. CoA tells the switch to assign a new VLAN, but it's not CoA per se that tells the workstation to reset the IP address, since CoA is between ISE and the switch only. It must be ISE then that sends a DHCP release / renew command to the workstation. I presume that for a Guest user that is done in the browser by ActiveX. So maybe the problem is that the web browser is not accepting ActiveX coding? If you have any other information on the DHCP release / renew process with CWA, it would be appreciated.

Thank you again for all the great posts you are contributing to this forum.

Catherine

Hi,

You are correct about the way CoA works, but in actuality it forces the dot1x reauthentication all the way down to the client, so if they hit another policy that places the client in the production VLAN, then the DHCP packets should be sent on the VLAN; since the VLAN is set in the authorization packet, DHCP traffic is then forwarded.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik, thanks for your explanation of CoA with DHCP.

Eduardo, thanks for the suggestion of playing with the DHCP timers. We'll try that.

Regards,

Cath.

Eduardo,

To be able to change the VLAN according to the user, do you actually need the Advanced license? Because so far from what is needed realized posture.
