ISE Guest and contractor dynamic vlan assignment

Juliano Luz
Level 1

We have been using ISE for wireless corporate and guest access for some time with no problems. Now we are planning to expand access control to the wired LAN. We plan to use web authentication with dynamic VLAN assignment for both visitors and contractors. In our testing we have had some problems with IP address renewal, since some browsers restrict Java and others don't support it at all. Has anyone implemented a wired solution for Guest/Contractor access using ISE? Is using dynamic VLAN assignment for guests a viable scenario?

2 Replies

Config T
Level 1

There's really no way around it. If you want dynamic VLAN assignment to endpoints you're going to have to live with IP renewal issues from time to time.

If possible, avoid the dynamic VLAN assignment and instead do security another way, like dACL or SGT.

If I may ask, are you using posture assessment for Guest/Contractors during authorization (via the NAC Web Agent, for example)?

The reason I'm asking is that you may push a NAC posture profile, which should have the option "Enable agent IP refresh" enabled, so it would refresh the IP address of the endpoint once it is deemed compliant.

Attached screen shot for that under Client provisioning --> Resources in Cisco ISE 1.4

I have implemented Guest/Contractor access for one of my customers, but they are using dACLs as an enforcement.

I have tested it myself using VLAN change, but I'm always using static IP addresses. And as Config T has stated, you have to live with endpoint issues of not changing IP addresses.
