We have been using ISE for wireless corporate and guest access for some time with no problems. Now we are planning to expand access control to the wired LAN. We plan to use web authentication with dynamic VLAN assignment for both visitors and contractors. In our testing we have had some problems with IP address renewal, since some browsers restrict Java and others don't support it at all. Has anyone implemented a wired solution for Guest/Contractor access using ISE? Is using dynamic VLAN assignment for guests a viable scenario?
If I may ask, are you using posture assessment for Guest/Contractors during authorization (via NAC Web-Agent, for example)?
The reason I'm asking is that you may push a NAC posture profile, which should have the option "Enable agent IP refresh" enabled, so it would refresh the IP address of the endpoint once it is deemed compliant.
Attached is a screenshot of that, under Client provisioning --> Resources in Cisco ISE 1.4.
I have implemented Guest/Contractor access for one of my customers, but they are using dACLs as enforcement.
I have tested it myself using VLAN change, but I'm always using static IP addresses, and as Cofig T has stated, you have to live with endpoint issues of not changing IP addresses.