ISE Guest Flow / Vlan Change after Authentication

awatson20
Level 4

We have a traditional guest flow that redirects clients to a guest portal page in ISE, and after authentication, they are associated with an SSID configured for that WLAN on the WLC. Is it possible to place specific clients, based on the NAD (WLC), on a different VLAN after authenticating? We would not want this to apply to all guest clients, just clients that are connected to certain WLCs. The VLAN would be different for each WLC/site where we would want to do this. So, different WLC and VLAN. How can this be easily achieved without extensive change to the authorization rule set in ISE?


Hi @awatson20 ,

Please take a look at: ISE Self Registered Guest Portal Configuration Example.

"... There is a similar configuration for Accounting. It is also advised to configure the WLC to send SSID in the Called Station ID attribute, which allows the ISE to configure flexible rules based on SSID..."


Hope this helps !!!

hslai
Cisco Employee

awatson20, the sequence of events is not exactly what you described.

  1. A guest SSID/WLAN is configured for open/PSK but with MAC filtering to check against ISE and ISE has policies to redirect the endpoints to an ISE guest portal and to grant more access after guest logins.
  2. An endpoint associates with the guest SSID/WLAN
  3. The user is presented with the ISE guest portal, signs in, accepts the AUP, etc.
  4. ISE triggers an authorize-only CoA, and the WLC performs another auth against ISE and grants more access to the endpoint.

Thus, the endpoint does not move SSID/WLAN after sign-in. Please note that each SSID/WLAN has a default VLAN, which can be different from WLC to WLC, and this default VLAN is what the endpoints get unless overridden by ISE. Although it is possible to have different subnets before and after the guest sign-in, it's not recommended because the endpoint is unlikely to automatically refresh its IP address and get a new assignment from the new subnet. If you have to do so, then consider having either a short DHCP lease/refresh interval or the same IP subnet in the pre-auth and post-auth VLANs.
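To make the two authorization passes and the subnet caveat concrete, here is an added Python model of the flow described above (example code written for this page, not ISE's or Cisco's own). It assumes the WLC sends Called-Station-Id as `<AP-MAC>:<SSID>`, and the WLC addresses, VLAN numbers, subnets, redirect ACL name and portal URL are constructed placeholders.

```python
import ipaddress

GUEST_SSID = "Guest"  # constructed SSID name

# Constructed per-WLC table (hypothetical addresses and VLANs): the default VLAN
# the guest WLAN has on each WLC, and the VLAN ISE pushes after guest login.
WLC_VLANS = {
    # WLC NAS-IP : ((pre-auth VLAN, subnet), (post-auth VLAN, subnet))
    "10.1.1.5": (("100", "10.100.0.0/24"), ("100", "10.100.0.0/24")),  # same subnet both passes
    "10.2.1.5": (("200", "10.200.0.0/24"), ("210", "10.210.0.0/24")),  # subnet changes on CoA
}


def parse_called_station_id(value):
    """Split the WLC's Called-Station-Id ('<AP-MAC>:<SSID>') into (mac, ssid)."""
    mac, sep, ssid = value.partition(":")
    if not sep or not ssid:
        raise ValueError("Called-Station-Id does not carry the SSID: %r" % value)
    return mac.lower(), ssid


def authorize(request, guest_logged_in):
    """Model the two authorization passes: MAB before login -> portal redirect;
    re-auth after the authorize-only CoA -> full access with this WLC's VLAN."""
    nas = request["NAS-IP-Address"]
    _mac, ssid = parse_called_station_id(request["Called-Station-Id"])
    if ssid != GUEST_SSID or nas not in WLC_VLANS:
        return {"Reply": "Access-Reject"}
    if not guest_logged_in:
        # Pass 1: send the endpoint to the guest portal via Cisco AVPairs.
        return {"Reply": "Access-Accept",
                "Cisco-AVPair": ["url-redirect-acl=GUEST_REDIRECT",
                                 "url-redirect=https://ise.example.invalid:8443/portal/"]}
    # Pass 2 (after CoA): RFC 3580 VLAN override selected per WLC, not per rule.
    vlan = WLC_VLANS[nas][1][0]
    return {"Reply": "Access-Accept", "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": vlan}


def subnet_changes_after_login(nas):
    """Flag WLCs where the post-login VLAN is a different subnet, i.e. where the
    endpoint keeps its stale pre-auth address until the DHCP lease is renewed."""
    pre, post = WLC_VLANS[nas]
    return ipaddress.ip_network(pre[1]) != ipaddress.ip_network(post[1])
```

Running `subnet_changes_after_login` over every WLC in the table is the check to do before enabling a per-site VLAN override, since any site it flags needs either a short DHCP lease or a shared pre-auth/post-auth subnet.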