04-08-2022 07:10 AM
Hello Cisco Community,
At my company we have a guest portal solution for wired and wireless guests, which is placed inline. So everything is routed through that appliance. First you have to accept the user agreements, then you can access the internet. Now, we would like to move to the Cisco ISE guest portal, but the problem is that the switches the clients are connected to do not support CoA. Do you know of any solution or an appliance which can be placed inline, which can do something like a redirection to the ISE?
Has anyone of you implemented a guest portal solution for wired clients with Cisco ISE without CoA able switches? If yes, how did you implement it?
Hope you get what I meant. Thanks in advance.
Kind regards
Phil
04-12-2022 11:07 AM
My document Does ISE Support My Network Access Device? talks about the use of Authentication VLANs for old switches that can only do VLANs and no RADIUS CoA.
You may need to use SNMP for CoA.
04-09-2022 02:56 PM
the problem is that the switches the clients are connected to do not support CoA.
Do you know of any solution or an appliance which can be placed inline, which can do something like a redirection to the ISE?
-IMO best/easiest option is to upgrade the switch to something that supports CoA. This way you get the full/desirable workflow for true guest portal design/deployment.
Has anyone of you implemented a guest portal solution for wired clients with Cisco ISE without CoA able switches? If yes, how did you implement it?
-AFAIK this is not a feasible option since CoA is a main component in this type of solution. You need the CoA in order to permit access to certain resources post auth.
04-10-2022 09:45 PM
Hi @herophil322
A couple of years back I was working on a customer project involving non-Cisco switches that did not support CoA, nor did they support URL redirection. ISE was involved, and so was a Cisco 3850 switch that acted in some capacity to handle the CoA on behalf of the switch for an ISE Guest Portal solution. I don't recall how this worked, but it was quite a complex workaround.
ISE has a DHCP and DNS server functionality specifically for NADs that don't handle URL redirection. It's not a commonly used feature in ISE. Perhaps someone in the ISE BU has some details on how this worked (including the "surrogate" CoA part running on a separate switch).