ISE GUEST portal for wired Clients without CoA possible solution?

herophil322
Level 1

Hello Cisco Community,

At my company we have a guest portal solution for wired and wireless guests, which is placed inline, so everything is routed through that appliance. First you have to accept the user agreements, then you can access the internet. Now we would like to move to the Cisco ISE guest portal, but the problem is that the switches the clients are connected to do not support CoA. Do you know of any solution or an appliance which can be placed inline and which can do something like a redirection to the ISE?

Has anyone of you implemented a guest portal solution for wired clients with Cisco ISE without CoA-able switches? If yes, how did you implement it?


Hope you get what I meant. Thanks in advance.

Kind regards

Phil

1 Accepted Solution

thomas
Cisco Employee

My document "Does ISE Support My Network Access Device?" talks about the use of Authentication VLANs for old switches that can only do VLANs and no RADIUS CoA.

You may need to use SNMP for CoA.

3 Replies

Mike.Cifelli
VIP Alumni

the problem is that the switches the clients are connected to do not support CoA.

Do you know of any solution or an appliance which can be placed inline, which can do something like a redirection to the ISE?

-IMO best/easiest option is to upgrade the switch to something that supports CoA.  This way you get the full/desirable workflow for true guest portal design/deployment.

Has anyone of you implemented a guest portal solution for wired clients with Cisco ISE without CoA-able switches? If yes, how did you implement it?

-AFAIK this is not a feasible option since CoA is a main component in this type of solution.  You need the CoA in order to permit access to certain resources post auth.

Hi @herophil322

A couple of years back I was working on a customer project involving non-Cisco switches that did not support CoA, nor did they support URL redirection. ISE was involved, and so was a Cisco 3850 switch that acted in some capacity to handle the CoA on behalf of the switch for an ISE Guest Portal solution. I don't recall how this worked, but it was quite a complex workaround.

ISE has a DHCP and DNS server functionality specifically for NADs that don't handle URL redirection. It's not a commonly used feature in ISE. Perhaps someone in the ISE BU has some details on how this worked (including the "surrogate" CoA part running on a separate switch).
