ISE Guest Portal: CoA not working with iPhones

Stefan Sawluk
Level 1

Hello,

I have a problem with our ISE 2.7 distributed deployment and the CoA after a guest with an iPhone successfully registers. We use self-registration with an approval process and a single SSID.

After the client successfully registers, he gets a guest VLAN assigned.

Since we updated to version 2.7, it has not worked for iOS devices. For Android devices it still works.

The strange thing is that the WiFi controller receives a CoA message, but the iOS device will not renew the address.

Does anybody also have this problem? 

We use version 8.5.141 on the 5520 WiFi controller.

1 Reply

Arne Bier
VIP

Why are you switching VLANs on a guest network? It's generally not done because clients might have a hard time, especially since the WLAN authentication is Open - which means that the client gets an L3 address no matter what - the WLC will ensure that the client is either in "URL redirection mode" or in "RUN mode" - but in both cases, just use the same VLAN that assigned the IP address to the client from the very beginning - scope the IP subnet large enough and create short DHCP lease times. The NAC (ISE) then flips the WLC session into captive portal (restrict client access to use only DNS and ISE Portal via WLC ACLs), or when authenticated, then flips the client to "RUN" mode by relaxing the ACL (block RFC 1918 and allow the rest).

Just out of curiosity, you say that the WLC receives the CoA - have you seen the tcpdump on ISE to see the CoA go to WLC, and then also see the CoA ACK from the WLC? If you don't see the CoA ACK then perhaps something went wrong on the WLC, or something else.
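
The check suggested in the reply above (does each CoA sent by ISE get a CoA ACK back from the WLC?) can be automated over UDP payloads exported from a capture. This is an added example, not part of the original thread: it assumes the RADIUS payloads are already extracted with their source and destination, and the sample packets and the "ise"/"wlc" labels are constructed.

```python
import struct

# RADIUS dynamic-authorization codes and Error-Cause attribute (RFC 5176)
COA_REQUEST, COA_ACK, COA_NAK, ERROR_CAUSE = 43, 44, 45, 101

def parse_radius(payload):
    """Return (code, identifier, {attr_type: value}) for one RADIUS packet."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs[a_type] = payload[pos + 2:pos + a_len]
        pos += a_len
    return code, ident, attrs

def coa_outcomes(packets):
    """packets: (src, dst, udp_payload) tuples in capture order.
    Returns (requester, responder, identifier, outcome) per CoA-Request."""
    pending, results = {}, []
    for src, dst, payload in packets:
        code, ident, attrs = parse_radius(payload)
        if code == COA_REQUEST:
            pending[(src, dst, ident)] = len(results)
            results.append([src, dst, ident, "NO RESPONSE"])
        elif code in (COA_ACK, COA_NAK):
            idx = pending.pop((dst, src, ident), None)  # reply reverses direction
            if idx is None:
                continue  # response without a captured request
            cause = attrs.get(ERROR_CAUSE, b"")
            detail = f" error-cause={struct.unpack('!I', cause)[0]}" if len(cause) == 4 else ""
            results[idx][3] = "ACK" if code == COA_ACK else "NAK" + detail
    return [tuple(r) for r in results]

def _pkt(code, ident, attrs=b""):
    # Constructed sample packet with a zeroed authenticator (not a real capture)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

SAMPLE = [  # constructed exchange; "ise" and "wlc" are placeholder endpoint labels
    ("ise", "wlc", _pkt(43, 7)), ("wlc", "ise", _pkt(44, 7)),
    ("ise", "wlc", _pkt(43, 8)),
    ("wlc", "ise", _pkt(45, 8, bytes([101, 6]) + struct.pack("!I", 503))),
    ("ise", "wlc", _pkt(43, 9)),  # never answered
]
```

A request left at "NO RESPONSE" or answered with a NAK points the investigation at the WLC side; an ACK for every request means the CoA exchange itself completed.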