ISE Guest User get different vlans

azhar_eaggle1
Level 1

Can 2 groups of Guest users have/get 2 different VLANs on the same SSID?

We will have executive Guest with internal username/password on ISE and want to have VLAN X,

while other Guest with Sponsor Access will get VLAN Y.

Is that possible? If yes, how?

Accepted Solutions

Assuming this is for wireless? If wired, there is already a posting for that.

Recommend looking over the prescriptive guest guide under http://cs.co/ise-guest for more information.

Although it can be done, it’s not recommended for an open network since there is no supplicant to switch networks. The machine wouldn’t know if the user switched VLANs.

If you have guest users with different guest types then they can be authorized differently. These would need to be sponsored guests, otherwise there is no easy way to give them different guest types (separate discussion).

All users connect to guest network on same VLAN.
UserX connects to guest portal and logs in as guest typeX.
Authorization rule redirects to a hotspot portalX and puts device into endpoint group X.
Device is disconnected and now authorized by endpoint groupX with different VLAN assignment.

Instead of doing reassignment on endpoint groups you could set a low DHCP timer on your initial VLAN and not use endpoint groups.
But this is a clunky mechanism. After user logs in there might be delay where they don’t have access for a time. Initial login, 30 seconds later DHCP timer after they log in, switching VLAN.

Another way to do this is to have users use dot1x so supplicant takes care of VLAN changes.

Recommendation is to use segmentation with SGTs; more info in guest guide.

4 Replies

Yes, this is for wireless, on one SSID. We have different guest groups and want to assign them different VLANs.

Ok my guidance stands
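
A small model of the flow in the accepted answer, added here as an illustration and not code from the thread or from Cisco: it shows that the VLAN is chosen per MAC at authorization time from the endpoint group, and why the device has to be disconnected rather than re-authorized in place on an open SSID. The group names, guest types and VLAN IDs are hypothetical; the tunnel attributes are the standard RADIUS ones for VLAN assignment.

```python
# Constructed model of the flow in the accepted answer; not ISE configuration.
# Group names, guest types and VLAN IDs below are hypothetical.
INITIAL_VLAN = 100  # shared VLAN every device lands in before login
GUEST_TYPE_TO_GROUP = {"Executive": "Guest-Exec-Endpoints",
                       "Sponsored": "Guest-Sponsored-Endpoints"}
GROUP_TO_VLAN = {"Guest-Exec-Endpoints": 110,       # "Vlan X" in the question
                 "Guest-Sponsored-Endpoints": 120}  # "Vlan Y" in the question
endpoint_groups = {}  # MAC -> endpoint identity group (stand-in for the endpoint database)

def authorize(mac):
    """Policy evaluated at each (re)authorization of a MAC address."""
    vlan = GROUP_TO_VLAN.get(endpoint_groups.get(mac), INITIAL_VLAN)
    return {"redirect": vlan == INITIAL_VLAN,  # unknown device: send to guest portal
            # Standard RADIUS attributes for dynamic VLAN assignment (RFC 3580).
            "Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan)}

class Client:
    """Open-SSID client: no supplicant, so it only runs DHCP when it (re)associates."""
    def __init__(self, mac):
        self.mac, self.vlan, self.lease_vlan = mac, None, None

    def associate(self):
        self.vlan = int(authorize(self.mac)["Tunnel-Private-Group-ID"])
        self.lease_vlan = self.vlan  # fresh DHCP lease from the VLAN it joined

    def reauth_in_place(self):
        self.vlan = int(authorize(self.mac)["Tunnel-Private-Group-ID"])
        # lease_vlan untouched: the client was never told the network changed

    def has_connectivity(self):
        return self.vlan == self.lease_vlan

def portal_login(client, guest_type):
    """Guest login registers the MAC in the group mapped to its guest type."""
    endpoint_groups[client.mac] = GUEST_TYPE_TO_GROUP[guest_type]

def run(mac, guest_type, disconnect):
    """Return (vlan, has_connectivity) after login, with or without a disconnect."""
    c = Client(mac)
    c.associate()
    portal_login(c, guest_type)
    if disconnect:
        c.associate()
    else:
        c.reauth_in_place()
    return c.vlan, c.has_connectivity()

if __name__ == "__main__":
    print(run("aa:bb:cc:00:00:01", "Executive", disconnect=True))
    print(run("aa:bb:cc:00:00:02", "Sponsored", disconnect=False))
```

Without the disconnect the session moves to the new VLAN while the client still holds an address leased on the initial VLAN, which is the gap the low-DHCP-timer workaround tries to cover.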