ISE no Automatic CoA

jtimmer1
Level 1

Hello all,

I'm working on a guest portal, and it almost works.

However, when a guest is redirected to our portal and they make their own account, after the release/renew of the IP address nothing happens.

When I shut the port manually and give it a no shut, the client gets another VLAN and works fine.

I've checked a few things with Wireshark, and I cannot see any RADIUS traffic to the laptop.

Please see my ISE/RADIUS config below:

 

aaa new-model
!
!
aaa group server radius ISE
 server name ISE
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
aaa server radius dynamic-author
 client 10.23.14.12 server-key 023535492A112C19597D33185D1C27290F103E330E0F1D2536
!
aaa session-id common
!
ip dhcp snooping vlan 219,319
ip domain-name intra.local
vtp mode transparent
!
dot1x system-auth-control
dot1x critical eapol
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 319
 ip access-group permitany in
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 319
 ip access-group permitany in
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
!
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
!
ip ssh source-interface Vlan113
ip ssh version 2
!
ip access-list extended REDIRECT
 deny udp any any eq domain
 deny udp any eq bootpc any eq bootps
 deny tcp any host 10.23.14.12 eq 8443
 deny tcp any host 10.23.14.12 eq 8905
 deny udp any host 10.23.14.12 eq 8905
 deny tcp any host 10.23.14.12 eq 8909
 deny udp any host 10.23.14.12 eq 8909
 deny ip any host 10.23.10.10
 deny ip any host 10.23.10.11
 deny ip any host 10.23.10.12
 deny ip any host 10.23.14.12
 permit ip any any
ip access-list extended REDIRECT-GUEST
 deny ip any host 10.23.14.12
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended permitany
 permit ip any any
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server ISE
 address ipv4 10.23.14.12 auth-port 1812 acct-port 1813
 key 7 0210355A2F2727127A1B3C29043B17092A33120031391D3024
!
no vstack
!
line con 0
line vty 5 15
!
!
end

 

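The question turns on whether a Change of Authorization (CoA) ever reaches the switch after the guest registers. The script below is an added example, not code from the original post, from Cisco or from ISE: it builds and parses an RFC 5176 CoA-Request, recomputes the Request Authenticator with the shared secret (a NAD silently discards a CoA whose authenticator does not verify, which from the outside looks exactly like "nothing happens"), and audits a constructed capture for a CoA sent from the ISE address in the config above (10.23.14.12) to the switch on the IOS default dynamic-author port, UDP 1700. The switch address, the shared secret, the session identifiers, the avpair text and the capture itself are all constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes used for Change of Authorization (RFC 5176)
CODE_NAMES = {
    40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
    43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK",
}
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor-type of cisco-avpair
IOS_DEFAULT_COA_PORT = 1700  # "aaa server radius dynamic-author" default on IOS


def cisco_avpair(text):
    """Wrap a cisco-avpair string as a Vendor-Specific (26) attribute value."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub


def build_coa_request(identifier, secret, attrs):
    """Build a CoA-Request. Request Authenticator (RFC 5176 2.3) =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 43, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_radius(data):
    """Decode the RADIUS header and attribute TLVs; Cisco AVPairs are unwrapped."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        v = data[pos + 2:pos + l]
        if (t == ATTR_VENDOR_SPECIFIC and len(v) >= 6
                and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID):
            sub_len = v[5]
            attrs.append(("cisco-avpair", v[6:4 + sub_len].decode(errors="replace")))
        else:
            attrs.append((t, v))
        pos += l
    return {"code": code, "name": CODE_NAMES.get(code, f"code-{code}"),
            "id": ident, "authenticator": data[4:20], "attrs": attrs}


def verify_request_authenticator(data, secret):
    """True if the CoA/Disconnect-Request was signed with this shared secret."""
    expected = hashlib.md5(data[:4] + bytes(16) + data[20:] + secret).digest()
    return hmac.compare_digest(expected, data[4:20])


def audit_capture(flows, ise_ip, switch_ip, secret, coa_port=IOS_DEFAULT_COA_PORT):
    """flows: constructed (src_ip, dst_ip, dst_port, udp_payload) records.
    Counts CoA/Disconnect requests that actually target the switch's CoA
    listener, how many verify against the secret, and which commands they carry."""
    report = {"coa_requests": 0, "authenticated": 0, "responses": 0,
              "misdirected": 0, "commands": []}
    for src, dst, dport, payload in flows:
        try:
            pkt = parse_radius(payload)
        except (ValueError, struct.error):
            continue  # not a RADIUS datagram
        if pkt["code"] in (40, 43):
            if src == ise_ip and dst == switch_ip and dport == coa_port:
                report["coa_requests"] += 1
                if verify_request_authenticator(payload, secret):
                    report["authenticated"] += 1
                report["commands"] += [v for k, v in pkt["attrs"] if k == "cisco-avpair"]
            else:
                report["misdirected"] += 1  # wrong host or port: switch never sees it
        elif pkt["code"] in (41, 42, 44, 45):
            report["responses"] += 1
    return report


# Constructed values: the secret and the switch address are not from the post.
SECRET = b"constructed-shared-secret"
ISE_IP, SWITCH_IP = "10.23.14.12", "10.23.113.1"

SAMPLE_COA = build_coa_request(7, SECRET, [
    (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (ATTR_ACCT_SESSION_ID, b"0000001A"),
    cisco_avpair("subscriber:command=reauthenticate"),
])

# Constructed capture: one CoA to the IOS port, one to the RFC default port 3799,
# where an IOS switch with the config above is not listening.
SAMPLE_FLOWS = [
    (ISE_IP, SWITCH_IP, IOS_DEFAULT_COA_PORT, SAMPLE_COA),
    (ISE_IP, SWITCH_IP, 3799, SAMPLE_COA),
]

if __name__ == "__main__":
    print(parse_radius(SAMPLE_COA)["name"], audit_capture(SAMPLE_FLOWS, ISE_IP, SWITCH_IP, SECRET))
```

The CoA is exchanged between ISE and the switch, never with the endpoint, so a capture taken on the guest laptop cannot show it; capture on the switch's uplink toward ISE, or run `debug radius` on the switch, and then check three things the audit mirrors: the request is addressed to the switch, it arrives on the port the dynamic-author listener uses, and its authenticator verifies against the configured server-key.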
Accepted Solution

Jason Kunst
Cisco Employee
This was just answered on the community in the last week or two. VLAN change for guest brings up a lot of issues. There is no supplicant or mechanism to change the IP address. It's not recommended. Would recommend if you need to segment users then use software-defined segmentation with SGT instead of VLAN change.
https://community.cisco.com/t5/identity-services-engine-ise/wired-guest-vlan-change-release-renew-issue/td-p/3687463

Follow the guest deployment guide to check best practice
https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475
