ISE Wired Guest VLAN Assignment

de1denta
Level 3

Hi All,
I'm looking for some advice on the best method to assign VLAN IDs for wired corporate devices and wired guest devices. As far as I can see, I have two options:
1) Assign the guest VLAN as the native VLAN on all access switchports and let ISE assign the corporate VLAN following successful dot1x authentication. Guest users (using MAB and CWA) will be placed on the native guest VLAN. 
2) Assign the corporate VLAN as the native VLAN on all access switchports and let ISE send just an access-accept following successful dot1x authentication. ISE will assign the guest VLAN to guest users (again using MAB/CWA).
I can't really see any pros/cons to either of the options. The plan is to also place users on the guest VLAN if ISE is down using the 'authentication event server dead action authorize vlan' command, but I don't think this impacts the above?

Thanks all

4 Replies

Hi,

If the guest user authenticates with CWA, they've been assigned an IP address from the native VLAN anyway, in order to access the CWA webpage. So it may be easier to leave them in the native VLAN. This post covers your scenario, and describes how to force the client machine to renew its IP address if you've changed its VLAN.

It depends on your scenario, but creating additional guest VLANs and managing the additional DHCP pools may or may not be an administrative overhead you don't want. You could just send down a DACL to the guest users, although they would be on the same VLAN as corp users. Depending on your switch hardware, you could use TrustSec, assign a different tag and enforce traffic between corp users and guests in the same VLAN.

Also, you should keep in mind that any VLAN change that forces the client to renew its IP can only be accomplished in blocking mode, or with a pre-auth ACL blocking the DHCP response from the server and a macro/EEM script to remove it after authorization. It also introduces delay, and some users may not like the experience.

I would agree that DACL or TrustSec without a VLAN change may be a more flexible approach.
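The two port designs from the question and the DACL alternative suggested in the replies, as an added configuration example that is not part of the original thread or of Cisco's documentation. Everything concrete here is assumed for illustration: VLAN 10 as the corporate VLAN, VLAN 30 as guest, VLAN 20 as voice, interface Gi1/0/1, an ISE PSN at 10.1.1.5, the ACL name ACL-WEBAUTH-REDIRECT and the 10.0.0.0/8 corporate range in the DACL. The commands are the legacy IOS "authentication ..." style; IBNS 2.0 policy-map syntax differs.

```text
! Added example, not from the thread. Assumed: VLAN 10 = corporate, VLAN 30 = guest,
! VLAN 20 = voice, interface Gi1/0/1, ISE PSN 10.1.1.5.

! --- Option 2 from the question: corporate VLAN is the port's static VLAN ---
! ISE returns a bare Access-Accept for corporate dot1x users and pushes VLAN 30
! (plus the CWA redirect) for MAB/CWA guests. If no ISE server answers, the port
! falls back to the guest VLAN, as the question proposes.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication event server dead action authorize vlan 30
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

! Option 1 from the question is the same port with the two VLANs swapped
! ("switchport access vlan 30") and the corporate authorization profile on ISE
! carrying VLAN 10 instead of a bare Access-Accept.

! Monitor mode (last reply): add "authentication open" under the interface. The
! switch then forwards traffic on the static VLAN whatever ISE answers, which is
! only harmless if that static VLAN is the corporate one (option 2), not guest.

! Redirect ACL referenced by ISE's CWA authorization profile. "deny" = do not
! redirect (DNS and traffic to ISE itself), "permit" = redirect to the portal.
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq domain
 deny   ip  any host 10.1.1.5
 permit tcp any any eq www
 permit tcp any any eq 443

! --- RADIUS attributes an ISE authorization profile sends for a VLAN change ---
! Standard IETF tunnel attributes; IOS accepts either the VLAN ID or the VLAN name.
Tunnel-Type             = VLAN (13)
Tunnel-Medium-Type      = 802 (6)
Tunnel-Private-Group-ID = 30
! For the CWA profile ISE also sends, via cisco-av-pair:
!   url-redirect-acl=ACL-WEBAUTH-REDIRECT
!   url-redirect=<portal URL generated by the profile's Web Redirection setting>

! --- DACL alternative (first two replies): everyone stays on VLAN 10 and ISE
! pushes a downloadable ACL to guests instead of a VLAN. Assumed DACL body on ISE:
!   deny   ip any 10.0.0.0 0.255.255.255
!   permit ip any any
! The switch needs device tracking so it can replace the "any" source with the
! client's IP when it applies the DACL to the session:
ip device tracking
```

Two practitioner checks on this design. First, on a multi-auth port the first authorized data host's VLAN applies to the whole port, so a port that hosts both a corporate PC and a guest device behind a hub or unmanaged switch cannot carry both VLAN 10 and VLAN 30 at once; the DACL approach sidesteps that, since the ACL is per session. Second, the server-dead fallback above only triggers once every RADIUS server is marked dead by the "radius-server dead-criteria" / "deadtime" settings; test that path deliberately rather than assuming the timers fire, and confirm that "server alive action reinitialize" re-authenticates the fallback sessions when ISE returns.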

Thanks for the suggestions all. I will look further into this and post again if I have any further queries.

Not sure what you ended up choosing.

I have also come across this specific question myself.

Apart from what the other guys mentioned, I also found that if your native VLAN is the Guest VLAN, then you may not be able to properly implement the "Monitor Mode". 

In monitor mode, the idea is that, even if ISE replies with an Access-Reject, the switch will still maintain the original data and voice VLANs for the attached device(s). So you can troubleshoot (looking at the ISE logs) potential issues that could have occurred if you were in closed/low-impact mode, but with the peace of mind that you are not actually causing issues for your staff during this phase. And you don't really care much about guests in this setup.

But if your native VLAN is the guest VLAN, that means during "monitor" mode you are sort of giving more significance to the guest users (because in this case they will be getting the special access as per the port config), and you are "hoping" that ISE is already configured properly to perform the relevant VLAN changes, and also that staff PCs are configured with 802.1X correctly.

Not sure if this makes sense :)