Reason for Guest Portal not accommodating CoA port bounce

umahar
Cisco Employee

Hi experts,

We have yet again run into a similar situation where customer wants to implement Change of VLAN for Wired guest but is limited by DHCP IP refresh.

We did showcase the method of using macros described here: Solution for Change of VLAN for wired Guests using Smart Port Macros

The customer is looking for an answer as to why ISE cannot give an option of sending CoA port bounce for guest portal as it gives this option for profiling policies?

Is there a limitation or is this a feature enhancement for later ISE version ?

We are running ISE 2.1.

Thanks in advance

1 Accepted Solution


Jason Kunst
Cisco Employee

The options you listed are the supported options as of now. Please reach out to the ISE product management team for discussion on feature requests

Would recommend guests use 1 network and everyone else use dot1x to handle other VLANs. Or separate ports for conference rooms or guests


4 Replies


Hi Jason,

On which ISE version/patch is CoA port bounce supported for guest?

The customer wants to use the same port in conference for corporate users and wired guests.

Corporate Users land on default corporate vlan and guest users land on guest vlan after self registration.

There is no way to cause a port bounce on credentialed guest portals. It's reauth. As I stated, please reach out to product management for feature request.

You can set a port bounce on hotspot (this all depends on switch support as well). Perhaps you can do something fancy with that?

If mab and guestendpoint permit guest access

If mab and guestflow and guest type redirect to hotspot and register as guestendpoint (perhaps special group)

If mab and guestflow and employee permit access to employees

If mab then redirect to guest portal

Guest comes into network

Redirected and Logs into guest portal

Redirected to hotspot portal, accepts and gets port bounce

Permitted access

Guest flow is broken by port bounce for Cisco NADs, and the reason is that a terminate/port bounce clears the session and CWA is based on retention of session ID to take previous CWA username and apply new authz policy. As Jason pointed out, any flow involving device registration (including Hotspot) can terminate session as it will perform reauth on endpoint ID group, not CWA username.

There are workarounds, but they involve treating Cisco switch like a 3rd-party NAD.
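The two points made in this thread, Jason's rule ordering (MAB and GuestEndpoint, then GuestFlow and guest type, then GuestFlow and employee, then plain MAB) and the last reply's explanation that a port bounce destroys the session that carries the CWA username while a reauth keeps it, can be checked with a small model. The following is an added example written for this thread, not Cisco's code and not ISE's real policy engine; the rule names, usernames, MAC address and session IDs are constructed, and the "GuestEndpoints" group is modelled as a plain set. It shows why a bounce straight after the credentialed portal login loops the guest back to the portal, and why registering the endpoint via Hotspot first lets the bounce succeed.

```python
"""Toy model of the wired-guest CWA flow discussed in this thread.

Added example, not Cisco or ISE code. It models a NAD session keyed by a
session ID, two CoA actions ('reauth' keeps the session, 'port_bounce'
terminates it), and the four MAB authorization rules in the order Jason
listed. All identities, names and values below are constructed.
"""
import itertools
from dataclasses import dataclass
from typing import Optional

# Constructed identity stores standing in for ISE identity groups.
EMPLOYEES = {"alice"}
GUEST_USERS = {"guest1234"}
GUEST_ENDPOINTS = set()   # models the GuestEndpoints endpoint identity group


@dataclass
class Session:
    session_id: str
    mac: str
    cwa_username: Optional[str] = None   # set by CWA login; tied to the session ID
    result: Optional[str] = None         # last authorization result


def authorize(s: Session) -> str:
    """Top-down evaluation of the four MAB rules (result names constructed)."""
    if s.mac in GUEST_ENDPOINTS:             # MAB and GuestEndpoint
        return "PermitGuestAccess"
    if s.cwa_username in GUEST_USERS:        # MAB and GuestFlow and guest type
        return "RedirectToHotspot"
    if s.cwa_username in EMPLOYEES:          # MAB and GuestFlow and employee
        return "PermitEmployeeAccess"
    return "RedirectToGuestPortal"           # MAB (catch-all)


class NAD:
    """Minimal switch model: sessions keyed by session ID, two CoA actions."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.sessions = {}

    def connect(self, mac: str) -> Session:
        s = Session(session_id=f"sess-{next(self._ids)}", mac=mac)
        s.result = authorize(s)
        self.sessions[s.session_id] = s
        return s

    def coa(self, session_id: str, action: str) -> Session:
        s = self.sessions[session_id]
        if action == "reauth":
            # Session retained, so the CWA username is still attached
            # and the new authz rule can be applied.
            s.result = authorize(s)
            return s
        if action == "port_bounce":
            # Terminate: the session and its CWA username are gone;
            # the endpoint comes back with a fresh session and plain MAB.
            del self.sessions[session_id]
            return self.connect(s.mac)
        raise ValueError(f"unknown CoA action {action!r}")


MAC = "00:11:22:33:44:55"   # constructed guest MAC


def flow_credentialed_then_bounce() -> list:
    """Port bounce right after credentialed portal login: the flow loops."""
    GUEST_ENDPOINTS.clear()
    nad = NAD()
    s = nad.connect(MAC)
    steps = [s.result]                         # RedirectToGuestPortal
    s.cwa_username = "guest1234"               # guest logs in to the CWA portal
    s = nad.coa(s.session_id, "port_bounce")   # session terminated, username lost
    steps.append(s.result)                     # RedirectToGuestPortal again
    return steps


def flow_credentialed_then_hotspot() -> list:
    """Jason's idea: reauth into Hotspot, register the endpoint, then bounce."""
    GUEST_ENDPOINTS.clear()
    nad = NAD()
    s = nad.connect(MAC)
    steps = [s.result]                         # RedirectToGuestPortal
    s.cwa_username = "guest1234"
    s = nad.coa(s.session_id, "reauth")        # session kept, rule 2 matches
    steps.append(s.result)                     # RedirectToHotspot
    GUEST_ENDPOINTS.add(s.mac)                 # AUP accepted, endpoint registered
    s = nad.coa(s.session_id, "port_bounce")   # bounce clears session, MAC survives
    steps.append(s.result)                     # PermitGuestAccess (rule 1 by MAC)
    return steps


def flow_employee_reauth() -> list:
    """Employee on the same port: CWA login plus reauth reaches rule 3."""
    GUEST_ENDPOINTS.clear()
    nad = NAD()
    s = nad.connect(MAC)
    steps = [s.result]
    s.cwa_username = "alice"
    s = nad.coa(s.session_id, "reauth")
    steps.append(s.result)                     # PermitEmployeeAccess
    return steps


if __name__ == "__main__":
    print(flow_credentialed_then_bounce())
    print(flow_credentialed_then_hotspot())
    print(flow_employee_reauth())
```

The model deliberately keys the "GuestFlow" condition on the session object rather than the MAC: that is the property the last reply describes, and it is why the only rule that survives a port bounce is the one keyed on the endpoint identity group.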