Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1477
Views
0
Helpful
4
Replies

Wired Guest VLAN Change Release/Renew Issue

Go to solution
CONNECT-PS Technical
Level 1
Level 1

‎08-13-2018 01:17 PM

i have installed sponsor guest portal and i applied it for wired user and i want to change vlan after guest registration as i added new vlan in authorization profile and new vlan applied well under interface but guest still keeping old ip address and i have to release it manually from machine and renew manually so he can get new ip address

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to RichardAtkin

‎08-13-2018 02:30 PM

Correct it’s not recommended to change vlan. Instead use SGT and base access off of tagging

Here is another solution

https://community.cisco.com/t5/identity-services-engine-ise/solution-for-change-of-vlan-for-wired-guests-using-smart-port/td-p/3432614

View solution in original post

0 Helpful
4 Replies 4

Go to solution
RichardAtkin
Level 3
Level 3

‎08-13-2018 01:41 PM

You need to make it bounce the port, otherwise the Client will never know there has been a VLAN change so it will never know it needs to request a new DHCP lease.

 

Personally I prefer to keep Guest stuff as a single VLAN - VLAN changes are often problematic (ie, when a guest connects in the back of a PoE phone, do a port bounce and you kill the phone)

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to RichardAtkin

‎08-13-2018 02:30 PM

Correct it’s not recommended to change vlan. Instead use SGT and base access off of tagging

Here is another solution

https://community.cisco.com/t5/identity-services-engine-ise/solution-for-change-of-vlan-for-wired-guests-using-smart-port/td-p/3432614
0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Jason Kunst

‎08-13-2018 03:06 PM

I have developed a solution similar to the one Jason posted in my lab and it worked perfectly with Auto SmartPorts, but did not work at the customer.  My theory was that my lab switch is a single switch that processed the shut/no shut quick enough so the macro didn't remove itself.  Smart Port macros trigger when a link state changes on the port. 

 

In my customer they had 5-6 switches in a stack and my theory was there was enough of a delay between shut/no shut that Smart Ports caught the link change and removed itself.

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎08-13-2018 02:09 PM

A couple quick notes on this.

If you are trying to use ISE 2.4 to perform this guest vlan change then you may run in to issues. I found that as soon as you check "Enable VLAN DHCP release" with wired guest portal the guest flow no longer works as it should. It is documented in https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj73152
You can authenticate a second time and get access.

Second item, the dhcp release/renew function with ISE leverages java. The only browser this works in anymore is internet explorer. It's essentially a dead feature in my mind, most people I know use chrome, safari or firefox.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents