Dynamic VLAN assignment in low-impact mode ISE1.2

Josh Morris
Level 3

Is anyone doing extensive dynamic VLAN assignment with low-impact mode? If so, how are you getting around the issue of having a client get an IP address on the switchport configured VLAN then not releasing that address once the VLAN changes? I didn't know a way around this other than configuring closed mode...but closed mode is causing me a lot of client issues.

1 Reply

jordanburnett
Level 4

I believe that it is the supplicant's responsibility to determine when there has been a VLAN change on the port and refresh the IP address at that point. This should happen with standard CoA regardless of Open or Closed mode.

Are you experiencing the issue with certain clients/supplicants or supplicantless devices? If so, there are ways to fix that below. 

** Note that I do not believe this works with multiple authentication sessions on a single port--you will have to use re-auth in that case.

Cisco ISE Active RADIUS Sessions

Cisco ISE provides a dynamic Change of Authorization (CoA) feature for the Live Sessions that allows you to dynamically control active RADIUS sessions. You can send reauthenticate or disconnect requests to a Network Access Device (NAD) to perform the following tasks:

• Force endpoints to reacquire IP addresses—You can use the Session termination with port bounce option for endpoints that do not have a supplicant or client to generate a DHCP request after a VLAN change.

Understanding RADIUS Change of Authorization

With Cisco IOS Release 12.2(33)SXI4 and later releases, the switch can accept and execute unsolicited Change of Authorization (CoA) messages from the authentication server (AS). CoA is an extension to the RADIUS protocol that allows the AS to make dynamic and unsolicited changes to the authorization information of an active session hosted by a network access device, such as a switch. For more information about CoA, see RFC 5176.

The Catalyst 6500 series switch supports per-session and per-policy CoA commands relating to 802.1X, MAB, and web-based authentication sessions.

Per-Session CoA

Using per-session CoA commands, the AS can cause the switch to terminate a session or to force a reauthentication of the session. To terminate a session, the AS can instruct the switch to perform one of the following actions:

• End the session—The AS sends a CoA Disconnect-Request (see RFC 5176), causing the switch to delete all state information about the session.

• Shut down the port—The AS sends the following VSA to force an administrative shutdown of the port:

Cisco-AVPair="subscriber:command=disable-host-port"

• Bounce the port—The AS sends the following VSA to force the switch link to be taken down, then up again:

Cisco-AVPair="subscriber:command=bounce-host-port"

By default, the switch accepts and executes per-session CoA commands, but you can configure the switch to ignore CoA shutdown or bounce commands directed at specific ports.

The AS sends the following VSA to force a reauthentication of the session:

Cisco-AVPair="subscriber:command=re-authenticate"
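As an added example (not from the reply above or from Cisco's documentation), the following shows how a CoA-Request carrying the bounce-host-port Cisco-AVPair is laid out on the wire per RFC 5176, and how the NAD recomputes the Request Authenticator so that only a server holding the shared secret can make it bounce a port. The shared secret, MAC address and Acct-Session-Id are constructed sample values, and identifying the session by Calling-Station-Id plus Acct-Session-Id is an assumption.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43             # RADIUS Code for CoA-Request (RFC 5176)
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1             # vendor type of Cisco-AVPair inside the VSA


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value; Length counts the 2 header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute (type 26, vendor id 9)."""
    payload = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_coa_request(identifier, secret, mac, acct_session_id, command):
    """Build a CoA-Request that identifies a session and asks for subscriber:command=<command>."""
    attrs = (attr(ATTR_CALLING_STATION_ID, mac.encode())
             + attr(ATTR_ACCT_SESSION_ID, acct_session_id.encode())
             + cisco_avpair(f"subscriber:command={command}"))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 section 2.3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Shared Secret)
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet, secret):
    """What the NAD does on receipt: recompute the authenticator and drop the packet on mismatch."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample values; a real deployment takes these from the live session table.
    pkt = build_coa_request(7, b"example-secret", "00-11-22-33-44-55",
                            "0A0000010000001234", "bounce-host-port")
    print(len(pkt), "bytes; authentic:", verify_coa_request(pkt, b"example-secret"))
```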