ip admission and vlan-ID

computerone1
Level 1

Hi!

I'm a newcomer to ip admission/webauth, and ran into an issue with the following web-auth/RADIUS/VLAN-ID scenario:

1) the user port is in VLAN x

2) the user gets an IP address using DHCP

3) the user performs web-auth over RADIUS

4) the user is placed in VLAN y, as per the RADIUS ACCESS-ACCEPT packet instructions

Two problems arise:

a) The user needs to manually perform a DHCP release/renew, so as to get its IP address in the new y VLAN/subnet

b) Even with a good IP, the http auth-proxy seems to get confused. A clear ip admission cache/re-auth seems necessary for TCP80 to get functioning.

Is the only functioning scenario with webauth when the user is by default placed in a guest VLAN (with no further RADIUS VLAN ID change)? Can webauth be used with RADIUS VLAN ID?

Thanks for any input!!

Accepted Solution

howon
Cisco Employee

Yes, what you noted is correct. If using closed mode, you can assign guest VLAN pre & post guest authentication, which I noted here: https://community.cisco.com/t5/security-documents/advanced-ise-tips-to-make-your-deployment-easier/ta-p/3850189#toc-hId--1701731432


2 Replies

Arne Bier
VIP

Hi there

I think this question has come up a few times in the past. In general it's easy to set the VLAN to whatever you like and as often as you like, but of course the poor client is the one that might get confused as a result of that. I also believe that as a general rule one tries to avoid changing VLANs once the client has obtained an IP address. The access is controlled via ACLs which can be applied as needed (and these ACLs take effect as soon as the NAD receives them).

There may be other ways of doing it - but chances are there is one client that doesn't play ball and breaks the whole design. If it's a wired deployment then strictly speaking a link down event should signal to the attached OS to perform DHCP again when the link comes up. So theoretically this should work. In the wireless world there is no link down/up event to the OS.
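For readers who want to see what the two approaches in this thread actually look like on the wire, here is an added example (editor's code, not from the original poster, the repliers, or Cisco). It encodes and parses the attribute set a RADIUS Access-Accept carries for a VLAN assignment (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID, per RFC 2868/RFC 3580), and the Cisco-AVPair vendor-specific attribute (vendor 9, vendor-type 1) used to push an ACL instead, which is the ACL-based alternative Arne describes. The parser only reports a VLAN when all three tunnel attributes are present, carry the same tag, and have the VLAN/802 values, which is the check a NAD makes before moving the port. VLAN 20 and the `permit ip any any` ACE are constructed sample values; the attribute numbers and the `ip:inacl#n=` form are real.

```python
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 2868) and the values RFC 3580 uses for VLANs
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
CISCO_VENDOR_ID = 9      # Cisco's IANA enterprise number
CISCO_AVPAIR = 1         # vendor-type of Cisco-AVPair inside the VSA


def _attr(attr_type, value):
    """Build one RADIUS attribute: Type(1) Length(1) Value(Length-2)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag, integer):
    """Tag(1) + 3-byte integer: the RFC 2868 layout for Tunnel-Type / Tunnel-Medium-Type."""
    return bytes([tag]) + integer.to_bytes(3, "big")


def encode_vlan_assignment(vlan, tag=1):
    """The three attributes that tell a NAD to put the port/session in `vlan` (sample value)."""
    return (_attr(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
            + _attr(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))


def encode_cisco_avpair(text):
    """Wrap one Cisco-AVPair string (e.g. a dACL line) in a Vendor-Specific attribute."""
    value = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(value) + 2) + value
    return _attr(VENDOR_SPECIFIC, vsa)


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs; reject malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def _split_tag(value):
    """RFC 2868: a first byte above 0x1F is not a tag but part of the string (tag 0 then)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def extract_vlan(attrs):
    """Return the assigned VLAN string, or None unless all three attributes agree on one tag."""
    by_tag = {}
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, rest = _split_tag(value)
            by_tag.setdefault(tag, {})[attr_type] = rest.decode(errors="replace")
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None


def extract_cisco_avpairs(attrs):
    """Return every Cisco-AVPair string found in Vendor-Specific attributes (vendor 9)."""
    pairs = []
    for attr_type, value in attrs:
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if int.from_bytes(value[:4], "big") != CISCO_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == CISCO_AVPAIR:
                pairs.append(value[pos + 2:pos + vlen].decode(errors="replace"))
            pos += vlen
    return pairs


if __name__ == "__main__":
    # Constructed Access-Accept payload: VLAN 20 plus one dACL line, as the NAD would see it.
    accept = encode_vlan_assignment(20) + encode_cisco_avpair("ip:inacl#1=permit ip any any")
    attrs = parse_attributes(accept)
    print("VLAN:", extract_vlan(attrs))              # VLAN: 20
    print("AVPairs:", extract_cisco_avpairs(attrs))  # AVPairs: ['ip:inacl#1=permit ip any any']
```

The practical reading of the thread is visible in the two encoders: a reply that carries only the Cisco-AVPair lines changes what the existing IP address is allowed to reach without touching the VLAN, so the client keeps its lease and the auth-proxy state stays valid; a reply that carries the three tunnel attributes moves the port, and the client is left to notice on its own.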

