In this document, Cisco TAC engineer "Debashree Jena" explains an issue seen with Central Web Authentication (CWA) in an ISE setup where a single VLAN is used both pre-CoA and post-CoA.
Whenever CWA is configured with ISE on a WLC, there are two scenarios:
1. Different VLANs used pre-CoA and post-CoA
2. Same VLAN used
Certain client types, such as Windows 7 and Mac OS devices, get stuck in DHCP_REQ post-CoA.
Cause / Problem Description
When the WLC gets a CoA (Change of Authorization) RADIUS message from ISE, the WLC will send a Deauth to the client, and move the client to DHCP_REQ state. Unless "DHCP Required" is disabled on the WLAN, this means that the client will then be disconnected, unless it performs a new DHCP request.
Unfortunately, some clients (Mac OS X and Windows 7) are sometimes seen not to re-DHCP after the Deauth. Such clients then fail to regain network connectivity at CoA and are disconnected by the WLC after the DHCP timeout.
This issue happens only when a single VLAN is used.
Conditions / Environment
Specifically clients running Windows 7 and Mac OS.
We can enable an optimization: do not Deauth the client, and do not move it to DHCP_REQ. Just allow it to keep using the same 802.11 association and DHCP lease as it had been. (In the case where the client is switching VLANs at CoA, there is a good reason to send it a deauth - in order [hopefully] to trigger it to re-DHCP - but there is no point in performing the Deauth/re-DHCP when the client is not switching VLANs ... it can just keep using the same DHCP address.)
When the Cisco WLC gets a CoA (Change of Authorization) RADIUS message, for example from ISE, the Cisco WLC sends a deauthentication to the client and moves the client to DHCP_REQ state. Unless "DHCP Required" is disabled on the WLAN, this means that the client will then be disconnected unless it performs a new DHCP request. With "debug client" in effect on the Cisco WLC, the following message will be seen:
DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
Cisco WLC is using CoA from RADIUS and has DHCP Required on the WLAN. Client is one that does not reliably re-DHCP upon 802.11 deauthentication; some Windows 7 and Mac OS X systems have been seen to have this problem.
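To triage which clients are hitting this after a CoA, the debug message quoted above can be counted per client and split into "never re-DHCPed" (request count 0) versus "sent requests but still timed out". This is an added example, not code from the original document or from Cisco; the line prefix and MAC addresses in the sample are constructed, and it assumes each "debug client" line carries the client MAC in colon-separated form.

```python
import re
from collections import defaultdict

# Message text as quoted in this document; the request count is captured.
TIMEOUT_RE = re.compile(
    r"DHCP_REQD \(7\) DHCP Policy timeout\. Number of DHCP request (\d+) from client"
)
# Assumption: the client MAC appears somewhere on the same line as aa:bb:cc:dd:ee:ff.
MAC_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}\b")

# Constructed sample input: the "sample-prefix:" layout and the MACs are made up.
SAMPLE_DEBUG = """\
sample-prefix: aa:bb:cc:00:00:01 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
sample-prefix: aa:bb:cc:00:00:02 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 3 from client
sample-prefix: AA:BB:CC:00:00:01 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
sample-prefix: aa:bb:cc:00:00:03 unrelated constructed debug line
"""


def find_dhcp_timeouts(text):
    """Return {mac: [request_count, ...]} for every DHCP policy timeout line."""
    hits = defaultdict(list)
    for line in text.splitlines():
        timeout = TIMEOUT_RE.search(line)
        if not timeout:
            continue
        mac = MAC_RE.search(line)
        # Lines without a recognisable MAC are still counted, under "unknown".
        key = mac.group(0).lower() if mac else "unknown"
        hits[key].append(int(timeout.group(1)))
    return dict(hits)


def clients_not_redhcping(text):
    """MACs that timed out with zero DHCP requests, the symptom described here.

    A non-zero count means the client did try to re-DHCP, which points to a
    different problem than the missing re-DHCP after deauthentication.
    """
    timeouts = find_dhcp_timeouts(text)
    return sorted(mac for mac, counts in timeouts.items() if 0 in counts)


if __name__ == "__main__":
    for mac in clients_not_redhcping(SAMPLE_DEBUG):
        print(mac, "timed out in DHCP_REQD without sending a DHCP request")
```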
For a single VLAN system (same VLAN before and after CoA), disable DHCP Required. For some client types, you might be able to reconfigure them to make sure that they re-DHCP as needed. For example, on a Windows 7 system, perform the following:
1. In the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces registry path, create a DWORD value named "UseNetworkHint" and set it to "0".
2. Restart the DHCP client service by executing the following commands from an elevated command prompt:
net stop dhcp
net start dhcp
An alternative might be to use two VLANs, one pre-CoA and the other post-CoA. The DHCP leases for the pre-CoA scope might be set with very short lease durations such as 30 seconds. This should trigger a more timely DHCP lease renewal from the client so that it can regain access to the network after the CoA event.