change IP address of wireless guest after CWA with ISE

hisham683
Level 1

We are using centralized controllers with FlexConnect access points. A requirement came from the client that guest users be able to be put on a VLAN that is not routable internally, yet we want them to authenticate against ISE and get an AUP splash page before getting on the guest wireless. We brought up the issue that if the end device cannot reach ISE then we can't get the splash page and therefore no guest access.

The suggestion came that we put the clients on a temporary routable VLAN that can talk to ISE, and then after accepting the policy they can be put on the guest VLAN.

 

After experimenting with this, this is where I'm at:

  • I can put the guest client on a temporary VLAN that can reach ISE and get the splash page.
  • They can accept the policy and get authenticated to the network. But they still keep the IP in the same VLAN. The only way to get on the guest VLAN after that is to manually turn off Wi-Fi and then reconnect.
  • The splash page settings have an option to force the clients to release and renew after they accept, but it requires a Java applet to be downloaded that can script that on the clients. Most browsers do not support Java and I keep getting the error message that Java needs to be turned on in order to proceed.
  • In other threads it was suggested to keep a very short 2 minute lease time on the temporary VLAN so that when they renew they can be on the guest VLAN. However, that didn't seem to work either and they just keep renewing on the same VLAN.

Appreciate any thoughts on this to make it work. We are using ISE 2.7 and 8540 controllers running 8.5.

Thanks!

5 Replies

patoberli
VIP Alumni

That should work. I would set the lease expiration even down to 30 seconds. 

Do you see on the WLC that the client actually gets assigned a new VLAN after accepting the splash page?

Does that virtual interface have the correct IP address and gateway configured for the new VLAN?

Yes, I set the lease time to one minute. It just keeps renewing in the same VLAN.

I don't know if the FlexConnect setup might be messing it up. In the FlexConnect group I have the SSID going to the guest VLAN. But in order to put it in the temporary VLAN for authentication I had to configure AAA override (VLAN ACL mapping in the FlexConnect group, and in the authorization profile with CWA assign it the temp VLAN).

It seems because there are 2 authorization profiles in ISE, one for initial connection and one for the subsequent ones since the MAC address is learned, I have to manually reconnect so it hits the secondary authorization first that puts it in the guest VLAN.

I haven't tested it myself, but it might be possible. At least on the wire you can instruct the ISE to send a new AAA override with the right VLAN once the client is authenticated.
Alternatively simply write on the login page that the user needs to reconnect to get online.

Thank you

I actually just tried this now and that worked. The secondary auth policy was just permit access, and the assumption was it would go to the assigned VLAN in the FlexConnect group.

Instead I created a new profile that assigned the guest VLAN and assigned it to the secondary auth policy. That did the trick.

There is still the caveat that when switching VLANs, the client doesn't renew its IP right away, so setting a short lease time on the holding VLAN (1 minute) is needed in order for the client to get an IP on the new VLAN.

Both guest authorization (CWA and guest access) profiles need AAA override.

Ah perfect. Yeah set the DHCP lease time in the CWA VLAN as short as possible. Luckily this is only needed for the first authentication.
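The thread's conclusion is that both ISE authorization profiles (the CWA redirect profile and the post-portal guest profile) must return a VLAN via AAA override, because a bare PermitAccess in the second Access-Accept leaves the client on the holding VLAN. The following is an added example, not code from the thread or from Cisco, that models the two Access-Accepts as raw RADIUS attribute lists (RFC 2868 Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID plus Cisco cisco-avpair VSAs for the redirect) and checks for exactly that misconfiguration. The VLAN IDs (50 holding, 60 guest), the redirect ACL name and the portal URL are constructed placeholders, not the poster's values.

```python
"""Model the two ISE Access-Accepts from the thread as raw RADIUS attribute
lists and check that BOTH carry a VLAN assignment (added example)."""
import struct

# RADIUS attribute types (RFC 2865/2868/3580) and Cisco VSA numbers
VENDOR_SPECIFIC, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 26, 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
TAG = 0x01  # RFC 2868 tag octet; tag 1 is assumed here

# Constructed VLAN IDs for the example (not the poster's real numbers)
HOLDING_VLAN = 50   # routable, can reach ISE for the CWA portal
GUEST_VLAN = 60     # not routable internally, cannot reach ISE


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS AVP: type, total length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def vlan_attrs(vlan_id: int) -> bytes:
    """The three tagged Tunnel-* attributes an AAA-override VLAN needs."""
    return (attr(TUNNEL_TYPE, bytes([TAG]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([TAG]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + str(vlan_id).encode()))


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping a cisco-avpair (vendor 9, sub-type 1)."""
    body = text.encode()
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(body) + 2]) + body
    return attr(VENDOR_SPECIFIC, vsa)


def parse_attrs(blob: bytes):
    """Walk the TLV list; rejects truncated or zero-length attributes."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        yield atype, blob[i + 2:i + alen]
        i += alen


def _untag(value: bytes) -> bytes:
    # RFC 2868: a leading octet in 0x00-0x1F is a tag, not data
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_accept(blob: bytes):
    """Return the VLAN the WLC would apply under AAA override, or None."""
    ttype = tmedium = group = None
    for atype, value in parse_attrs(blob):
        if atype == TUNNEL_TYPE:
            ttype = int.from_bytes(_untag(value), "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            tmedium = int.from_bytes(_untag(value), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            group = _untag(value).decode()
    if ttype == TUNNEL_TYPE_VLAN and tmedium == TUNNEL_MEDIUM_IEEE_802 and group and group.isdigit():
        return int(group)
    return None


def avpairs(blob: bytes):
    """Extract cisco-avpair strings (url-redirect, url-redirect-acl, ...)."""
    out = []
    for atype, value in parse_attrs(blob):
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vtype == CISCO_AVPAIR:
                out.append(value[6:4 + vlen].decode())
    return out


def check_guest_flow(cwa_accept: bytes, guest_accept: bytes) -> dict:
    """The thread's finding: the post-CWA profile must ALSO return the guest
    VLAN, or the client keeps the holding VLAN from the first Access-Accept."""
    holding, guest = vlan_from_accept(cwa_accept), vlan_from_accept(guest_accept)
    problems = []
    if holding is None:
        problems.append("CWA profile does not place the client on a holding VLAN")
    if not any(p.startswith("url-redirect=") for p in avpairs(cwa_accept)):
        problems.append("CWA profile has no url-redirect cisco-avpair")
    if guest is None:
        problems.append("post-CWA profile is PermitAccess only: client keeps the holding VLAN")
    elif guest == holding:
        problems.append("post-CWA profile returns the holding VLAN, not the guest VLAN")
    return {"holding_vlan": holding, "guest_vlan": guest, "ok": not problems, "problems": problems}


# Constructed Access-Accept bodies (attribute lists only, no RADIUS header)
CWA_PROFILE = (vlan_attrs(HOLDING_VLAN)
               + cisco_avpair("url-redirect-acl=CWA_REDIRECT")  # ACL name is a placeholder
               + cisco_avpair("url-redirect=https://ise.example.net:8443/portal/gateway?action=cwa"))
GUEST_PERMIT_ONLY = b""                    # the original "just permit access" profile
GUEST_WITH_VLAN = vlan_attrs(GUEST_VLAN)   # the profile that "did the trick"

if __name__ == "__main__":
    print(check_guest_flow(CWA_PROFILE, GUEST_PERMIT_ONLY))
    print(check_guest_flow(CWA_PROFILE, GUEST_WITH_VLAN))
```

Running it reports the PermitAccess-only profile as broken and the VLAN-returning profile as fine. The check does not model the DHCP side: as the thread notes, even with a correct second Access-Accept the client keeps its holding-VLAN lease until it renews, so the short lease time on the holding VLAN is still required.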