Flexconnect local switching and local authentication with guest portal on the ISE

aleopoldie
Level 3

Hello,

We would like to adapt an existing guest solution with local switching.

Currently they have a standard guest solution with a guest portal located on an ISE.

Let's assume we have the following:

WLC and ISE are in the central site (let's assume: Site A)
FlexConnect APs on remote sites (let's assume: Site X, Site Y, Site Z)
Site A : Central site

Site X : VLAN 41 / 192.168.41.0/24
Site Y : VLAN 42 / 192.168.42.0/24
Site Z : VLAN 43 / 192.168.43.0/24

The goal would be:

1) The user connects and gets into a common VLAN which is the same on every local site (example: VLAN 40) so that he can communicate with the guest portal on port 8443 and be redirected to that portal. He should get an IP on the subnet 192.168.40.0/24.

2) When the user authenticates himself with a username/password, depending on the user's location, the ISE will push a new VLAN (example: VLAN 41 for Site X / VLAN 42 for Site Y / VLAN 43 for Site Z)

The problem is that the user has to manually make a DHCP release/renew, and we don't want that to happen.

Is it possible? Or how would you do it?

A.

Accepted Solutions

biaacer2
Cisco Employee

I would not do this on a different VLAN; that's why you use the redirect ACL, to block all traffic except DNS and the CWA process with RADIUS.

If you still want to change VLANs and not have to run "ipconfig /renew", try enabling "VLAN DHCP Release".

Here's a picture on how to do this from ISE 2.2 (Work Centers -> Portals and Components -> Choose your Portal {Self, Hotspot or Sponsored} -> VLAN DHCP Release Page Settings -> Mark the checkbox).


3 Replies

aleopoldie
Level 3

Or is it better to use 1 VLAN for the pre-authentication phase and the same VLAN for post-authentication?

Hello Biaacer2,

 

Thanks for your reply. I'll go for 1 VLAN then.

 

BR,

 
