Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Assign IP address to guest users in the switch by ISE

There is a situation that I need assign ip address to guest users in the switch by ISE. Is this possible? If yes, How Can I do this?

Thanks.

9 REPLIES
Silver

Assign IP address to guest users in the switch by ISE

Why?

New Member

Assign IP address to guest users in the switch by ISE

Hello Peter.

My customer does not have wireless network and he did not want to work with DVLAN because the problem with renew ip address when occur the change of the VLAN. He will go to work with DACL in authorization profile.

The problem occurs with users guest, as they will be in the same network as corporate users, so there is no way to create a specific rule allowing access to the internet in the firewall ASA for guest users only.

As my customer receives few guests if I could assign IP address via ISE for guest users maybe I could use DVLAN for this specific case.

The customer does not want to use supplicant anyconnect.

Best Regards

Ricardo.

Silver

Assign IP address to guest users in the switch by ISE

Create a dACL on ISE that prevents guests from accessing the company network but allows them to use the Internet.

New Member

Assign IP address to guest users in the switch by ISE

I had suggested this to my customer but he did not want to leave the output open Internet to the corporate network in the firewall. I explained to him that the firewall rules that control the output of the Internet to the corporate network could be applied via DACL and so could leave the output released in firewall for internet for the whole corporate network.

Silver

Assign IP address to guest users in the switch by ISE

I like Link2 and I've searched for the Vlan Dhcp Release option in the user guide:

      An applet downloads to perform the IP release renew operation.

Silver

Assign IP address to guest users in the switch by ISE

Hello,

Please go through the below information which might be helpful to you:-

If you assign a VLAN, the final step is for the  client PC to renew its IP address. This step is achieved by the guest  portal for Windows clients. If you did not set a VLAN for the 2nd AUTH rule earlier, you can skip this step.

If you assigned a VLAN, complete these steps in order to enable IP renewal:

  1. Click Administration, and then click Guest Management.
  2. Click Settings.
  3. Expand Guest, and then expand Multi-Portal Configuration.
  4. Click DefaultGuestPortal or the name of a custom portal you may have created.
  5. Click the Vlan DHCP Releasecheck box.Note: This option works only for Windows clients.

and for more information on Vlan DHCP release:-

VLAN DHCP IP Release/Renew

This affects the CWA user login flow when the network access during the  final authorization switches the guest VLAN to a new VLAN. In this case,  the old IP of the guest needs to be released before the VLAN change and  a new guest IP needs to be requested through DHCP once the new VLAN  access is in place. The Cisco ISE server redirects the guest browser to  download an applet to perform the IP release renew operation.

The delay to release time should be low since it needs to occur  immediately after the applet is downloaded and before the Cisco ISE  server directs the NAD to re-authenticate with a CoA request. The  default release value is 1 second.

The delay to CoA delays the Cisco ISE from executing the CoA. Here,  enough time should be given to allow the applet to download and perform  the IP release on the client. The default value is 8 seconds.

The delay to renew value is added to the IP release value and does not  begin timing until the control is downloaded. The renew should be given  enough time so that the CoA is allowed to process and the new VLAN  access granted. The default value is 12 seconds.

New Member

Assign IP address to guest users in the switch by ISE

No I hope there is no such kind of possibility, only Vlan DHCP can be used and it’s a normal practice.

The best practice is to use ACL’s for the implementation.

New Member

Assign IP address to guest users in the switch by ISE

Are you using 1.2?

I've not tried this yet, but the way I understood it, 1.2 allowed the CoA action to be changed based on profile policy, so you could use dynamic VLAN and choose to 'port bounce' for the guest users. The port bounce should be enough to allow DHCP to renew with new IP.

If this is not possible yet, then it should be :-)

I'll have a look and see if that was actually added as an option. I may have dreamt it.

1304
Views
5
Helpful
9
Replies
CreatePlease to create content