Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Dynamic VLAN assignment in low-impact mode ISE1.2

Is anyone doing extensive dynamic VLAN assignment with low-impact mode? If so, how are you getting around the issue of having a client get an IP address on the switchport configured VLAN then not releasing that address once the VLAN changes? I didn't know a way around this other than configuring closed mode...but closed mode is causing me a lot of client issues.

1 REPLY
New Member

Sounds like you may be having

I believe that it is the supplicant's responsibility to determine when there has been a VLAN change on the port and refresh the IP address at that point. This should happen with standard CoA regardless of Open or Closed mode.

Are you experiencing the issue with certain clients/supplicants or supplicantless devices? If so, there are ways to fix that below. 

** Note that I do not believe this works with multiple authentication sessions on a single port--you will have to use re-auth in that case.

Cisco ISE Active RADIUS Sessions

Cisco ISE provides a dynamic Change of Authorization (CoA) feature for the Live Sessions that allows you to dynamically control active RADIUS sessions. You can send reauthenticate or disconnect requests to a Network Access Device (NAD) to perform the following tasks:

  • Force endpoints to reacquire IP addresses—You can use the Session termination with port bounce option for endpoints that do not have a supplicant or client to generate a DHCP request after a VLAN change.

Understanding RADIUS Change of Authorization

With Cisco IOS Release 12.2(33)SXI4 and later releases, the switch can accept and execute unsolicited Change of Authorization (CoA) messages from the authentication server (AS). CoA is an extension to the RADIUS protocol that allows the AS to make dynamic and unsolicited changes to the authorization information of an active session hosted by a network access device, such as a switch. For more information about CoA, see RFC 5176.

The Catalyst 6500 series switch supports per-session and per-policy CoA commands relating to 802.1X, MAB, and web-based authentication sessions.

Per-Session CoA

Using per-session CoA commands, the AS can cause the switch to terminate a session or to force a reauthentication of the session. To terminate a session, the AS can instruct the switch to perform one of the following actions:

•End the session—The AS sends a CoA Disconnect-Request (see RFC 5176), causing the switch to delete all state information about the session.

•Shut down the port—The AS sends the following VSA to force an administrative shutdown of the port:

Cisco-AVPair="subscriber:command=disable-host-port"

•Bounce the port—The AS sends the following VSA to force the switch link to be taken down, then up again:

Cisco-AVPair="subscriber:command=bounce-host-port"

By default, the switch accepts and executes per-session CoA commands, but you can configure the switch to ignore CoA shutdown or bounce commands directed at specific ports.

The AS sends the following VSA to force a reauthentication of the session:

Cisco-AVPair="subscriber:command=re-authenticate"

 

112
Views
0
Helpful
1
Replies
CreatePlease to create content