
ISE change of VLAN for wireless endpoints

Hi,

 

I have configured a posture policy on ISE for posture-compliant and non-compliant endpoints such that posture-compliant endpoints fall into the clean VLAN and non-compliant ones fall into the other.

Now, my issue is that even if an endpoint is posture compliant, it is not getting placed in the clean VLAN. To get an IP address from the clean VLAN, ipconfig /release and ipconfig /renew have to be run manually.

How do I resolve the issue?

 

 

Regards,

Aditya

 

 

7 REPLIES

Accepted Solution

If you assign a VLAN, the final step is for the client PC to renew its IP address. This step is achieved by the guest portal for Windows clients. If you did not set a VLAN for the 2nd AUTH rule earlier, you can skip this step.

If you assigned a VLAN, complete these steps in order to enable IP renewal:

  1. Click Administration, and then click Guest Management.
     
  2. Click Settings.
     
  3. Expand Guest, and then expand Multi-Portal Configuration.
     
  4. Click DefaultGuestPortal or the name of a custom portal you created.
     
  5. Click the VLAN DHCP Release check box.
New Member

Hi,

Thanks for the reply.

I made the changes mentioned, but the endpoint is still not getting an IP from the clean VLAN; when I check on the WLC, the endpoint has been placed in the clean VLAN.

I believe that the solution you mentioned is for guest access; here I want to check posture for employees.

Any other solutions?

Regards,

Aditya

Cisco Employee

Accepted Solution

Aditya, 

 

At the end of the posture process (when the NAC agent informs ISE about the compliant status), the endpoint has already grabbed an IP address on the VLAN it was placed in as per the WLAN settings.

If at this point you push down an overriding VLAN attribute in the access-accept (compliant or not), the WLC will successfully switch the client to the new VLAN, but there is no way to force the client to go through a DHCP release/renew.

The only way to trigger something like this after the endpoint has grabbed an IP address in the old VLAN is to redirect the endpoint back to one of ISE's portals (CWA/DRW) and then trigger a VLAN DHCP release/renew through the Java applet. This is the solution salodoh is referring to.

That is the reason why we always recommend dynamic VLAN assignment only as a result of a layer 2 authentication (when the client hasn't grabbed an IP yet).

 

Regards,

 

Tony 

 

 

New Member

Thank you guys for your solutions. I configured ISE as per the solution and it's working.

Now, one more issue. As per the Authorization Policy, the endpoint is checked for posture compliance as below:

1) The endpoint is tested for posture compliance (the "Temporary Network Access" window pops up)

2) The endpoint passes the posture compliance test

3) The endpoint is given full network access (the "Full Network Access" window pops up)

The above process continues endlessly, and the "Temporary Network Access" window and the "Full Network Access" window appear again and again on screen even after the endpoint has been placed in the clean VLAN (even after a successful IP renew).

Is there any solution to stop these message windows from appearing on screen continuously?

 

Regards,

Aditya

 

New Member

How did you solve the issue of VLAN assignment for wireless users? I'm facing the same problem and I can't get the users to get the new VLAN.

Thank you in advance,

 

New Member

Hi,

We created and provided a posture agent profile (.cfg) with client provisioning.

Policy -> Policy Elements -> Client Provisioning -> Resources

Add a new posture agent profile. Make the settings as per the .jpg file.

After making the .cfg, attach it in client provisioning as per the second .jpg file.

Hope this solves your issue.

Thanks,

Aditya
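An added example (not code from this thread, from Cisco ISE or from the NAC agent) that models the mechanism Tony describes and the agent-side fix Aditya applies. It has two parts: an operator check that flags sessions whose client IP lies outside the subnet of the VLAN the WLC now reports for them (the stale-lease symptom, where the WLC shows the clean VLAN but the client still holds its old address), and a client-side VLAN-change detector that probes the default gateway each interval and triggers a DHCP release/renew after repeated failures, which is what the posture agent profile's VLAN-detection settings are assumed here to do. The VLAN IDs, subnets, MAC addresses and session records are constructed sample data, and the gateway probe and lease refresh are injected callables so the logic runs offline.

```python
"""Added example: stale-lease audit and client-side VLAN-change detection.
Not Cisco code; VLAN IDs, subnets and sessions below are assumptions."""
from dataclasses import dataclass
import ipaddress
from typing import Callable, Dict, List

# Assumed VLAN -> subnet map; in a real deployment this comes from the
# WLC dynamic-interface configuration.
VLAN_SUBNETS: Dict[int, ipaddress.IPv4Network] = {
    10: ipaddress.ip_network("10.10.10.0/24"),  # clean VLAN (assumed)
    20: ipaddress.ip_network("10.10.20.0/24"),  # quarantine VLAN (assumed)
}


@dataclass
class Session:
    """One wireless client as the WLC/ISE session table would show it."""
    mac: str
    vlan: int          # VLAN the WLC applied from the last access-accept
    client_ip: str     # address the client is actually using
    posture: str       # "compliant" or "noncompliant"


def stale_lease(session: Session,
                vlan_subnets: Dict[int, ipaddress.IPv4Network] = VLAN_SUBNETS) -> bool:
    """True when the client's IP is outside the subnet of its current VLAN,
    i.e. it still uses the lease from the VLAN it was in before the change."""
    return ipaddress.ip_address(session.client_ip) not in vlan_subnets[session.vlan]


def audit(sessions: List[Session]) -> List[str]:
    """MACs of clients that were moved to a new VLAN but never renewed."""
    return [s.mac for s in sessions if stale_lease(s)]


class VlanChangeDetector:
    """Client-side VLAN-change detection, as a posture agent's VLAN-detection
    setting is assumed to work: probe_gateway() runs once per interval and
    returns True if the default gateway answers (ping or ARP in a real agent).
    After retry_count consecutive failures, refresh_lease() is called; on
    Windows that would run 'ipconfig /release' followed by 'ipconfig /renew'.
    """

    def __init__(self, probe_gateway: Callable[[], bool],
                 refresh_lease: Callable[[], None], retry_count: int = 3) -> None:
        self.probe_gateway = probe_gateway
        self.refresh_lease = refresh_lease
        self.retry_count = retry_count
        self.failures = 0
        self.refreshes = 0

    def tick(self) -> bool:
        """Run one detection interval; return True if a refresh was triggered."""
        if self.probe_gateway():
            self.failures = 0          # gateway reachable: lease still usable
            return False
        self.failures += 1
        if self.failures < self.retry_count:
            return False               # tolerate transient packet loss
        self.failures = 0
        self.refreshes += 1
        self.refresh_lease()           # old gateway gone: lease on the new VLAN
        return True


# Constructed sample session table; the first entry is the thread's symptom:
# WLC reports the clean VLAN 10, client still holds a VLAN 20 address.
SAMPLE_SESSIONS = [
    Session("00:11:22:33:44:01", vlan=10, client_ip="10.10.20.15", posture="compliant"),
    Session("00:11:22:33:44:02", vlan=10, client_ip="10.10.10.42", posture="compliant"),
    Session("00:11:22:33:44:03", vlan=20, client_ip="10.10.20.77", posture="noncompliant"),
]


def simulate_vlan_change(probe_results: List[bool], retry_count: int = 3) -> int:
    """Feed a scripted sequence of gateway-probe results through the detector
    and return how many lease refreshes it triggered."""
    detector = VlanChangeDetector(probe_gateway=iter(probe_results).__next__,
                                  refresh_lease=lambda: None,
                                  retry_count=retry_count)
    for _ in probe_results:
        detector.tick()
    return detector.refreshes


if __name__ == "__main__":
    print("stale leases:", audit(SAMPLE_SESSIONS))
    # reachable, lost for three intervals after the VLAN move, reachable again
    print("refreshes:", simulate_vlan_change([True, False, False, False, True]))
```

In production the session records would come from the WLC client table or ISE live sessions, and the refresh callable would actually release and renew the lease. The retry threshold matters: a single lost probe should not trigger a renew, but until the renew happens a client the WLC has already moved to the clean VLAN is still talking with an address from the quarantine subnet, which is exactly why the thread's clients appeared "placed" but not working.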

 

 

 

New Member

Thank you very much Aditya, now the VLAN change is done!

1081 Views, 20 Helpful, 7 Replies