
ISE Wired Guest + user without supplicant and dynamic vlan change

jasonsalomons
Level 1

Hi All,

I have two issues:


Is it still an issue when a wired user who is directed to the ISE CWA is able to stay authenticated as a guest for as long as they stay connected?

This is happening on our test pilot - a guest with 2 hour access on a wired connection can maintain the guest access for as long as they desire.

I hear that this isn't an issue for wireless, but I have yet to try this out. Is there a workaround for this?

Secondly, my testing confirms that only users with a supplicant, e.g. AnyConnect NAM, can be dynamically changed into a VLAN (only tested on wired).

What I'd hope to do is create a policy that, when wired guests connect in, dynamically changes their VLAN to the guest VLAN (the same one guest WLAN users will use).

Is this possible if the guest doesn't have a supplicant?

2 Replies

jasonsalomons
Level 1

One of my tasks was to rebuild the multiportal config, and it looks like there was an option there to do a VLAN DHCP release and renew. I won't know if this will work until next week, but it sounds promising. It was tucked down on the screen so I had to scroll down to find it...

I still don't have an answer about the guest being able to stay authenticated, or does this feature solve this issue as well? Only time will tell...

You can create an AuthZ profile that forces reauthentication every two hours. Create an AuthZ rule that matches guest flow and login and points to that AuthZ profile.

The VLAN DHCP renew is actually a Java applet that launches. It's buggy, but it works most of the time.