wired guest vlan with ISE

switched switch
Level 1

Hi all,

For those that have travelled down the path of ISE, is it reliable to put all the switch ports into a guest VLAN and rely on the NAM to change that for corporate users? We will be using the NAM AnyConnect supplicant for corporate users, so they should automatically be changed into the corporate VLAN on successful authentication. Is this correct, and is this reliable?
Testing now with all ports on the corporate VLAN, guests are still accessing the corporate VLAN initially before they are changed by the Java applet upon registering as a guest user.
Thanks

Sent from Cisco Technical Support iPad App

7 Replies

kaaftab
Level 4

ISE uses 802.1X for authentication, and this method is used by many companies, so I would suggest doing the lab deployment and testing the solution before production deployment. Dynamic ACLs/VLANs are a better and easier way to control the users.

From a security point of view, I can't say that I like guests still being able to plug in, and if the ports are preconfigured for the corporate VLAN, guests being able to sniff traffic. Currently in my lab I have this setup and rely on the Java applet to change the guest's PC to the guest VLAN, which works but isn't great.

Whilst I will be changing the default ports to the guest VLAN and testing, have people had issues with the change of VLAN for the AnyConnect NAM supplicant? I'd love to hear if others, by default, have the ports remain in a non-corporate VLAN.

Sent from Cisco Technical Support iPad App

If you are using "Closed Mode" then only EAPoL (802.1X) traffic is allowed to traverse that port until authentication succeeds. If authentication fails then you can set the port to be dropped into a guest VLAN with Internet access only. You could also set up CWA (Central Web Auth) so if authentication fails then the user will be redirected to ISE's guest portal for CWA authentication.

I hope this helps


Sorry all, I don't think I'm making myself very clear. Say our corporate users are on VLAN 20, and our guests on wired and wireless networks are on VLAN 40. With the standard port configuration, is it better to have the switch ports on VLAN 40 (guest VLAN) by default, and have the corporate users' NAM supplicant change the VLAN to 20 if successful, or the other way around and have the ports in default state on VLAN 20 (corporate) and when a guest hits the web portal have their VLAN changed to VLAN 40? The problem with the last method is that, by default, the guest connects on the corporate VLAN, so can actually use Wireshark to sniff our corporate traffic on that VLAN.
I wanted to know if the change of VLAN for corporate users with NAM is reliable, i.e. when a corporate user authenticates, the change of VLAN from the guest VLAN to the corporate VLAN.

Sent from Cisco Technical Support iPad App

We also plan on implementing low-impact mode, i.e. open authentication with a default ACL, as there are things like PXE booting that need to happen.

Sent from Cisco Technical Support iPad App

I will try to answer all of your questions:

1. "With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40"

- I suppose the standard is to have the port in the regular/standard VLAN and only put failed authentications in the guest VLAN. However, with that being said, it really depends on what you are trying to accomplish, thus I suppose you could try doing it the other way around. I have never tested it nor deployed it that way, so I highly recommend you try that in the lab.

2. "I wanted to know if the change of vlan for corporate users with NAM is reliable?"

- Yes it is. Well, at least for the most part. Some "dumb" devices such as printers, badge readers, etc., might not know that a VLAN was changed, thus never request a new IP address. As a result, they get stuck in the guest VLAN. That is why I usually like to NOT use guest VLAN but send all failed authentications through the guest portal. There you can control who is guest and who is not via dACLs.

3. "We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things like PXE booting that needs to happen"

- So my guess is that the guest VLAN terminates on some interface such as FW DMZ. That interface usually has some ACL that blocks all RFC 1918 and permits everything else. If that is the case and you want to use Low-Impact mode, then you will need to grant the same access on the DMZ interface as the one granted in the Low-Impact mode ACL, otherwise things will break.
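
The two port designs discussed in this thread (closed mode with a guest VLAN for failed or unanswered authentication, and low-impact mode with a pre-auth ACL plus dACLs from ISE), written out as an added IOS configuration example. This is not configuration from any poster in the thread. It reuses the original poster's VLAN numbers (20 corporate, 40 guest); the interface names, the ACL name PRE-AUTH, the RADIUS server name and address and the shared secret are placeholders.

```ios
! Added example, not from the thread. VLAN 20 = corporate, VLAN 40 = guest
! (the original poster's numbers); interface names, the ACL name, the
! RADIUS server name/address and the shared secret are placeholders.
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! Device tracking is required for the switch to apply dACLs and redirects.
ip device tracking
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key SHARED-SECRET-PLACEHOLDER
!
! Pre-auth ACL for low-impact mode: only what an unauthenticated host
! needs to boot (DHCP, DNS, TFTP for PXE). Everything else waits for the
! dACL ISE returns on successful authentication.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 deny   ip any any
!
! Variant A: closed mode (the default, no "authentication open"). Nothing
! but EAPoL passes until the session is authorized. A host that never
! answers 802.1X and is not authorized by MAB is put in the guest VLAN,
! as is a host whose 802.1X credentials are rejected.
interface GigabitEthernet1/0/1
 description Closed-mode user port
 switchport mode access
 switchport access vlan 20
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event no-response action authorize vlan 40
 authentication event fail action authorize vlan 40
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Variant B: low-impact mode. The port is open, but PRE-AUTH limits what
! an unauthorized host can reach; on success ISE pushes a dACL (and a
! VLAN only if the policy says so), so devices that never renew their
! DHCP lease are not stranded by a VLAN change.
interface GigabitEthernet1/0/2
 description Low-impact user port
 switchport mode access
 switchport access vlan 20
 ip access-group PRE-AUTH in
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

In variant B the traffic a guest can see before authorization is bounded by PRE-AUTH rather than by which VLAN the port happens to sit in, which is the concern raised earlier in the thread; the access a guest gets afterwards is whatever dACL the ISE authorization policy (or the guest portal flow) returns for that session.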


Can someone please provide the actual configuration for this? I was trying to do the following and, for some reason, the guest PCs are still getting an IP address from the corporate VLAN (46) rather than from the guest VLAN (54).

Can someone help me? Thanks in advance.

interface GigabitEthernet4/0/39
description User Port
switchport access vlan 46
switchport mode access
switchport voice vlan 219
authentication event fail action next-method
authentication event no-response action authorize vlan 54
authentication event server dead action reinitialize vlan 46
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
no snmp trap link-status
mls qos trust device cisco-phone
mls qos trust dscp
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 15
no mdix auto
storm-control broadcast level 20.00
spanning-tree portfast
ip dhcp snooping limit rate 50
