
Issue faced with Central Web Authentication (CWA) - ISE setup with single VLAN used for pre-CoA and post-CoA

 

 

Introduction

In this document, Cisco TAC engineer Debashree Jena explains an issue seen with Central Web Authentication (CWA) in an ISE setup where a single VLAN is used both pre-CoA and post-CoA.

 

Symptoms

When CWA is configured with ISE on a WLC, there are two possible scenarios:

1. Different VLANs used pre-CoA and post-CoA

2. Same VLAN used

 

Certain client types, such as Windows 7 and Mac OS devices, get stuck in DHCP_REQ post-CoA.

 

Cause / Problem Description

When the WLC gets a CoA (Change of Authorization) RADIUS message from ISE, the WLC will send a Deauth to the client, and move the client to DHCP_REQ state. Unless "DHCP Required" is disabled on the WLAN, this means that the client will then be disconnected, unless it performs a new DHCP request.

 

Unfortunately, some clients (Mac OS X and Windows 7) are sometimes seen not to re-DHCP after the Deauth. Such clients will then fail to regain network connectivity at CoA and will be disconnected by the WLC after the DHCP timeout.

 

This issue happens only when a single VLAN is used.

 

Conditions / Environment

Clients running Windows 7 or Mac OS, specifically.

 

Resolution

We can enable an optimization: do not Deauth the client, and do not move it to DHCP_REQ. Just allow it to keep using the same 802.11 association and DHCP lease as it had been. (In the case where the client is switching VLANs at CoA, there is a good reason to send it a deauth - in order [hopefully] to trigger it to re-DHCP - but there is no point in performing the Deauth/re-DHCP when the client is not switching VLANs ... it can just keep using the same DHCP address.)

 

There is a bug filed for this issue: CSCuj45983

 

 


 

Workaround

1. Disable the DHCP Required option on the WLAN.

2. For Windows 7, disable the DHCP network hint as described at this link:

http://blogs.technet.com/b/teamdhcp/archive/2008/12/19/how-to-configure-dhcp-network-hint.aspx

3. Manually renew the IP address of the client after CoA.

4. Use two VLANs so that the setup works for these clients.

 

Release Notes - 7.4.121.0

CSCuj45983

Symptom:

When the Cisco WLC gets a CoA (Change of Authorization) RADIUS message, for example from ISE, the Cisco WLC sends a deauthentication to the client and moves the client to the DHCP_REQ state. Unless "DHCP Required" is disabled on the WLAN, this means that the client will then be disconnected unless it performs a new DHCP request. With "debug client" in effect on the Cisco WLC, the following message will be seen:

DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
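
As an added example (not part of the original document or of Cisco's tooling), the following Python script scans saved "debug client" output for the message above and separates clients that timed out with zero DHCP requests, which is the symptom of this bug, from clients that timed out after sending requests. The line layout (client MAC followed by the message), the possibility of a non-zero request count, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Message text taken from the release note; the request count is captured
# so that "0 requests" can be told apart from other DHCP timeouts.
TIMEOUT_RE = re.compile(
    r"DHCP_REQD \(7\) DHCP Policy timeout\. Number of DHCP request (\d+) from client"
)
# Assumption: each debug line carries the client MAC in colon-separated form.
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.IGNORECASE)


def find_dhcp_timeouts(lines):
    """Return {mac: [request_count, ...]} for every DHCP policy timeout seen."""
    hits = defaultdict(list)
    for line in lines:
        m = TIMEOUT_RE.search(line)
        if not m:
            continue
        mac = MAC_RE.search(line)
        key = mac.group(0).lower() if mac else "unknown"
        hits[key].append(int(m.group(1)))
    return dict(hits)


def clients_matching_symptom(lines):
    """Clients that timed out without sending any DHCP request at all."""
    return sorted(
        mac for mac, counts in find_dhcp_timeouts(lines).items() if 0 in counts
    )


# Constructed sample lines (not captured from a real controller).
SAMPLE_LOG = """\
00:11:22:33:44:55 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
66:77:88:99:aa:bb DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 3 from client
AA:BB:CC:DD:EE:FF DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
00:11:22:33:44:55 some unrelated debug line
""".splitlines()

if __name__ == "__main__":
    for mac in clients_matching_symptom(SAMPLE_LOG):
        print(f"{mac}: timed out in DHCP_REQD with 0 DHCP requests")
```

A client that timed out after sending requests points at a different problem (for example, the DHCP path) rather than the missing re-DHCP described here.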

 

Conditions:

Cisco WLC is using CoA from RADIUS and has DHCP Required on the WLAN. Client is one that does not reliably re-DHCP upon 802.11 deauthentication; some Windows 7 and Mac OS X systems have been seen to have this problem.

 

Workaround:

For a single VLAN system (same VLAN before and after CoA), disable DHCP Required. For some client types, you might be able to reconfigure them to make sure that they re-DHCP as needed. For example, on a Windows 7 system, perform the following:

1. In the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces registry path, create a DWORD value named "UseNetworkHint" and set it to "0".

2. Restart the DHCP client service by executing the following commands from elevated command prompt:

net stop dhcp

net start dhcp

An alternative might be to use two VLANs, one a pre-CoA and the other a post-CoA. The DHCP leases for the pre-CoA scope might be set with very short lease durations such as 30 seconds. This should trigger a more timely DHCP lease renewal from the client so that it can regain access to the network after the CoA event.

 

 

More Information

Release Notes for Cisco Wireless LAN Controllers 5500 and Lightweight Access Points for Release 7.4.121.0

Don't make a client re-DHCP at CoA if not changing VLANs - CSCuj45983

How to Configure DHCP Network Hint

Version history: revision 2 of 2, last updated 08-29-2017 07:04 AM