In this document, Cisco TAC engineer Debashree Jena explains an issue seen with Central Web Authentication (CWA) in an ISE setup where a single VLAN is used both pre-CoA and post-CoA.
Whenever CWA is configured with ISE on a WLC, there are two possible scenarios:
1. A different VLAN is used pre-CoA and post-CoA
2. The same VLAN is used pre-CoA and post-CoA
Certain client types, such as Windows 7 and Mac OS devices, get stuck in the DHCP_REQD state post-CoA.
Cause / Problem Description
When the WLC receives a CoA (Change of Authorization) RADIUS message from ISE, the WLC sends a deauthentication to the client and moves the client to the DHCP_REQD state. Unless "DHCP Required" is disabled on the WLAN, this means that the client will then be disconnected unless it performs a new DHCP request.
Unfortunately, some clients (Mac OS X and Windows 7) are sometimes seen not to re-DHCP after the deauthentication. Such clients then fail to regain network connectivity at CoA and are disconnected by the WLC after the DHCP timeout.
This issue occurs only when a single VLAN is used.
Conditions / Environment
Clients running Windows 7 and Mac OS X
We can enable an optimization: do not deauthenticate the client, and do not move it to DHCP_REQD. Simply allow it to keep using the same 802.11 association and DHCP lease it already had. (When the client is switching VLANs at CoA, there is a good reason to send it a deauthentication, namely to [hopefully] trigger it to re-DHCP, but there is no point in performing the deauth/re-DHCP when the client is not switching VLANs; it can just keep using the same DHCP address.)
When the Cisco WLC receives a CoA (Change of Authorization) RADIUS message, for example from ISE, the Cisco WLC sends a deauthentication to the client and moves the client to the DHCP_REQD state. Unless "DHCP Required" is disabled on the WLAN, this means that the client will then be disconnected unless it performs a new DHCP request. With "debug client" in effect on the Cisco WLC, the following message is seen:
DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
The Cisco WLC is using CoA from RADIUS and has DHCP Required enabled on the WLAN. The client is one that does not reliably re-DHCP upon 802.11 deauthentication; some Windows 7 and Mac OS X systems have been seen to have this problem.
For a single-VLAN system (same VLAN before and after CoA), disable DHCP Required. For some client types, you might be able to reconfigure them to make sure that they re-DHCP as needed. For example, on a Windows 7 system, perform the following:
1. In the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces registry path, create a DWORD value named "UseNetworkHint" and set it to "0".
2. Restart the DHCP client service by executing the following commands from an elevated command prompt:
net stop dhcp
net start dhcp
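The same two steps as a script, added here as an example and not part of the original article. It writes the DWORD at the registry path named above, verifies the value, and restarts the DHCP Client service with Restart-Service in place of the net stop/net start pair; it assumes an elevated PowerShell session on the Windows 7 client.

```powershell
# Added example: apply the Windows 7 re-DHCP workaround from the article.
# Assumes an elevated PowerShell session (registry write under HKLM).
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$ValueName = 'UseNetworkHint'

function Set-UseNetworkHintOff {
    param([string]$Path = $RegPath)

    if (-not (Test-Path -Path $Path)) {
        throw "Registry path not found: $Path"
    }

    # Read the current value, if any; $null means the value does not exist yet.
    $current = (Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    if ($null -eq $current) {
        New-ItemProperty -Path $Path -Name $ValueName -PropertyType DWord -Value 0 | Out-Null
        Write-Output "Created $ValueName = 0 under $Path"
    } elseif ($current -ne 0) {
        Set-ItemProperty -Path $Path -Name $ValueName -Value 0
        Write-Output "Changed $ValueName from $current to 0"
    } else {
        Write-Output "$ValueName is already 0; nothing to change"
    }

    # Re-read and return the value so the caller can confirm it is 0.
    return (Get-ItemProperty -Path $Path -Name $ValueName).$ValueName
}

function Restart-DhcpClientService {
    # Equivalent of "net stop dhcp" followed by "net start dhcp".
    Restart-Service -Name Dhcp -Force
    return (Get-Service -Name Dhcp).Status
}

$value  = Set-UseNetworkHintOff
$status = Restart-DhcpClientService
Write-Output "UseNetworkHint = $value; DHCP Client service is $status"
```

After the service restart, the client should issue a fresh DHCP request; confirm on the WLC with "debug client" that the client leaves the DHCP_REQD state after the next CoA.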
An alternative might be to use two VLANs, one pre-CoA and the other post-CoA. The DHCP leases for the pre-CoA scope might be set with very short lease durations, such as 30 seconds. This should trigger a more timely DHCP lease renewal from the client so that it can regain access to the network after the CoA event.