
VLAN change CoA

matteodapozzo

Hi ISE community,

One of our customers has the following scenario:

  • Wired access where employees and guests can connect
  • Switchports by default on corporate VLAN X
  • CWA for any non-domain PC with self registration portal

Now the customer asked to differentiate Guest traffic based on VLAN (all users authenticated on CWA portal with guest credentials).

I have done some tests, but basically the problem is that the endpoint does not recognize that the VLAN has changed and the IP is not being refreshed by the client.

Does anyone have any suggestions on how to achieve that?

The objective is to have something that could differentiate guest traffic, like another VLAN for guest traffic, another network, etc. I have tried to see if SGT could be an option, but basically the target device (web proxy) does not recognize the TrustSec tag.

Do you think that assigning the same network on different VLANs using VRFs could be an option?

Thanks.

M

Accepted Solutions

Existing discussions in the community on same

https://communities.cisco.com/thread/81859

https://communities.cisco.com/thread/78818?start=0&tstart=0


3 Replies

ognyan.totev

Hi, yes, you can use different VRFs. As you know, I am sure you can have a different VRF for management, another for DATA, another for VOICE. In my deployment I have them and a guest VLAN. But I have only wireless guests, not wired, nvm. I think you can create Authorization Profiles > New Authorization Profile and tag the VLAN you want for guests.

After that, just add this profile to an authorization rule.

You can test this too

Thank you ognyan for your feedback, I appreciate it.

I would like to stay away from VLAN DHCP Release option because we don't know if the Guest clients have ActiveX or Java support. Please let me know.


Thanks again for your answer!
