So what you are asking is if it’s possible to switch vlans after authentication? Sounds like the customer wants the default VLAN to be the guest VLAN. Is that the goal here? The desired functionality isn’t clear to me yet.
Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.
I am quoting the Meraki documentation from the URL I mentioned in my opening post.
Now Meraki have sold me the dream ... and they mention ISE is a Radius server (see below).
But they fail to explain how ISE is supposed to achieve this. That is what I want to know.
How does one marry up the statement above (changing VLAN when auth is 802.1X, and CoA using ISE)
More Meraki goodness ...
If George is correct on the intent, then it does not require CoA at all. The VLAN will be a set of tagged attributes included in the matched authorization profile.
ISE profiling has a global CoA Type at [Administration > System > Settings > Profiling] and defaults to No CoA. Individual profile policies may override it for CoA. If it is set to perform CoA and ISE detects a profiling event that would result in a different authorization policy rule, then ISE will trigger a CoA.
Yes, of course ISE supports RADIUS CoA. However, CoA does not happen in a RADIUS Authorization. CoA is initiated by the RADIUS server (ISE) asynchronously outside of the authentication request/response based on some other event (administrator, threat, API, etc.).
You may be asking if Meraki supports RADIUS CoA. According to How To: Integrate Meraki Networks with ISE, they do.
A single 8-second timeout is incredibly short for 802.1X as you have found. We suggest 10 seconds x 3 retries as best practice as recommended in How To: Universal IOS Switch Config for ISE, Step 17.
Even if the authentication fell through to a MAB with Guest default, a good desktop supplicant would initiate an EAPoL-Start when the user enters their 802.1X credentials, even when it is not in response to an 802.1X EAP challenge, which would then trigger the switch to do a RADIUS re-authentication.
If for some reason that is not working, you could potentially try doing a short RADIUS Attribute 27 (Session-Timeout) and 29 (Terminate-Action) to cause a re-authentication for Guest. Keep in mind that this could greatly increase the load on ISE for endpoints stuck in this state.
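The two replies above talk about the VLAN being "a set of tagged attributes" in the authorization profile and about using attributes 27 (Session-Timeout) and 29 (Termination-Action) to force a Guest re-authentication. The following is an added example, not code from this thread, from Cisco, or from Meraki: it builds and decodes the RADIUS Access-Accept attributes that carry a dynamic VLAN under RFC 3580 (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>) plus the optional Session-Timeout and Termination-Action=RADIUS-Request pair. The attribute numbers and tag encoding come from RFC 2865/2868/3580; the VLAN id, tag and timeout values are constructed sample values, and the assumption that these are the attributes an ISE authorization profile's VLAN option emits is mine, so check it against a packet capture in your own lab.

```python
import struct

# RADIUS attribute type numbers (RFC 2865, RFC 2868, RFC 3580)
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13            # RFC 3580: VLAN
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 2868: IEEE-802
TERMINATION_RADIUS_REQUEST = 1   # RFC 2865: re-authenticate when Session-Timeout expires

ATTR_NAMES = {
    SESSION_TIMEOUT: "Session-Timeout",
    TERMINATION_ACTION: "Termination-Action",
    TUNNEL_TYPE: "Tunnel-Type",
    TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
    TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID",
}


def _avp(attr_type, payload):
    # RADIUS AVP layout: Type (1 byte), Length (1 byte, counts the header), Value
    length = 2 + len(payload)
    if length > 255:
        raise ValueError("AVP too long")
    return bytes([attr_type, length]) + payload


def _tagged_int(attr_type, tag, value):
    # RFC 2868 tagged integer: tag byte (0..31) followed by a 3-byte big-endian value
    if not 0 <= tag <= 31:
        raise ValueError("tag must be 0..31")
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def _tagged_string(attr_type, tag, text):
    # RFC 2868 tagged string: tag byte followed by the string
    if not 0 <= tag <= 31:
        raise ValueError("tag must be 0..31")
    return _avp(attr_type, bytes([tag]) + text.encode("ascii"))


def _int32(attr_type, value):
    return _avp(attr_type, struct.pack("!I", value))


def build_vlan_accept_attrs(vlan_id, tag=1, session_timeout=None, reauth_on_timeout=False):
    """Attributes an Access-Accept carries to place the port in vlan_id (sample values)."""
    attrs = _tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
    attrs += _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
    attrs += _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id))
    if session_timeout is not None:
        attrs += _int32(SESSION_TIMEOUT, session_timeout)
        if reauth_on_timeout:
            # Without Termination-Action=RADIUS-Request the session is simply dropped
            attrs += _int32(TERMINATION_ACTION, TERMINATION_RADIUS_REQUEST)
    return attrs


def parse_attrs(data):
    """Decode a run of AVPs into dicts; rejects truncated or malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length")
        value = data[i + 2:i + length]
        i += length
        name = ATTR_NAMES.get(attr_type, f"Attribute-{attr_type}")
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError(f"{name} must be 4 bytes")
            out.append({"name": name, "tag": value[0], "value": int.from_bytes(value[1:4], "big")})
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is not a tag but part of the string
            if value and value[0] <= 0x1F:
                out.append({"name": name, "tag": value[0], "value": value[1:].decode("ascii")})
            else:
                out.append({"name": name, "tag": 0, "value": value.decode("ascii")})
        elif attr_type in (SESSION_TIMEOUT, TERMINATION_ACTION):
            out.append({"name": name, "value": struct.unpack("!I", value)[0]})
        else:
            out.append({"name": name, "value": value})
    return out


if __name__ == "__main__":
    # Constructed sample: Guest VLAN 20, re-authenticate every 300 seconds
    raw = build_vlan_accept_attrs(20, session_timeout=300, reauth_on_timeout=True)
    for avp in parse_attrs(raw):
        print(avp)
```

Decoding a capture of the Access-Accept this way is the quickest check that the switch is receiving all three Tunnel-* attributes with the same tag; if one is missing, or the Tunnel-Private-Group-ID is not a VLAN the switch knows, the port stays in its configured VLAN. Keep the Session-Timeout value conservative, as the reply above warns, because every expiry is another full authentication against ISE.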