Lab Minutes Forum

Technical Discussion => Security => Topic started by: spark_rod on July 18, 2014, 06:50:45 PM

Title: vlan dhcp release not working
Post by: spark_rod on July 18, 2014, 06:50:45 PM
Hi, after we solved the web redirect issue which was discussed in the previous thread, here goes the new issue: the VLAN DHCP release is not working. My setup is that when users connect they are placed in the guest VLAN; if a user authenticates as staff, whose credentials are in AD, the user will get a new IP under the staff VLAN. It gets the authorization policy from ISE and is assigned the right VLAN for staff (vlan48), but the IP did not change after the IP renewal finished; it is still in vlan64 (guest).

DV-CASW-4-1(config-if)#do sh auth sess int g5/36
            Interface:  GigabitEthernet5/36
          MAC Address:  3c97.0eaf.a8e4
           IP Address:  172.27.64.106 <------------did not change
            User-Name:  nw_sf_test
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  148 <------------------- correct vlan should be in (172.27.148.x/24)
           Vlan Group:  SIT_STAFF_LAN
     URL Redirect ACL:  ACL_REDIRECT
         URL Redirect:  https://xxxx.xxxx.xxx:8443/guestportal/gateway?sessionId=AC1B180800000F8F419020EC&portal=SIT_Staff_Portal&action=cwa
              ACS ACL:  xACSACLx-IP-SIT-ISE-ONLY-53c7bea2
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC1B180800000F8F419020EC
      Acct Session ID:  0x00001082
               Handle:  0xE4000F90

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
Title: Re: vlan dhcp release not working
Post by: spark_rod on July 19, 2014, 01:00:58 PM
Hi to all who have the same issue as me, just to inform everybody that my problem was resolved. Just to share in case anyone encounters this issue: there is a bug on the switch which causes the CoA to fail. After the successful CoA the redirect-url and ACL redirect are not cleared. The workaround is to create a permit access on the authorization profile. This is the bug ID for reference: CSCue62019.
Thanks.
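
The symptom described in this thread (VLAN policy assigned, but the redirect still applied and the IP still in the old subnet) can be checked mechanically from the session output. The following is an added example, not part of the original posts; the function names and the VLAN_SUBNETS map are assumptions, with the one map entry taken from the annotation in the first post.

```python
import ipaddress
import re

# Sample lines copied from the output posted in this thread (annotations included).
SAMPLE = """\
           IP Address:  172.27.64.106 <------------did not change
               Status:  Authz Success
          Vlan Policy:  148 <------------------- correct vlan should be in (172.27.148.x/24)
     URL Redirect ACL:  ACL_REDIRECT
         URL Redirect:  https://xxxx.xxxx.xxx:8443/guestportal/gateway?sessionId=AC1B180800000F8F419020EC&portal=SIT_Staff_Portal&action=cwa
"""

# Assumption: operator-maintained VLAN-to-subnet map; the 148 entry is from the post.
VLAN_SUBNETS = {"148": "172.27.148.0/24"}

def parse_session(text):
    """Parse 'Key:  value' lines, dropping trailing '<---- note' annotations."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s{2,}(.*?)\s*(?:<-+.*)?$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def stale_after_coa(fields, vlan_subnets=VLAN_SUBNETS):
    """Return findings for an authorized session that still looks pre-CoA."""
    findings = []
    if fields.get("Status") != "Authz Success":
        return findings
    vlan = fields.get("Vlan Policy")
    # A VLAN policy together with a lingering redirect is the state reported here.
    if vlan and (fields.get("URL Redirect") or fields.get("URL Redirect ACL")):
        findings.append("redirect still applied with VLAN policy %s" % vlan)
    subnet = vlan_subnets.get(vlan)
    try:
        ip = ipaddress.ip_address(fields.get("IP Address", ""))
    except ValueError:
        ip = None  # no address learned yet, nothing to compare
    if subnet and ip and ip not in ipaddress.ip_network(subnet):
        findings.append("IP %s outside %s for VLAN %s" % (ip, subnet, vlan))
    return findings

if __name__ == "__main__":
    for finding in stale_after_coa(parse_session(SAMPLE)):
        print(finding)
```

A session that holds both a VLAN policy and a redirect is only a lead for investigation; during the initial web-auth phase the redirect is expected.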
Title: Re: vlan dhcp release not working
Post by: MC on July 20, 2014, 04:52:11 PM
Hi spark_rod, just so I understand this correctly: you use web-auth for staff as well and not 802.1X, correct? Can you elaborate on the "permit access on the authorization profile"? What exactly do you have on the Authorization profile for a successful Staff authen as a workaround? I would guess you at least have the VLAN48 set to change from guest to staff VLAN.