Setting up NAC with existing WLC

Unanswered Question
Aug 16th, 2007

I have an existing wireless network up and running. I want to configure the NAC devices and need some questions answered. I started configuring the CAS using in-band virtual gateway. If the internal wireless users are on VLAN 73 (SSID mapped to the VLAN 73 interface in the WLC) and I have an auth VLAN 74 (I guess I need this for remediation)... do I have to map (change it in the WLC) that internal SSID to VLAN 74 to pass through the CAS? Then the CAS will bridge to VLAN 73? I can't find any docs on how to configure in-band virtual gateway with a WLC. Thanks!

Anonymous (not verified) Wed, 08/22/2007 - 11:01
"All guest wireless traffic coming into the controller must go through the CAS before it can go anywhere else. A dynamic interface called guest is created in the controller, and all guest traffic is forwarded through it to the untrusted interface of the CAS.

After the guest users are authenticated locally or through an external server (RADIUS, LDAP, Kerberos) by the CAS/CAM, the user traffic is allowed only through the CAS and can reach the outside network. You can also set user timeout sessions, bandwidth, and access control management." This explains that you should connect your untrusted interface of the NAC <--> Switch <--> WLC.

If you want to place your users into separate VLANs, you can do so after authentication with dynamic VLAN assignment through RADIUS.

Scott Fella Wed, 08/22/2007 - 11:18

thanks!


Using in-band virtual gateway, I figured out that I had to change the dynamic interface to VLAN 74 and its IP to match the untrusted VLAN subnet of the CAS (not routed). Then I created a managed subnet with an IP in VLAN 73, which is the trusted side (which already existed for internal wireless). The question I have is: the wireless users associate to an SSID which is mapped to VLAN 74 (untrusted or auth VLAN), so where do they get their DHCP from? I have the dynamic interface for the SSID pointing to an internal DHCP server, so the WLC will relay this and give them an IP on the VLAN 73 subnet?
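The layout the two replies above describe (the internal WLAN re-homed onto the CAS untrusted VLAN, the CAS bridging it back to the existing trusted VLAN), written out as configuration. This is an added example, not configuration from the thread or from Cisco: the interface name nac-untrusted, WLAN id 1, the 10.73.0.0/24 addressing, the 10.1.1.10 DHCP server, management VLAN 10 and the switch port numbers are all assumed. It also assumes the CAS is in Virtual Gateway mode, where the untrusted side (VLAN 74) and trusted side (VLAN 73) share one IP subnet and the CAS only bridges between the two 802.1Q tags, so the WLC dynamic interface is tagged 74 but addressed out of the VLAN 73 subnet.

```cisco
! Added example, not from the original thread. All names, VLAN ids,
! addresses and port numbers below are assumed for illustration.

! --- WLC (AireOS CLI): dynamic interface on the CAS untrusted VLAN ---
! Virtual Gateway mode: CAS bridges VLAN 74 <-> VLAN 73, one IP subnet,
! so the interface is tagged 74 but carries an address from 10.73.0.0/24.
config interface create nac-untrusted 74
config interface address nac-untrusted 10.73.0.5 255.255.255.0 10.73.0.1
config interface port nac-untrusted 1
! DHCP proxy relays client requests to this server with giaddr 10.73.0.5,
! so the server answers from its VLAN 73 scope.
config interface dhcp nac-untrusted primary 10.1.1.10

! Move the internal WLAN from the old VLAN 73 interface to the new one.
! AireOS only accepts an interface change while the WLAN is disabled.
config wlan disable 1
config wlan interface 1 nac-untrusted
config wlan enable 1

! Verify before letting users back on.
show interface summary
show interface detailed nac-untrusted
show wlan 1

! --- Catalyst (IOS): trunk to the WLC, access ports to the CAS ---
! VLAN 74 exists only between the WLC trunk and the CAS untrusted port;
! it has no SVI and is not allowed on any other trunk.
interface GigabitEthernet1/0/1
 description WLC (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,74
!
interface GigabitEthernet1/0/2
 description CAS untrusted eth1 (assumed port)
 switchport mode access
 switchport access vlan 74
!
interface GigabitEthernet1/0/3
 description CAS trusted eth0 (assumed port)
 switchport mode access
 switchport access vlan 73
```

The WLC's DHCP proxy (enabled by default) relays the client request with the dynamic interface address as giaddr, so the scope the server hands out is decided by the address given to nac-untrusted, not by its VLAN tag. Two checks worth making before turning users loose: VLAN 74 must have no SVI or other routed path and must appear on no trunk other than the links to the WLC and to the CAS untrusted port, otherwise a client can reach the network without ever passing the CAS; and `show wlan 1` should list nac-untrusted as the WLAN's interface, confirming the re-mapping actually took.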
