Clean Access - Guest

Unanswered Question

I am in the process of testing CCA using virtual gateway in-band. I currently have a VLAN 20 on which hosts exist, so I have mapped 21->20, with 21 being the untrusted.


On the switchport, the access VLAN is set to 21, and DHCP passthrough is working.


I also have a guest VLAN, which is 500. I would like a guest to be able to plug into any port that is set to 21, and have them tagged to VLAN 500 after meeting requirements. Is this possible with virtual gateway in-band?


Thanks,

Jeff

amritpatek Wed, 09/26/2007 - 08:53

As the port is set to VLAN 21, you cannot have guests tagged to VLAN 500 after checking requirements. However, you can set up a user role for each VLAN (i.e. 239_allow_all) with the OOB VLAN set up for each. Then set up the mapping on the auth server to check the initial VLAN and place the user in the 239_allow_all role. Then set the Port profile to use User Role Vlan instead of Default Access Vlan.

I found that with in-band, you can retag the traffic egress with something different from what your VLAN mapping is configured for. The problem is that the IP address doesn't change without a release/renew.


I'd like to have this work with just one CAS, but it looks like I'll have to get a second for OOB.
