Clean Access - Guest

Unanswered Question

I am in the process of testing CCA using virtual gateway in-band. I currently have a VLAN 20 on which hosts exist, so have mapped 21->20 with 21 being the untrusted.

On the switchport, the access VLAN is set to 21, and DHCP passthrough is working.

I also have a guest VLAN, which is 500. I would like a guest to be able to plug into any port that is set to 21, and have them tagged to VLAN 500 after meeting requirements. Is this possible with virtual gateway in-band?



amritpatek Wed, 09/26/2007 - 08:53

As the port is set to VLAN 21, you cannot have guests tagged to VLAN 500 after checking requirements. However, you can set up a user role for each VLAN (i.e. 239_allow_all) with the OOB VLAN set up for each. Then set up the mapping on the auth server to check the initial VLAN and place the user in the 239_allow_all role. Then set the Port profile to use User Role Vlan instead of Default Access Vlan.

