Wireless 802.1X guest VLAN

Answered Question
Dec 16th, 2009

Hi everybody

Is there a way on the wireless controller or the ACS to configure a guest or a failed VLAN if the 802.1X authentication was not successful, like it's possible on the wired infrastructure?

Thanks and regards

Correct Answer
Peter Nugent Fri, 12/18/2009 - 13:23

Yes there certainly is.

You can do this via NAC and I am investigating using dynamic VLANs from RADIUS for a client at the present time. Have you looked at either of these?

Dominic Stalder Sat, 12/19/2009 - 02:50

Hi

Thanks for the answer. NAC is actually no solution. I know that it is possible to assign a dynamic VLAN via the ACS, but the problem would be if the authentication fails.

A possible way is to activate the DEFAULT mapping in the external database to a "Guest Group" in the AD, so there would be no failed attempt. But there is a problem if we have different guest VLANs. Or is there a way to differentiate between wired and wireless clients? The problem is that we have a guest VLAN for the wired and a guest VLAN for the wireless clients.

Correct Answer
Peter Nugent Sat, 12/19/2009 - 03:07

I see what you're saying. I am actually going to mock this up in my lab over the holidays. My understanding was NAC would do this; unfortunately I don't have NAC but will be doing this with IAS and then ACS, so will find out if it's possible over the next week or so.

I can see the issue if you have wired 802.1X already but maybe using separate policies. Also, different guest policies pose an issue. The simple way is separate SSIDs for different guests etc. and 802.1X, which is easy. I don't understand why the client I have wants to do it this way, but it's an interesting challenge.

Dominic Stalder Sat, 12/19/2009 - 15:50

My words, separate SSIDs would be the simplest way, but the customer is the "decision maker" ;-) But it is an interesting challenge. I will also do some tests in the lab in the next few weeks, and I will get back to the forum when I have the first results.

Regards and have nice holidays

Dominic
