NAC OOB in WLAN and Dynamic VLAN assignments.


Hi All,

I have CAS, CAM, ACS and WiSM. CAS configured as OOB Virtual IP. I need to place users in VLANs according to User Groups on Active Directory.

I can configure dynamic VLAN assignment without NAC using WLC->ACS-AD scheme.

But how can I configure dynamic VLAN assignment with NAC?

Please help.

Best Regards,

Dmitry

Faisal Sehbai Mon, 04/12/2010 - 10:08

Dmitri,

Dynamic VLANs or user-role based VLANs aren't supported with OOB and wireless yet. You need to have straight auth/access VLANs defined on your CCA.

HTH,

Faisal

Faisal Sehbai Mon, 04/12/2010 - 10:27

Dmitri,

That particular scenario won't work with Wireless. If your users are wired then yes it would work, but with Wireless OOB, you can't do role-based VLANs with CCA. That functionality isn't available yet.

HTH,

Faisal

Faisal Sehbai Mon, 04/12/2010 - 12:32

Dmitri,

Best practice is to have one SSID per VLAN, but if you want to push multiple VLANs in one SSID, you can do that as long as CCA has a corresponding Access VLAN, and the right managed subnets/VLAN mappings done.

HTH,

Faisal

Faisal,

Problem is that I really can't understand how to configure CAM/CAS for it.

On the WLC we have configured a dynamic interface with an access VLAN and a quarantine VLAN.

The WLC authenticates users via ACS and sends accounting to the CAM.

As I understand it, the WLC authenticates users via ACS; ACS has groups configured, each group is mapped to a user group on AD and has the RADIUS IETF [025] Class attribute assigned.

For example,

SSID employees, dynamic interface vlan511, VLAN ID 511, quarantine VLAN ID 2511.

On the ACS, group 11 is mapped to the AD user group wireless. ACS group 11 has these attributes configured: [14179\005] Aire-Interface-Name - vlan511, [025] Class - WDoffice11

On the ACS, group 12 is mapped to the AD user group wireless22. ACS group 12 has these attributes configured: [14179\005] Aire-Interface-Name - vlan512, [025] Class - WDoffice22

On the CAS, the normal login roles WDoffice11 and WDoffice22 are configured with Out-of-Band User Role VLAN 511 and 512 respectively. On the ACS, a Cisco VPN auth server is configured with the mapping rules: Role name - WDoffice11, Condition type - attribute, Property Value - WDoffice11; WDoffice12, Condition type - attribute, Property Value - WDoffice12.

The WLC authenticates the user via ACS and gets the VLAN information from ACS. The WLC sends this information to the CAM, and the CAM should tell the WLC in which VLAN to place the user.

But how to configure CAS for it?

Mapping rules under auth server does not help.

VLAN mapping should help, because we have only one quarantine VLAN ID in the dynamic interface under the SSID configuration.

Best Regards,

Dmitry
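To make the attribute flow in the post above concrete, here is an added example (my own code, not Dmitry's configuration or any Cisco code) that encodes the two attributes ACS returns in its Access-Accept (IETF Class [025] and the Airespace vendor-specific Aire-Interface-Name [14179\005]) in RFC 2865 wire format, decodes them as the WLC would, and then applies a model of the CAM side: the auth-server mapping rule from Class value to normal login role, the role's OOB VLAN, and an OOB VLAN-mapping table that allows one access VLAN per quarantine VLAN. The VLAN numbers and role names are the ones in the post; the dictionaries and the one-to-one table are my assumptions about the behaviour the replies describe, not the CAM's actual implementation.

```python
import struct

# RADIUS attribute types (RFC 2865 section 5)
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
AIRESPACE_VENDOR_ID = 14179     # vendor ID shown in ACS as [14179\005]
AIRE_INTERFACE_NAME = 5         # vendor type 5 = Aire-Interface-Name


def encode_attr(attr_type, value):
    """Type-Length-Value; Length covers the 2-byte header (max 255)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (type 26) carrying one vendor TLV (RFC 2865 section 5.26)."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def acs_group_attributes(class_value, interface_name):
    """Attribute list an ACS group would return, e.g. ('WDoffice11', 'vlan511')."""
    return (encode_attr(ATTR_CLASS, class_value.encode())
            + encode_vsa(AIRESPACE_VENDOR_ID, AIRE_INTERFACE_NAME, interface_name.encode()))


def decode_attributes(blob):
    """Walk the attribute list with length checks; return the two attributes we care about."""
    out = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + length]
        if attr_type == ATTR_CLASS:
            out["Class"] = value.decode()
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            # vendor length counts its own 2-byte header, so it must equal len(value) - 4
            if vendor == AIRESPACE_VENDOR_ID and vtype == AIRE_INTERFACE_NAME and vlen == len(value) - 4:
                out["Aire-Interface-Name"] = value[6:4 + vlen].decode()
        i += length
    return out


# --- Model of the CAM side (assumption: mirrors the mapping described in the post) ---
MAPPING_RULES = {"WDoffice11": "WDoffice11", "WDoffice22": "WDoffice22"}  # Class value -> role
ROLE_VLAN = {"WDoffice11": 511, "WDoffice22": 512}                         # role -> OOB user role VLAN


def cam_role_vlan(attrs):
    """Apply the auth-server mapping rule, then the role's Out-of-Band VLAN."""
    role = MAPPING_RULES.get(attrs.get("Class"))
    if role is None:
        return None, None
    return role, ROLE_VLAN[role]


def build_vlan_mapping(pairs):
    """OOB VLAN-mapping table modelled as one access VLAN per quarantine VLAN.

    pairs: iterable of (quarantine_vlan, access_vlan). A second, different access VLAN
    for the same quarantine VLAN is rejected, which is the limitation the thread runs into.
    """
    table = {}
    for quarantine, access in pairs:
        if quarantine in table and table[quarantine] != access:
            raise ValueError(f"quarantine VLAN {quarantine} already maps to {table[quarantine]}, "
                             f"cannot also map to {access}")
        table[quarantine] = access
    return table


if __name__ == "__main__":
    for group in (("WDoffice11", "vlan511"), ("WDoffice22", "vlan512")):
        attrs = decode_attributes(acs_group_attributes(*group))
        print(attrs, "->", cam_role_vlan(attrs))
    # Both roles sit behind the single quarantine VLAN 2511 of SSID "employees"
    try:
        build_vlan_mapping([(2511, 511), (2511, 512)])
    except ValueError as exc:
        print("mapping conflict:", exc)
```

Running it shows both Class values decode and map to their roles, but the final call fails: with one quarantine VLAN (2511) on the dynamic interface there is only room for one access VLAN in a one-to-one mapping table, which is why a second access VLAN per SSID cannot be expressed without a second quarantine VLAN.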

Faisal Sehbai Mon, 04/12/2010 - 22:09

Dmitri,

My apologies. I forgot for a second when I posted my last reply that this is OOB we're talking about. With OOB, in the current code there is the limitation of having one VLAN mapping only, so you can have a static Auth VLAN mapped to a static Access VLAN. What you're suggesting would more than likely require the AAA override so the right VLAN could be used for quarantine, but that isn't supported either.

Please check the following link for that:

http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60wlan.html#wp1230721

HTH,

Faisal

Faisal,

In the WLC we have multiple dynamic interfaces (VLANs) for various staff. In NAC it looks like VLAN mappings are one-to-one, meaning I need to have separate quarantine VLANs for each of the access VLANs. This is problematic for us. Will there be a change in this behaviour in the next code base?

My wireless client is getting an IP from the quarantine VLAN. After that, when I launch a browser I do not get the NAC agent but go straight to the internet. The SVI interface of the quarantine VLAN is on the router. The NAC OOB example says that the quarantine VLAN should be between the WLC and NAC only. In that case there won't be an IP for the client. How can the client reach NAC?

Thanks for your help,

Prasanna
