NAC OOB in WLAN and Dynamic VLAN assignments.

dmitri.oskin
Level 1

Hi All,

I have CAS, CAM, ACS and WiSM. CAS configured as OOB Virtual IP. I need to place users in VLANs according to User Groups on Active Directory.

I can configure dynamic VLAN assignment without NAC using WLC->ACS-AD scheme.

But How can I configure dynamic VLAN assignments with NAC?

Please help.

Best Regards,

Dmitry

8 Replies

Faisal Sehbai
Level 7

Dmitri,

Dynamic VLANs or user-role based VLANs aren't supported with OOB and wireless yet. You need to have straight auth/access VLANs defined on your CCA.

HTH,

Faisal

Faisal,

thanks for your answer.

I need to assign users to several VLANs in one SSID. Users should be authenticated by AD.

How can I configure it on CAM? Should I configure user authentication on CAM via AD and use User Roles for assigning VLAN IDs to the appropriate user group?

Best Regards,

Dmitry

Dmitri,

That particular scenario won't work with Wireless. If your users are wired then yes it would work, but with Wireless OOB, you can't do role-based VLANs with CCA. That functionality isn't available yet.

HTH,

Faisal

Faisal,

Is it possible to have several VLANs in one SSID and use NAC for admission control of these VLANs?

Or should I have only one VLAN in the SSID if I use NAC?

Best Regards,

Dmitry

Dmitri,

Best practice is to have one SSID per VLAN, but if you want to push multiple VLANs in one SSID, you can do that as long as CCA has a corresponding Access VLAN, and the right managed subnets/VLAN mappings done.

HTH,

Faisal

Faisal,

Problem is that I really can't understand how to configure CAM/CAS for it.

On the WLC we have configured a dynamic interface with an access VLAN and a Quarantine VLAN.

WLC authenticates users using ACS and does accounting using CAM.

As I understand it, WLC authenticates users via ACS; ACS has groups configured, each group is mapped to a user group on AD and has the RADIUS IETF 025 Class attribute assigned.

For example,

SSID employees, dynamic interface vlan511,VLAN id 511, Quarantine Vlan id 2511.

On the ACS, group 11 is mapped to the AD user group wireless. On ACS, group 11 has the following attributes configured: [14179\005] Aire-Interface-Name - vlan511, [025] Class - WDoffice11

On the ACS, group 12 is mapped to the AD user group wireless22. On ACS, group 12 has the following attributes configured: [14179\005] Aire-Interface-Name - vlan512, [025] Class - WDoffice22

On the CAS, normal login roles WDoffice11 and WDoffice22 are configured with Out-of-Band User Role VLAN 511 and 512 respectively. On the ACS, the Cisco VPN auth server is configured with mapping rules: Role name - WDoffice11, Condition type - attribute, Property Value - WDoffice11; WDoffice12, Condition type - attribute, Property Value - WDoffice12.

WLC authenticates the user via ACS and gets the VLAN information from ACS. WLC sends this information to CAM, and CAM should tell WLC in which VLAN to place the user.

But how to configure CAS for it?

Mapping rules under auth server does not help.

VLAN mapping should help because we have only one quarantine vlan id in dynamic interface under SSID configuration.

Best Regards,

Dmitry
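An added example (not from this thread or from Cisco) that models the setup Dmitry describes: it builds a constructed Access-Accept attribute section carrying the two attributes from the post, decodes it, maps the Class value to the CAS role VLAN, and then checks whether the one-to-one quarantine-to-access VLAN mapping that the replies describe as the OOB limitation can actually deliver that VLAN. The attribute numbers, role names and VLAN ids are taken from the post; the mapping check is my own model of the constraint, not CAS code.

```python
import struct

# Attribute numbers as used in the post: IETF Class = 25, Vendor-Specific = 26,
# Airespace vendor id 14179 with vendor attribute 5 = Aire-Interface-Name.
ATTR_CLASS, ATTR_VSA = 25, 26
AIRESPACE_VENDOR_ID, AIRE_INTERFACE_NAME = 14179, 5

# CAS normal login roles from the post: Class value -> Out-of-Band User Role VLAN.
CAS_ROLE_VLANS = {"WDoffice11": 511, "WDoffice22": 512}
# WLC dynamic interface from the post: quarantine VLAN -> access VLAN (one mapping
# per quarantine VLAN; constructed model of the OOB limitation the replies describe).
OOB_VLAN_MAPPING = {2511: 511}


def encode_attrs(interface_name: str, class_value: str) -> bytes:
    """Constructed Access-Accept attribute section carrying both attributes."""
    inner = struct.pack("!BB", AIRE_INTERFACE_NAME, 2 + len(interface_name)) + interface_name.encode()
    vsa_value = struct.pack("!I", AIRESPACE_VENDOR_ID) + inner
    vsa = struct.pack("!BB", ATTR_VSA, 2 + len(vsa_value)) + vsa_value
    cls = struct.pack("!BB", ATTR_CLASS, 2 + len(class_value)) + class_value.encode()
    return vsa + cls


def decode_attrs(data: bytes) -> dict:
    """Walk the RADIUS attribute TLVs; keep Class and the Airespace interface name."""
    out, pos = {}, 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed RADIUS attribute length")
        value = data[pos + 2:pos + alen]
        if atype == ATTR_CLASS:
            out["class"] = value.decode()
        elif atype == ATTR_VSA and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor_id == AIRESPACE_VENDOR_ID and vtype == AIRE_INTERFACE_NAME and vlen == len(value) - 4:
                out["interface"] = value[6:4 + vlen].decode()
        pos += alen
    return out


def resolve_access(data: bytes, quarantine_vlan: int) -> dict:
    """Map Class -> CAS role VLAN and check whether the one-to-one OOB mapping reaches it."""
    attrs = decode_attrs(data)
    role_vlan = CAS_ROLE_VLANS.get(attrs.get("class"))
    attrs["role_vlan"] = role_vlan
    attrs["reachable"] = role_vlan is not None and OOB_VLAN_MAPPING.get(quarantine_vlan) == role_vlan
    return attrs
```

A client in the wireless22 group lands in the same quarantine VLAN 2511 but needs access VLAN 512, so the single mapping cannot satisfy it; that is the case the replies say OOB wireless does not support.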

Dmitri,

My apologies. I forgot for a second when I posted my last reply that this is OOB we're talking about. With OOB, in the current codes there is the limitation of having one VLAN mapping only, so you can have a static Auth VLAN being mapped to a static Access VLAN. What you're suggesting would more than likely require the AAA override so the right VLAN could be used for quarantine, but that isn't supported either.

Please check the following link for that:

http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60wlan.html#wp1230721

HTH,

Faisal

Faisal,

In WLC we have multiple dynamic interfaces (VLANs) for various staff. In NAC it looks like VLAN mappings are one to one. That means I need to have separate Quarantine VLANs for each of the Access VLANs. This is problematic for us. Will there be a change in the behaviour in the next code base?

My wireless client is getting an IP from the Quarantine VLAN. After that, when I launch the browser I do not get the NAC agent but go straight to the internet. The SVI interface of the quarantine VLAN is on the router. The NAC OOB example says that the Quarantine VLAN should be between WLC and NAC only. In that case there won't be an IP for the client. How can the client reach NAC?

Thanks for your help,

Prasanna
