Cisco Support Community
New Member

ISE & WLC

Quick question:

If I deploy ISE+WLC and WLC is in HREAP / FlexConnect mode, the Access-Lists do not work, how am I supposed to posture clients at remote locations?

(cuz I was gonna put an ACL to block everything but DNS/etc until they get postured)

Can I change VLAN as per user/device once they hit the AP? I am always talking about remote locations.

6 REPLIES

Re: ISE & WLC

Hi, are you using dACLs or are you calling the redirect ACLs that are defined on the controller?

Also, are you calling the ACL in the redirect portal configuration and in the Airespace ACL attribute? Also, is the controller running 7.2.110?

Thanks,

Sent from Cisco Technical Support iPad App

Tarik Admani *Please rate helpful posts*
New Member

Re: ISE & WLC

Tarik,

First, thanks for your prompt reply. I haven't deployed it yet, but here is what my plans are:

Software Version 7.0.220.0, ISE 1.1.1, AP 3500, with local switching (it's called FlexConnect now, HREAP legacy whatever)

No dACL, redirect ACLs defined in the controller, and in ISE I plan to use the Airespace ACL attribute (I've labbed this - but not in FlexConnect) ---> This is all for posturing.

If there is any other way of doing this (having clients denied any access and redirected to posture url) would be great.

Here is a Cisco HREAP/FlexConnect limitation.

Other H REAP Limitations

  • If you have configured a locally switched WLAN, then Access Control Lists (ACLs) do not work and are not supported. On a centrally switched WLAN, ACLs are supported.

Now, CoA is also a concern - if I have an AP<====TRUNK====>SWITCH----vlan/2/3/4, I want to be able to swap clients to a different VLAN based on the user/device they are connecting with. I am not sure if this will work in HREAP/FlexConnect mode, and there is a slight change in the wording of the authorization policy attribute in ISE 1.1.x: before it used to be just the VLAN you want to set the clients to, now it has TAG ID, which I am not sure what it is.

Thanks for your help, I hope my question is clear.
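
Added example (not part of the original thread and not any poster's code): dynamic VLAN assignment over RADIUS uses the three tunnel attributes of RFC 2868, each of which can carry a one-octet tag that groups them together. The sketch below encodes and decodes that group, assuming the "TAG ID" field mentioned above maps to this RFC 2868 tag; the function names and the sample VLAN values are constructed for illustration.

```python
import struct

# RFC 2868 attribute numbers and values used for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def encode_vlan_attrs(vlan, tag=1):
    """Build the three tagged attributes that assign `vlan` (ID or name)."""
    if not 1 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tag must be in 0x01..0x1F")

    def tlv(attr_type, value):
        return struct.pack("!BB", attr_type, len(value) + 2) + value

    def tagged_enum(number):  # tag octet followed by a 24-bit value
        return bytes([tag]) + number.to_bytes(3, "big")

    return (tlv(TUNNEL_TYPE, tagged_enum(TUNNEL_TYPE_VLAN))
            + tlv(TUNNEL_MEDIUM_TYPE, tagged_enum(MEDIUM_IEEE_802))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))

def decode_vlan_attrs(blob):
    """Return {tag: vlan} for every complete VLAN tunnel group in `blob`."""
    groups, i = {}, 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + length]
        i += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged enum must be 4 octets")
            number = int.from_bytes(value[1:], "big")
            groups.setdefault(value[0], {})[attr_type] = number
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # First octet is a tag only if <= 0x1F; otherwise it is
            # the first character of an untagged string (tag 0).
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[attr_type] = text.decode()
    # A group assigns a VLAN only when all three attributes agree.
    return {tag: g[TUNNEL_PRIVATE_GROUP_ID] for tag, g in groups.items()
            if g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and g.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
            and TUNNEL_PRIVATE_GROUP_ID in g}
```

The tag carries no VLAN meaning of its own; it only ties a Tunnel-Private-Group-ID to the Tunnel-Type and Tunnel-Medium-Type that share the same tag value.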

ISE & WLC

Edon,

Here is a FlexConnect feature matrix; this is now supported with ISE 1.1 (since there is a section dedicated to it). You will have to upgrade to 7.2 to get the new features.

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b3690b.shtml


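|         | WAN Up (Central switching) | WAN Up (Local switching) | WAN Down (Standalone) |
|---------|----------------------------|--------------------------|-----------------------|
| ISE 1.1 | Yes                        | Yes (7.2.110.0)          | No                    |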

Release Notes for 7.2 (http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp855314)

I hope this helps,

Tarik Admani
*Please rate helpful posts*
New Member

ISE & WLC

Tarik,

Thanks for your reply, it does help and it does make me mad that I can't upgrade my WLC to the latest version because the latest version does not support 1230 APs; I have like 700 of those in 100 sites (which makes me mad).

Anyway this is the problem, I am planning to deploy one 3500 AP and do local switching/central authentication, and leave all other 1230 APs with central switching.

Now will this support ISE 1.1.1 with my current WLC, to do profiling?

thanks

ISE & WLC

It should support profiling, how are you planning to profile the devices? The big issue is that you cannot use MAC filtering with RADIUS NAC which will not allow the RADIUS probe. Your best bet is to set up a SPAN port so you can get the DHCP information and the HTTP information over to ISE to make the profiling decisions.

Thanks,

Tarik Admani
*Please rate helpful posts*
New Member

ISE & WLC

I'll see, it's kinda all messed up now for me lol. Support this but don't support that, I think Cisco wants you to buy all the newest stuff every 6 months lol.

I appreciate your help and will do some labbing very soon and see how this all works.

Have a good day, happy Friday, this job needs to be done on Mondays.
