Cisco Support Community

New Member

Clean Access - Guest

I am in the process of testing CCA using virtual gateway in-band. I currently have a VLAN 20 on which hosts exist, so have mapped 21->20 with 21 being the untrusted.

On the switchport, the access VLAN is set to 21, and DHCP passthrough is working.

I also have a guest VLAN, which is 500. I would like a guest to be able to plug into any port that is set to 21, and have them tagged to VLAN 500 after meeting requirements. Is this possible with virtual gateway in-band?




Re: Clean Access - Guest

As the port is set to VLAN 21, you cannot have guests tagged to VLAN 500 after checking requirements. However, you can set up a user role for each VLAN (i.e. 239_allow_all) with the OOB VLAN set up for each. Then set up the mapping on the auth server to check the initial VLAN and place the user in the 239_allow_all role. Then set the Port profile to use User Role Vlan instead of Default Access Vlan.

New Member

Re: Clean Access - Guest

I found that with in-band, you can retag the traffic egress with something different from what your VLAN mapping is configured for. The problem is that the IP address doesn't change without a release/renew.

I'd like to have this work with just one CAS, but it looks like I'll have to get a second for OOB.
