That particular scenario won't work with Wireless. If your users are wired then yes it would work, but with Wireless OOB, you can't do role-based VLANs with CCA. That functionality isn't available yet.
Best practice is to have one SSID per VLAN, but if you want to push multiple VLANs in one SSID, you can do that as long as CCA has a corresponding Access VLAN, and the right managed subnets/VLAN mappings done.
Problem is that I really can't understand how to configure CAM/CAS for it.
On the WLC we have configured a dynamic interface with an access VLAN and a Quarantine VLAN.
WLC authenticates users using ACS and accounting using CAM.
As I understand WLC authenticates users via ACS, ACS has configured groups, each group is mapped to user group on AD and has RADIUS IETF 025 class attribute assigned.
SSID employees, dynamic interface vlan511, VLAN id 511, Quarantine Vlan id 2511.
On the ACS group 11 is mapped to user group on AD wireless. On ACS group 11 has configured attributes: [14179\005] Aire-Interface-Name - vlan511,  Class - WDoffice11
On the ACS group 12 is mapped to user group on AD wireless22. On ACS group 12 has configured attributes: [14179\005] Aire-Interface-Name - vlan512,  Class - WDoffice22
On the CAS, normal login roles WDoffice11 and WDoffice22 are configured with Out-of-Band User Role VLAN 511 and 512 respectively. On the ACS (Cisco VPN auth server) the following mapping rules are configured: Role name - WDoffice11, Condition type - attribute, Property Value - WDoffice11; WDoffice12, Condition type - attribute, Property Value - WDoffice12.
WLC authenticates the user via ACS and gets the VLAN information from ACS. WLC sends this information to CAM, and CAM should tell the WLC in which VLAN to place the user.
But how to configure CAS for it?
Mapping rules under the auth server do not help.
VLAN mapping should help because we have only one quarantine vlan id in dynamic interface under SSID configuration.
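To make the attribute flow in the post above concrete, here is an added example (not code from the thread or from Cisco) that decodes a constructed RADIUS Access-Accept carrying the IETF Class attribute (type 25) and the Airespace VSA [14179\005] Aire-Interface-Name, applies CAS-style Class-to-role and role-to-OOB-VLAN rules, and flags when the VLAN ACS hands the WLC disagrees with the VLAN the CAS role expects. The packets, identifiers and the vlanNNN naming convention are constructed from the values in the post.

```python
import struct

ATTR_CLASS = 25                 # IETF Class attribute, carried back to the NAS
ATTR_VSA = 26                   # Vendor-Specific attribute wrapper
AIRESPACE_VENDOR = 14179        # Airespace/WLC vendor id, as in [14179\005]
AIRESPACE_INTERFACE_NAME = 5    # Aire-Interface-Name (dynamic interface to use)

# CAS-style rules taken from the post: Class value -> role, role -> OOB user role VLAN
ROLE_BY_CLASS = {"WDoffice11": "WDoffice11", "WDoffice22": "WDoffice22"}
OOB_VLAN_BY_ROLE = {"WDoffice11": 511, "WDoffice22": 512}

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV: type, length (incl. header), value."""
    return bytes([atype, len(value) + 2]) + value

def airespace_vsa(vtype: int, value: bytes) -> bytes:
    """Encode a vendor-specific attribute: vendor-id, vendor-type, vendor-length, value."""
    return attr(ATTR_VSA, struct.pack("!IBB", AIRESPACE_VENDOR, vtype, len(value) + 2) + value)

def access_accept(attrs: bytes) -> bytes:
    """Constructed Access-Accept (code 2); identifier and authenticator are placeholders."""
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + b"\x00" * 16 + attrs

def parse_attributes(payload: bytes) -> dict:
    """Walk the attribute TLVs after the 20-byte header; pull out Class and Aire-Interface-Name."""
    out = {"class": None, "interface": None}
    i = 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        value = payload[i + 2:i + alen]
        if atype == ATTR_CLASS:
            out["class"] = value.decode("ascii")
        elif atype == ATTR_VSA and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == AIRESPACE_VENDOR and vtype == AIRESPACE_INTERFACE_NAME:
                out["interface"] = value[6:vlen + 4].decode("ascii")  # vlen counts its 2 header bytes
        i += alen
    return out

def resolve(packet: bytes) -> dict:
    """Role CAS would select from Class, and whether the ACS interface VLAN agrees with it."""
    if packet[0] != 2:
        raise ValueError("not an Access-Accept")
    attrs = parse_attributes(packet[20:])
    role = ROLE_BY_CLASS.get(attrs["class"])
    cas_vlan = OOB_VLAN_BY_ROLE.get(role)
    name = attrs["interface"] or ""
    acs_vlan = int(name[4:]) if name.startswith("vlan") and name[4:].isdigit() else None
    return {"role": role, "cas_vlan": cas_vlan, "acs_vlan": acs_vlan,
            "consistent": role is not None and cas_vlan == acs_vlan}

# Constructed samples: group 11 done right, and a Class/interface mismatch a CAS admin should catch
GOOD_ACCEPT = access_accept(attr(ATTR_CLASS, b"WDoffice11") + airespace_vsa(AIRESPACE_INTERFACE_NAME, b"vlan511"))
MISMATCHED_ACCEPT = access_accept(attr(ATTR_CLASS, b"WDoffice22") + airespace_vsa(AIRESPACE_INTERFACE_NAME, b"vlan511"))
```

Running resolve() on both samples shows the first landing the user in role WDoffice11 / VLAN 511 while the second is flagged inconsistent, because the Class attribute selects role WDoffice22 (VLAN 512) but ACS told the WLC to use vlan511.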
My apologies. I forgot for a second when I posted my last reply that this is OOB we're talking about. With OOB, in the current code there is the limitation of having one VLAN mapping only, so you can have a static Auth VLAN being mapped to a static Access VLAN. What you're suggesting would more than likely require the AAA override so the right VLAN could be used for quarantine, but that isn't supported either.
In WLC we have multiple dynamic interfaces (VLANs) for various staff. In NAC it looks like VLAN mappings are one to one. This means I need to have separate Quarantine VLANs for each of the Access VLANs. This is problematic for us. Will there be a change in the behaviour in the next code base?
My wireless client is getting an IP from the Quarantine VLAN. After that, when I launch the browser I do not get the NAC agent but go straight to the internet. The SVI interface of the quarantine VLAN is on the router. The NAC OOB example says that the Quarantine VLAN should be between the WLC and NAC only. In that case there won't be an IP for the client. How can the client reach NAC?