Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
293
Views
0
Helpful
2
Replies

Setting up NAC with existing WLC

Scott Fella
Hall of Fame
Hall of Fame

‎08-16-2007 10:14 AM - edited ‎02-21-2020 01:38 AM

I have an existing wireless network up and running. I want to configure the NAC devices and need some questions answered. I started configuring the cas using in band virtual gateway. If the internal wireless users are on vlan 73 (ssid mapped to vlan 73 interface in the WLC) and I have an auth vlan 74 (i guess I need this for remediation)... do I have to map (change it in the WLC) that internal ssid to vlan 74 to pass through the cas? Then the cas will bridge to vlan 73? I can't find any docs on how to configure in band virtual gateway with WLC. thanks!

-Scott
*** Please rate helpful posts ***
0 Helpful
2 Replies 2

Not applicable

‎08-22-2007 11:01 AM

All guest wireless traffic coming into the controller must go through the CAS before it can go anywhere else. A dynamic interface called guest is created in the controller, and all guest traffic is forwarded through it to the untrusted interface of CAS.

After the guest users are authenticated locally or through an external server (RADIUS, LDAP, Kerberos) by the CAS/CAM, the user traffic is allowed only through the CAS and can reach the outside network. You can also set user timeout sessions, bandwidth, and access control management. " This explains that you should connect your Untrusted interface of NAC <--> Switch <--> WLC.

If you want to place your users into separate VLANs you can do so after Authentication with Dynamic VLANs Assignment trough RADIUS

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to

‎08-22-2007 11:18 AM

thanks!

Using In Band Virtual Gateway, I figured out that I had to change the dynamic interface to vlan (74) and ip to match the untrusted vlan subnet of the CAS (not routed). Then I created a managed subnet with an ip in vlan 73 which is the trusted side (which was existing for internal wireless). The question I have is the wireless users associate to an ssid which is mapped to vlan 74 (untrusted or auth vlan) where do they get their dhcp from? I have the dynamic interface for the ssid pointing to an internal dhcp, so the wlc will relay this and give them an IP on the vlan 73 subnet?

-Scott
*** Please rate helpful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card