Cisco Support Community

Setting up NAC with existing WLC

I have an existing wireless network up and running. I want to configure the NAC devices and need some questions answered. I started configuring the CAS using in-band virtual gateway. If the internal wireless users are on VLAN 73 (SSID mapped to the VLAN 73 interface in the WLC) and I have an auth VLAN 74 (I guess I need this for remediation)... do I have to map (change it in the WLC) that internal SSID to VLAN 74 to pass through the CAS? Then the CAS will bridge to VLAN 73? I can't find any docs on how to configure in-band virtual gateway with a WLC. Thanks!

*** Please rate helpful posts ***

Re: Setting up NAC with existing WLC

"All guest wireless traffic coming into the controller must go through the CAS before it can go anywhere else. A dynamic interface called guest is created in the controller, and all guest traffic is forwarded through it to the untrusted interface of the CAS.

After the guest users are authenticated locally or through an external server (RADIUS, LDAP, Kerberos) by the CAS/CAM, the user traffic is allowed only through the CAS and can reach the outside network. You can also set user session timeouts, bandwidth, and access control management." This explains that you should connect the untrusted interface of the NAC <--> switch <--> WLC.

If you want to place your users into separate VLANs, you can do so after authentication with dynamic VLAN assignment through RADIUS.


Re: Setting up NAC with existing WLC


Using in-band virtual gateway, I figured out that I had to change the dynamic interface to VLAN 74 and its IP to match the untrusted VLAN subnet of the CAS (not routed). Then I created a managed subnet with an IP in VLAN 73, which is the trusted side (which was existing for internal wireless). The question I have is: the wireless users associate to an SSID which is mapped to VLAN 74 (the untrusted or auth VLAN), so where do they get their DHCP from? I have the dynamic interface for the SSID pointing to an internal DHCP server, so the WLC will relay this and give them an IP on the VLAN 73 subnet?

*** Please rate helpful posts ***
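As an added example, not part of this thread or of Cisco's documentation, here is the WLC side of the setup the post above describes, in AireOS CLI form: a dynamic interface tagged with the untrusted (auth) VLAN 74, an address in the CAS untrusted subnet, a DHCP server for the WLC to proxy client requests to, and the internal SSID's WLAN rebound to that interface. The interface name (nac-untrusted), WLAN ID (1), port number, IP addresses and DHCP server address are all assumed placeholders; the command syntax is the 4.x/5.x-era AireOS form as I recall it (later releases insert the keyword dynamic-interface after address and dhcp, so check show interface summary on your own release). Lines starting with ! are comments for the reader, not CLI input.

```cisco
! Added example; all names and addresses are assumed, not from the thread.
! Dynamic interface tagged with the untrusted/auth VLAN 74. Its address sits in the
! CAS untrusted subnet (assumed 10.73.0.0/24); in virtual gateway mode the CAS
! bridges this to the trusted VLAN 73 rather than routing it.
config interface create nac-untrusted 74
config interface address nac-untrusted 10.73.0.5 255.255.255.0 10.73.0.1
config interface port nac-untrusted 1

! DHCP server the WLC proxies client DHCP requests to (assumed internal server).
! The WLC relays with the dynamic interface address as the relay source, so the
! server must have a scope covering that subnet.
config interface dhcp nac-untrusted primary 10.10.10.20

! Rebind the internal SSID's WLAN (assumed WLAN ID 1) from the old VLAN 73
! interface to the new untrusted interface. The WLAN must be disabled to change it.
config wlan disable 1
config wlan interface 1 nac-untrusted
config wlan enable 1

! Verification: confirm VLAN tag, address and DHCP server on the interface,
! and that the WLAN now points at it.
show interface summary
show interface detailed nac-untrusted
show wlan 1
```

With this in place every client on the SSID is dropped onto VLAN 74 and can only reach VLAN 73 (and anything beyond it) through the CAS untrusted-to-trusted bridge, which is what puts them in front of the CAS login and posture check. The trusted-side managed subnet on the CAS and the CAM policy are configured separately and are not shown here.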