I have an existing wireless network up and running. I want to configure the NAC devices and need some questions answered. I started configuring the CAS using in-band virtual gateway. If the internal wireless users are on VLAN 73 (SSID mapped to the VLAN 73 interface in the WLC) and I have an auth VLAN 74 (I guess I need this for remediation)... do I have to map (change it in the WLC) that internal SSID to VLAN 74 to pass through the CAS? Then the CAS will bridge to VLAN 73? I can't find any docs on how to configure in-band virtual gateway with WLC. Thanks!
"All guest wireless traffic coming into the controller must go through the CAS before it can go anywhere else. A dynamic interface called guest is created in the controller, and all guest traffic is forwarded through it to the untrusted interface of CAS.
After the guest users are authenticated locally or through an external server (RADIUS, LDAP, Kerberos) by the CAS/CAM, the user traffic is allowed only through the CAS and can reach the outside network. You can also set user timeout sessions, bandwidth, and access control management." This explains that you should connect your Untrusted interface of NAC <--> Switch <--> WLC.
If you want to place your users into separate VLANs, you can do so after authentication with Dynamic VLAN Assignment through RADIUS.
Using In-Band Virtual Gateway, I figured out that I had to change the dynamic interface to VLAN 74 and the IP to match the untrusted VLAN subnet of the CAS (not routed). Then I created a managed subnet with an IP in VLAN 73, which is the trusted side (which was existing for internal wireless). The question I have is: the wireless users associate to an SSID which is mapped to VLAN 74 (untrusted or auth VLAN), so where do they get their DHCP from? I have the dynamic interface for the SSID pointing to an internal DHCP, so the WLC will relay this and give them an IP on the VLAN 73 subnet?