Flexconnect with multiple vlans on one SSID managed by ISE

apasquino · ‎05-16-2013

Hello,

we have a couple of WLCs, Access points and ISE where we run two SSIDs:

SSID Corporate: by means of Radfius CoA users are mapped to a vlan based on their AD group (4 different rules on ISE)

SSID Guest: central web auth with ISE

We are happy with that but we need to move further, so my question is:

is it possible (and how) to set up APs on a branch office as Flexconnect, and manage vlan enforcement on a single SSID the same way we do with central switching ? We have tried a lot of configs but had no chance.

Thanks a Lot

Andrea

Scott Fella · ‎05-16-2013

Are you on v7.4? Have you looked at this guide

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/flexconnect/config_flexconnect_chapter_0100.html
Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

apasquino · ‎05-16-2013

Hello Scott,

yes we run 7.4 and I've read though this guide (there's also a "consolidated" version).

It's plain to see that for each WLAN we can only map a single vlan ID, and this behaviour is roughly the same as the mapping between WLAN and interface in central switching

.

The problem is that the WLC enforces the vlan that comes from radius CoA on its port, but does not enforce it on the Flex AP Port.

Best Regards

Andrea

Scott Fella · ‎05-16-2013

Yeah... So basically you want to have one SSID and map users to vlans depending on the policy they would hit with ISE. Have you tried posing your question on the Security AAA forum? They have some knowledgable people there that can tell you right away if its even supported or not. From what I have found, it doesn't seem like its supported that way yet.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

apasquino · ‎05-16-2013

Scott,

that's exactly what I am looking for, and as I see there is no evidence on your side that it is feasible. I'll try to drop a query on security, altough our current ISE "vlan policies" are running fine when the AP is not flexconnect.

Andrea

itsupport · ‎10-22-2013

Did you ever get a reply to this or get it working? i am trying to do something simiar but while I am able to flexconnect a single vlan, i do not seem to be able to do more than 1 vlan to ssid (locally - centrally switching i can do several vlans)

hegefd · ‎03-08-2016

hey guys, I am running a WLC8540 WITH 8.1 code, was there ever a solution found to do this. multiple vlans for one SSID on colo based controllers and cisco ap's running in flex connect mode. also I am using Microsoft nps sending attributes of each vlan based on nps policy and user belongs to the AD group tied to the policy

luizmatos · ‎03-28-2016

Is this of any help?

https://www.youtube.com/watch?v=l8b8SCdphJo

As we can see on the video, he've changed the vlan of a client connected to a flexconnect AP (local Switched SSID) based on ACS policies. I just don't know if it also works for multiple vlans too.

Smurf12345 · ‎01-01-2018

Thanks for the link. This was exactly the piece I was missing to get Flexconnect and multiple VLAN CoA working. I missed the Flexconnect Group -> ACL Mapping defining the additional VLANs. No ACL needs to be applied, just leave it "none" so it defines these VLANs on the APs.