Wireless 802.1X guest VLAN

Hi everybody

Is there a way on the wireless controller or the ACS to configure a guest or a failed VLAN if the 802.1X authentication was not successful, like it's possible on the wired infrastructure?

Thanks and regards

4 Replies

Peter Nugent
Cisco Employee

Yes there certainly is.

You can do this via NAC, and I am investigating using dynamic VLANs from RADIUS for a client at the present time. Have you looked at either of these?

Hi

Thanks for the answer. NAC is actually no solution. I know that it is possible to assign a dynamic VLAN via the ACS, but the problem would be if the authentication fails.

A possible way is to activate the DEFAULT mapping in the external database to a "Guest Group" in the AD, so there would be no failed attempt. But there is a problem if we have different guest VLANs. Or is there a way to differentiate between wired and wireless clients? The problem is that we have a guest VLAN for the wired and a guest VLAN for the wireless clients.

I see what you're saying. I am actually going to mock this up in my lab over the holidays. My understanding was NAC would do this; unfortunately I don't have NAC but will be doing this with IAS and then ACS, so will find out if it's possible over the next week or so.

I can see the issue if you have wired 802.1x already, but maybe using separate policies. Also, different guest policies pose an issue. The simple way is separate SSIDs for different guests etc. and 802.1x, which is easy. I don't understand why the client I have wants to do it this way, but it's an interesting challenge.

My words, separate SSIDs would be the simplest way, but the customer is the "decision maker" ;-) But it is an interesting challenge. I will also do some tests in the lab in the next few weeks, and I will get back to the forum when I have the first results.

Regards and have nice holidays

Dominic
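The wired/wireless question raised above can be settled at the RADIUS level with the NAS-Port-Type attribute, sketched here as an added example that is not from the thread or from any Cisco product. The VLAN numbers, the group names and the `decide` function are assumptions; the attribute numbers and values are those of RFC 2865, RFC 2868 and RFC 3580.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868)
NAS_PORT_TYPE = 61
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# NAS-Port-Type values (RFC 2865)
ETHERNET = 15
WIRELESS_80211 = 19

# Constructed VLAN plan (assumption): one guest VLAN per access medium
GUEST_VLAN = {ETHERNET: 910, WIRELESS_80211: 920}
GROUP_VLAN = {"staff": 10}


def tagged_int(attr_type, value, tag=0):
    """Encode Tunnel-Type / Tunnel-Medium-Type: 1-byte tag + 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id):
    """RFC 3580 attribute triple asking the NAS to use vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    gid = str(vlan_id).encode()  # ASCII digits, sent without a tag byte
    return (tagged_int(TUNNEL_TYPE, 13)            # 13 = VLAN
            + tagged_int(TUNNEL_MEDIUM_TYPE, 6)    # 6 = IEEE 802
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(gid)) + gid)


def decide(request, group):
    """request: attribute-number -> value from the Access-Request.
    group: group the server mapped the user to; "guest" stands for the
    default mapping described in the thread (hypothetical name)."""
    if group == "guest":
        vlan = GUEST_VLAN.get(request.get(NAS_PORT_TYPE))
        if vlan is None:  # unknown medium: fail closed instead of guessing
            return "Access-Reject", b""
        return "Access-Accept", vlan_attributes(vlan)
    if group in GROUP_VLAN:
        return "Access-Accept", vlan_attributes(GROUP_VLAN[group])
    return "Access-Reject", b""
```

A default mapping of this kind turns would-be failures into Access-Accepts, so the guest VLANs should be treated as untrusted networks and filtered accordingly.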
