Cisco Support Community
New Member

Wireless 802.1X guest VLAN

Hi everybody

Is there a way on the wireless controller or the ACS to configure a guest or a failed VLAN if the 802.1X authentication was not successful, like it's possible on the wired infrastructure?

Thanks and regards

4 REPLIES
Cisco Employee

Re: Wireless 802.1X guest VLAN

Yes there certainly is.

You can do this via NAC, and I am investigating using dynamic VLANs from RADIUS for a client at the present time. Have you looked at either of these?

New Member

Re: Wireless 802.1X guest VLAN

Hi


Thanks for the answer. NAC is actually no solution. I know that it is possible to assign a dynamic VLAN via the ACS, but the problem would be if the authentication fails.

A possible way is to activate the DEFAULT mapping in the external database to a "Guest Group" in the AD, so there would be no failed attempt. But there is a problem if we have different guest VLANs. Or is there a way to differentiate between wired and wireless clients? The problem is that we have a guest VLAN for the wired and a guest VLAN for the wireless clients.
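An added sketch, not part of the original thread and not ACS configuration: a RADIUS policy can tell wired from wireless requests by the NAS-Port-Type attribute (RFC 2865) and return the VLAN through the RFC 3580 tunnel attributes. The group names, VLAN IDs and the `decide` function are hypothetical, and it assumes the default mapping applies only to users who authenticated but belong to no mapped group.

```python
# Added illustration: per-medium guest VLAN selection in a RADIUS policy.
# Group names and VLAN IDs are hypothetical; attribute values are from RFC 2865 / RFC 3580.
NAS_PORT_TYPE_ETHERNET = 15   # RFC 2865: Ethernet (wired switch port)
NAS_PORT_TYPE_WIRELESS = 19   # RFC 2865: Wireless - IEEE 802.11

GROUP_VLAN = {"Staff": 10, "Engineering": 20}
GUEST_VLAN = {NAS_PORT_TYPE_ETHERNET: 900, NAS_PORT_TYPE_WIRELESS: 910}


def vlan_reply(vlan_id):
    """RFC 3580 tunnel attributes that tell the NAS which VLAN to assign."""
    return {
        "Tunnel-Type": 13,                       # VLAN
        "Tunnel-Medium-Type": 6,                 # IEEE 802
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def decide(request, authenticated, groups):
    """Return (code, reply_attributes) for one access request."""
    if not authenticated:
        # A failed authentication is rejected; it never falls into a guest VLAN.
        return "Access-Reject", {}
    for group in groups:
        if group in GROUP_VLAN:
            return "Access-Accept", vlan_reply(GROUP_VLAN[group])
    # Default mapping: authenticated but in no mapped group -> guest VLAN per medium.
    guest = GUEST_VLAN.get(request.get("NAS-Port-Type"))
    if guest is None:
        return "Access-Reject", {}               # unknown access medium: fail closed
    return "Access-Accept", vlan_reply(guest)


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ({"NAS-Port-Type": 19}, True, ["Staff"]),
    ({"NAS-Port-Type": 19}, True, ["Visitors"]),
    ({"NAS-Port-Type": 15}, True, []),
    ({"NAS-Port-Type": 19}, False, []),
]

if __name__ == "__main__":
    for req, ok, grps in SAMPLES:
        print(req, ok, grps, "->", decide(req, ok, grps))
```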

Cisco Employee

Re: Wireless 802.1X guest VLAN

I see what you're saying. I am actually going to mock this up in my lab over the holidays. My understanding was NAC would do this; unfortunately I don't have NAC, but I will be doing this with IAS and then ACS, so I will find out if it's possible over the next week or so.

I can see the issue if you have wired 802.1x already but maybe using separate policies. Also, different guest policies pose an issue. The simple way is separate SSIDs for different guests etc. and 802.1x, which is easy. I don't understand why the client I have wants to do it this way, but it's an interesting challenge.

New Member

Re: Wireless 802.1X guest VLAN

My words: separate SSIDs would be the simplest way, but the customer is the "decision maker" ;-) But it is an interesting challenge. I will also do some tests in the lab in the next few weeks, and I will get back to the forum when I have the first results.

Regards and have nice holidays

Dominic
