https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-using-ise/m-p/4044492#M558818 <P>As the other gentleman here said. Yes you can, but be careful since AP usually joins the wireless controller and needs an IP to join. If for some reason the DHCP fails and AP does not join, then you will have a problem.</P> <P>&nbsp;</P> <P>You can probably whitelist the MAC address and assign a VLAN. As more AP's are used you can use the same whitelist to add AP MAC addresses.</P> <P>&nbsp;</P> <P>You can also profile an AP that adds the MAC to endpoint ID group and use the endpoint ID group in the authorization policy.</P> <P>Test these things before implementing it. Make sure your session for AP does not timeout very frequently causing reauthentication</P> <P>&nbsp;</P> <P>Thanks</P> <P>Krishnan</P> Wed, 11 Mar 2020 19:51:35 GMT kthiruve 2020-03-11T19:51:35Z https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-using-ise/m-p/4044338#M558797 <P>Hello All,</P><P>&nbsp;</P><P>I was wondering if it is possible to use ISE (Version 2.4) to dynamically assign VLANs for wireless access points when they are plugged into a switchport. Our organization requires AP's to be on a separate VLAN from the user VLAN.</P><P>&nbsp;</P><P>And if so, what steps do I need to take to implement this?</P><P>&nbsp;</P><P>Thank you all!</P> Wed, 11 Mar 2020 16:05:15 GMT https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-using-ise/m-p/4044338#M558797 z28thebridge 2020-03-11T16:05:15Z https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-using-ise/m-p/4044347#M558799 <P>&nbsp;</P> <P>- As far as I understand <STRONG>yes</STRONG>, but probably only using MAB (Mac Authentication Bypass); the MAC addresses of the AP"s can be on an LDAP server (possibly MS AD-too). Switch with MAB-settings will use radius to query ISE. Configuration details require some basic studying of ISE.</P> <P>&nbsp;M.</P> Wed, 11 Mar 2020 16:14:40 GMT https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-using-ise/m-p/4044347#M558799 Mark Elsen 2020-03-11T16:14:40Z https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-using-ise/m-p/4044460#M558815 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp; Are those standalone AP's, or LAP's (which require a WLC to function)? If LAP's, are you running FlexConnect or not? It can be done anyways, but the solution depends on the above questions.</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Wed, 11 Mar 2020 19:15:28 GMT https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-using-ise/m-p/4044460#M558815 Cristian Matei 2020-03-11T19:15:28Z https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-using-ise/m-p/4044492#M558818 <P>As the other gentleman here said. Yes you can, but be careful since AP usually joins the wireless controller and needs an IP to join. If for some reason the DHCP fails and AP does not join, then you will have a problem.</P> <P>&nbsp;</P> <P>You can probably whitelist the MAC address and assign a VLAN. As more AP's are used you can use the same whitelist to add AP MAC addresses.</P> <P>&nbsp;</P> <P>You can also profile an AP that adds the MAC to endpoint ID group and use the endpoint ID group in the authorization policy.</P> <P>Test these things before implementing it. Make sure your session for AP does not timeout very frequently causing reauthentication</P> <P>&nbsp;</P> <P>Thanks</P> <P>Krishnan</P> Wed, 11 Mar 2020 19:51:35 GMT https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-using-ise/m-p/4044492#M558818 kthiruve 2020-03-11T19:51:35Z https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-using-ise/m-p/4044981#M558841 <P>They are LAP's and we are running FlexConnect.</P><P>&nbsp;</P><P>Thank you for your response!</P> Thu, 12 Mar 2020 14:19:25 GMT https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-using-ise/m-p/4044981#M558841 z28thebridge 2020-03-12T14:19:25Z https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-using-ise/m-p/4045076#M558848 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; As MAB is really insecure in the end, even if it's combined with Profiling and Anomalous EndPoint Detection, i would chose to authenticate the AP via 802.1x. Depending on the WLC software/hardware model and LAP's you may be able to use EAP-TLS or EAP-PEAP; otherwise regardless of the WLC/LAP model, you can still use EAP-FAST. See the following guides for reference:</P><P>&nbsp;</P><P><A href="https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/b_802_1x_eap_supplicant_on_cos_ap.html?referring_site=RE&amp;pos=3&amp;page=https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/b_802_1x_eap_supplicant_on_cos_ap.html?referring_site=RE&amp;pos=3&amp;page=https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html</A></P><P>&nbsp;</P><P><A href="https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html</A></P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Thu, 12 Mar 2020 15:56:24 GMT https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment-using-ise/m-p/4045076#M558848 Cristian Matei 2020-03-12T15:56:24Z