<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Corporate Wireless using HREAP and Centralised Controllers in Wireless</title>
    <link>https://community.cisco.com/t5/wireless/corporate-wireless-using-hreap-and-centralised-controllers/m-p/1940671#M149071</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt; Although I haven't done this personally, my best recommendation would be to specify a quarantine vlan on the interface on the controller and maybe have it be the same at all sites and see if that will flow thru in H-REAP.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 22 Mar 2012 14:26:21 GMT</pubDate>
    <dc:creator>Kayle Miller</dc:creator>
    <dc:date>2012-03-22T14:26:21Z</dc:date>
    <item>
      <title>Corporate Wireless using HREAP and Centralised Controllers</title>
      <link>https://community.cisco.com/t5/wireless/corporate-wireless-using-hreap-and-centralised-controllers/m-p/1940670#M149070</link>
      <description>&lt;P&gt;I have a bit of a conundrum at the moment.&amp;nbsp; I will be the first to admit I am no expert when it comes to the finer points of HREAP, but thought I would throw this out there in case someone else has already come across this approach and maybe even has a few tips?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Background:-&amp;nbsp; We run centralised wireless controllers across two datacentres.&amp;nbsp; We have a WCS with MSE and a bunch of AIR-CAP3502I-N-K9 AP's within our Campus, spread across multiple floors and buildings.&amp;nbsp; We already have a working Guest access solution using NGS with HREAP to our Campus and our remote sites, leveraging an anchor controller in a DMZ.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We are currently looking at corporate wireless access in the following way:-&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;AP's in HREAP local switching mode, native vlan is defined for its particular location/floor (possibly running groups of AP's in specific HREAP groups) - RADIUS 802.1x through to a Symantec SNAC LAN Enforcer; for posture assessment which will then proxy requests on to IAS and active-directory, should remediation be required the SNAC places the client in a remediation VLAN which is terminated in the datacentre and houses a remediation server to carry out any remediation tasks.&amp;nbsp; &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I can see how a permitted machine may work in this topology, but - if remediation is required and the SNAC puts the client into a remediation vlan, I cannot see how this will work in a centralised model, whilst at the same time using HREAP local switching? 
&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The majority of enterprises I am aware of tend to use localised controllers to each site, negating the requirement to use HREAP, but for the purposes of our design, I have to work with our centralised model.&amp;nbsp; &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Has anyone got corporate wireless working using HREAP into centralised controllers out there?&amp;nbsp; If so, how did you get around the conundrum of remediating clients whose machines needed to be updated?&amp;nbsp;&amp;nbsp; &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Permitted machines will be controlled using certificates from our active-directory/PKI infrastructure both for the machine and the user, to ensure only allowed people and machines can connect.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Should we be using HREAP local switching at all?&amp;nbsp; Or should we follow the guest approach and tunnel all corporate clients back to the datacentre too?&amp;nbsp; Looking for some pointers or ideas here.&amp;nbsp; Many thanks in advance.&lt;/P&gt;</description>
      <pubDate>Sun, 04 Jul 2021 04:42:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/wireless/corporate-wireless-using-hreap-and-centralised-controllers/m-p/1940670#M149070</guid>
      <dc:creator>ddavies016</dc:creator>
      <dc:date>2021-07-04T04:42:08Z</dc:date>
    </item>
    <item>
      <title>Corporate Wireless using HREAP and Centralised Controllers</title>
      <link>https://community.cisco.com/t5/wireless/corporate-wireless-using-hreap-and-centralised-controllers/m-p/1940671#M149071</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt; Although I haven't done this personally, my best recommendation would be to specify a quarantine vlan on the interface on the controller and maybe have it be the same at all sites and see if that will flow thru in H-REAP.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 22 Mar 2012 14:26:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/wireless/corporate-wireless-using-hreap-and-centralised-controllers/m-p/1940671#M149071</guid>
      <dc:creator>Kayle Miller</dc:creator>
      <dc:date>2012-03-22T14:26:21Z</dc:date>
    </item>
  </channel>
</rss>

