https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564834#M239243 <P>The main function of a traditional <A href="https://ciscocentral.blogspot.com/p/300-730-cisco-implementing-secure.html" target="_self">wireless LAN controller (WLC)</A> is to configure wireless access points (AP) that connect to it locally.</P> Sat, 19 Mar 2022 06:25:29 GMT alirafaleiro 2022-03-19T06:25:29Z https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564564#M239225 <P>Hi All,&nbsp;</P><P>How can I know which 3rd party device is causing the blocking in WLC, there is a description here that it is blockedbyFS.</P><P>Is there a way that I can know which FS is causing this? I am assuming this is a forescout because there was an integration made between forescout and WLC via snmpv3. I just want to be sure if a 3rd party is capable of doing it. Please see screenshot below</P><P>&nbsp;</P><P>TIA,&nbsp;</P><P>Tim</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Forescout blocking.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/145395i36E808DCEBCBE3E4/image-size/large?v=v2&amp;px=999" role="button" title="Forescout blocking.jpg" alt="Forescout blocking.jpg" /></span></P> Sat, 05 Mar 2022 11:34:01 GMT https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564564#M239225 workmen 2022-03-05T11:34:01Z https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564574#M239226 <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; &nbsp;<EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &gt;...&nbsp;I am assuming this is a forescout because&nbsp;</EM></P> <P><SPAN>&nbsp;- The status <FONT color="#FF0000">Blockby<STRONG>FS</STRONG></FONT> seems rather descriptive indeed (FS=forescout) , are you using FS as a NAC-policy service (network access control). Or ISE or other ? If FS are NAC-policies correct ? If Radius is used , check for authenticating details on the radius server too&nbsp; ? Normally this is not related to SNMP(v3)</SPAN></P> <P><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Use , for instance an open-SSID as test to verify that basic wireless can work (<STRONG>e.g.</STRONG>)</SPAN></P> <P><SPAN>&nbsp;M.</SPAN></P> Sat, 05 Mar 2022 12:54:52 GMT https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564574#M239226 Mark Elsen 2022-03-05T12:54:52Z https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564606#M239227 <P>&nbsp;</P><HR /><P>Follow</P> Sat, 05 Mar 2022 14:55:08 GMT https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564606#M239227 MHM Cisco World 2022-03-05T14:55:08Z https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564673#M239230 <P>Yes, Provided that you give SNMP write access to ForceScout NAC it can add MAC addresses to Cisco WLC's. I remember this was working only in AierOS WLC's. Forcescount will perform something similar to ISE profiling (compliance check) and if it fails NAC will automatically add the MAC address to disabled clients.&nbsp;</P> <P>But for the newer 9800's they required a different level of access, as I remember they wanted an user account in the WLC with CLI access to add the MAC addresses to block list.&nbsp;</P> Sat, 05 Mar 2022 18:57:50 GMT https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564673#M239230 Arshad Safrulla 2022-03-05T18:57:50Z https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564765#M239238 <P>yes FS is used as NAC. I will verify it with my team</P><P>&nbsp;</P><P>Thank you very much</P> Sun, 06 Mar 2022 03:39:34 GMT https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564765#M239238 workmen 2022-03-06T03:39:34Z https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564767#M239239 <P>yes, the currently deployed APs are Cisco AP 3600 and 3700, we have a 9120 ax ap but it runs on vwlc as of now because the 9800 is under VA Scan.</P><P>Thank You very much</P> Sun, 06 Mar 2022 03:41:42 GMT https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564767#M239239 workmen 2022-03-06T03:41:42Z https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564834#M239243 <P>The main function of a traditional <A href="https://ciscocentral.blogspot.com/p/300-730-cisco-implementing-secure.html" target="_self">wireless LAN controller (WLC)</A> is to configure wireless access points (AP) that connect to it locally.</P> Sat, 19 Mar 2022 06:25:29 GMT https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4564834#M239243 alirafaleiro 2022-03-19T06:25:29Z https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4565117#M239263 <P>So I believe you have your answer then. Just heard from our security team that when you integrate 9800’s with forcescout you need write access to CLI. SNMP write access will not work with 9800’s.</P> Mon, 07 Mar 2022 03:43:56 GMT https://community.cisco.com/t5/wireless/wlc-blocking/m-p/4565117#M239263 Arshad Safrulla 2022-03-07T03:43:56Z