<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic FlexConnect local switching using dynamic VLAN assignment with ISE and MDM in Wireless</title>
    <link>https://community.cisco.com/t5/wireless/flexconnect-local-switching-using-dynamic-vlan-assignment-with/m-p/2790300#M67249</link>
    <description>&lt;P&gt;Hello&lt;/P&gt;
&lt;P&gt;I am looking for advice on how to configure a WLC to use dynamic VLAN assignment when the access points are in FlexConnect with local switching.&lt;/P&gt;
&lt;P&gt;We have a central 8510 and APs at several remote locations. Each AP is trunked locally at the site to a switch with a native VLAN for AP management and a 2nd VLAN for the corporate SSID. At the moment only these 2 VLANs are allowed over the trunk.&lt;/P&gt;
&lt;P&gt;We have an ISE used for client authN and authZ on the WLAN.&lt;/P&gt;
&lt;P&gt;As it stands, all corporate access works OK.&lt;/P&gt;
&lt;P&gt;We also have an external MDM server for allowing BYOD to access the network assuming they pass registration status &amp;amp; compliance checks defined on the MDM.&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;What I am trying to work out is how to set up the WLC for the case where a new client associates with the corporate SSID and is registered on the external MDM server but fails the compliance check. In this scenario I want to move the client into a quarantine VLAN and only allow access to defined IP addresses to allow it to download any patches needed to pass the compliance check.&lt;/P&gt;
&lt;P&gt;Has anyone set up a WLC in this mode before?&lt;/P&gt;
&lt;P&gt;If so, what needs to be done on the WLC, the AP trunk port, FlexConnect groups, etc.?&lt;/P&gt;
&lt;P&gt;I can't see how to map the quarantine VLAN to the corporate SSID so that the ISE can force a CoA and move the client into the quarantine VLAN from the compliant VLAN.&lt;/P&gt;
&lt;P&gt;Any help much appreciated.&lt;/P&gt;
&lt;P&gt;Thanks&lt;/P&gt;
&lt;P&gt;Martyn&lt;/P&gt;</description>
    <pubDate>Mon, 05 Jul 2021 11:31:56 GMT</pubDate>
    <dc:creator>martaylor</dc:creator>
    <dc:date>2021-07-05T11:31:56Z</dc:date>
    <item>
      <title>FlexConnect local switching using dynamic VLAN assignment with ISE and MDM</title>
      <link>https://community.cisco.com/t5/wireless/flexconnect-local-switching-using-dynamic-vlan-assignment-with/m-p/2790300#M67249</link>
      <description>&lt;P&gt;Hello&lt;/P&gt;
&lt;P&gt;I am looking for advice on how to configure a WLC to use dynamic VLAN assignment when the access points are in FlexConnect with local switching.&lt;/P&gt;
&lt;P&gt;We have a central 8510 and APs at several remote locations. Each AP is trunked locally at the site to a switch with a native VLAN for AP management and a 2nd VLAN for the corporate SSID. At the moment only these 2 VLANs are allowed over the trunk.&lt;/P&gt;
&lt;P&gt;We have an ISE used for client authN and authZ on the WLAN.&lt;/P&gt;
&lt;P&gt;As it stands, all corporate access works OK.&lt;/P&gt;
&lt;P&gt;We also have an external MDM server for allowing BYOD to access the network assuming they pass registration status &amp;amp; compliance checks defined on the MDM.&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;What I am trying to work out is how to set up the WLC for the case where a new client associates with the corporate SSID and is registered on the external MDM server but fails the compliance check. In this scenario I want to move the client into a quarantine VLAN and only allow access to defined IP addresses to allow it to download any patches needed to pass the compliance check.&lt;/P&gt;
&lt;P&gt;Has anyone set up a WLC in this mode before?&lt;/P&gt;
&lt;P&gt;If so, what needs to be done on the WLC, the AP trunk port, FlexConnect groups, etc.?&lt;/P&gt;
&lt;P&gt;I can't see how to map the quarantine VLAN to the corporate SSID so that the ISE can force a CoA and move the client into the quarantine VLAN from the compliant VLAN.&lt;/P&gt;
&lt;P&gt;Any help much appreciated.&lt;/P&gt;
&lt;P&gt;Thanks&lt;/P&gt;
&lt;P&gt;Martyn&lt;/P&gt;</description>
      <pubDate>Mon, 05 Jul 2021 11:31:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/wireless/flexconnect-local-switching-using-dynamic-vlan-assignment-with/m-p/2790300#M67249</guid>
      <dc:creator>martaylor</dc:creator>
      <dc:date>2021-07-05T11:31:56Z</dc:date>
    </item>
  </channel>
</rss>

