ISE RADIUS Proxy - Solution Design

paul46
Level 1

Hi Folks,


This is more of a design and solution question rather than configuration.


Company A has its own WLC, ISE and Cisco APs that manage Company A's client for their printers on site. Now, the client decides to change to Company B, who would authenticate their wireless printers moving forward. However, Company B wants to leverage Company A's existing wireless infrastructure. Company B has their own ISE in their network. Also, the client wants to install a new WLC and APs and manage these devices.


Here is my idea, and I want to know what your thoughts are.


The proposed solution is Company A will provision layer 2 (new Vlan). The new SSID will be configured on new WLC. Company A will configure new VLAN on its Switches and hand-off to Company B's router. Company B's router will look after DHCP scope for wireless printer and routing.


Now, the tricky part. Not sure where Company A's ISE comes into the picture and how proxy RADIUS flow works. Let's understand the concept and again, please correct me if I am wrong.


  1. Wireless printers join new SSID, say PRINTERS using WPA+WPA2
  2. AP will redirect the printer request to WLC. WLC will forward the authentication request to Company A's ISE server.
  3. Company A's ISE server will be configured with proxy RADIUS of Company B's ISE server.
  4. WLC receives a response from Company A's ISE server (with a RADIUS proxy)
  5. WLC attempts to forward authentication request to Company B's ISE server. WLC sends flow to Company A's switch, from there to Company B's router and from there to Company B's ISE server.

Do I have a correct understanding?


Also, what if the WLC points directly to Company B's ISE server? This may not be possible as the WLC would not be aware of Company B's IP?


I will post a diagram tomorrow and hope that my explanation is not confusing.


Thanks.

Dave
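A minimal model of the proxied RADIUS exchange sketched in the post, added here as an example and not part of the original thread. It follows RFC 2865: each hop has its own shared secret, Company A's ISE re-originates the Access-Request toward Company B and re-signs B's verdict for the WLC, so the WLC only ever exchanges packets with ISE A; the third case shows a WLC aimed straight at B while still holding only its WLC-to-ISE-A secret. The secrets, the printer MACs used as User-Name and the NAS-IP are constructed, and User-Password hiding and EAP are left out.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes

def encode_attrs(attrs):  # Type(1) Length(1) Value; Length includes the 2 header bytes
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs
def build_request(ident, body):  # Access-Request with a fresh random 16-byte Request Authenticator
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body
def build_response(code, request, secret, body=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body
def verify_response(response, request, secret):
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def ise_b(request, secret_ab, allowed):
    # Company B's home server: applies B's own policy and signs with the ISE-A<->ISE-B secret only
    user = dict(parse_attrs(request[20:])).get(1)  # attribute 1 = User-Name
    return build_response(ACCESS_ACCEPT if user in allowed else ACCESS_REJECT, request, secret_ab)

def ise_a_proxy(request, secret_wlc_a, secret_ab, home):
    # Company A's ISE re-originates the request toward B, checks B's answer, then re-signs it for the WLC
    fwd = build_request(request[1], request[20:])
    resp = home(fwd)
    if not verify_response(resp, fwd, secret_ab):
        return build_response(ACCESS_REJECT, request, secret_wlc_a)  # fail closed on a bad B hop
    return build_response(resp[0], request, secret_wlc_a)

def wlc_authenticate(user_name, secret_wlc_a, server):
    # The WLC (NAS) knows only its configured server and that single hop's shared secret
    req = build_request(7, encode_attrs([(1, user_name), (4, bytes([10, 0, 0, 5]))]))  # constructed NAS-IP
    resp = server(req)
    if not verify_response(resp, req, secret_wlc_a):
        return "invalid-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[resp[0]]

def run_demo():
    # Constructed per-hop secrets and a constructed Company B allow-list (printer MAC used as User-Name)
    s_wlc_a, s_ab, allowed = b"wlc-to-iseA", b"iseA-to-iseB", {b"00-11-22-33-44-55"}
    via_a = lambda req: ise_a_proxy(req, s_wlc_a, s_ab, lambda f: ise_b(f, s_ab, allowed))
    direct_b = lambda req: ise_b(req, s_ab, allowed)  # WLC aimed straight at B, still holding its own secret
    return {"proxied_known_printer": wlc_authenticate(b"00-11-22-33-44-55", s_wlc_a, via_a),
            "proxied_unknown_printer": wlc_authenticate(b"de-ad-be-ef-00-01", s_wlc_a, via_a),
            "wlc_direct_to_b": wlc_authenticate(b"00-11-22-33-44-55", s_wlc_a, direct_b)}
```

The third result is why the WLC has to stay pointed at the server whose secret it holds: a reply signed with another hop's secret fails the Response Authenticator check, regardless of IP reachability.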
Accepted Solution

RichardAtkin
Level 3

Yes, assuming you can get the IP addressing to work, Proxy RADIUS would work, but, in no particular order...


If the Client wants to install a new WLC and APs, why is the first company involved at all - surely the second company would just manage all of it?  What is the relationship of these new devices to the Client and the two Suppliers?


Why are you using a new SSID?  Why not keep the same SSID and just change the RADIUS Servers it uses, or do you have other things on there as well?


What is the relationship like between the two suppliers?  How will you manage change controls, outages, SLAs, penalty clauses, troubleshooting, security audits, etc etc...


Don't use WPA - only use WPA2.


Personally, I prefer to keep things as simple as possible.  I'm sure there's politics and commercials at play here, but if you can get it down to an exclusively single-supplier solution and avoid proxy RADIUS, go for that.


Thank you