ISE with WLC change vlan or interface from a flex ssid

Madura Malwatte · ‎03-11-2019

I want to see if I can change the user to a different wireless vlan (Airespace-Wlan-Id) or interface (Airespace-Interface-Name) once they are connected to a flexconnect SSID?

So user connects to a secure flexconnect SSID and if they become posture non-compliant I want to change them over to a different wlan or interface that is local mode (central switching). Is this possible to change from flexconnect SSID to local mode network?

Arne Bier · ‎03-12-2019

As far as I know you cannot switch a user from one SSID to another - that is a client decision. The client connects to the SSID of its own choice and then the WLC will make Radius requests (if it's WPA Enterprise) to the AAA server.

At that point you can switch VLANs etc - but even that is dodgy because the client won't know that the VLAN has been switched, and therefore won't perform a DHCP cycle. In wired networking the operating system Ethernet driver detects a link down when ISE bounces the port (with a CoA) - but in wireless there is no such equivalent.

I may have not understood your question though. Quite possible :)

Madura Malwatte · ‎03-12-2019

Yep, thats what I want to do switch vlan or interface. Can it be done from a flexconnect ssid to a centrally switched wireless interface/wlan?

Arne Bier · ‎03-12-2019

A centrally switched WLAN has interfaces and interface groups that reside on the central controller. These interfaces map to VLANs ON THE CONTROLLER. FlexConnect drops the user traffc on the local switch where the AP terminates. You need to create those VLANs on that switch and in the FlexAP Group. These two concepts are not related. But as for the AAA override in the WLC, it doesn't matter whether the client session is centrally switched, or FlexConnect switched - the AAA override happens accordingly. I don't think Flex supports interface Groups (that is a WLC concept) - but VLAN ID/NAME override via AAA applies in both places.