ISE & WLC

edondurguti
Level 4

Quick question:

If I deploy ISE+WLC and wlc is in HREAP / Flexconnect mode, the Access-Lists do not work, how am I supposed to posture clients at remote locations?

(because I was going to put an ACL to block everything but DNS/etc. until they get postured)

Can I change VLAN as per user/device once they hit the AP? I am always talking about remote locations.


7 Replies

Tarik Admani
VIP Alumni

Hi, are you using dACLs, or are you calling the redirect ACLs that are defined on the controller?

Also, are you calling the ACL in the redirect portal configuration and in the Airespace ACL attribute? Also, is the controller running 7.2.110?

Thanks,


Tarik,

First, thanks for your prompt reply. I haven't deployed it yet, but here is what my plans are:

Software version 7.0.220.0, ISE 1.1.1, AP 3500, with local switching (it's called FlexConnect now, H-REAP legacy, whatever).

No dACL; redirect ACLs defined in the controller, and in ISE I plan to use the Airespace ACL attribute (I've labbed this, but not in FlexConnect). This is all for posturing.

If there is any other way of doing this (having clients denied any access and redirected to the posture URL), that would be great.

Here is a Cisco H-REAP/FlexConnect limitation.

Other H-REAP Limitations

  • If you have configured a locally switched WLAN, then Access Control Lists (ACLs) do not work and are not supported. On a centrally switched WLAN, ACLs are supported.

Now, CoA is also a concern. If I have AP<====TRUNK====>SWITCH----vlan/2/3/4, I want to be able to swap clients to different VLANs based on the user/device they are connecting with. I am not sure if this will work in H-REAP/FlexConnect mode, and there is a slight change in the wording of the authorization policy attribute in ISE 1.1.x: before, it used to be just the VLAN you want to set the clients to; now it has TAG ID, which I am not sure what it is.

Thanks for your help, I hope my question is clear.

Edon,

Here is a FlexConnect feature matrix; this is now supported with ISE 1.1 (since there is a section dedicated to it). You will have to upgrade to 7.2 to get the new features.

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b3690b.shtml


           WAN Up (Central switching)   WAN Up (Local switching)   WAN Down (Standalone)
ISE 1.1    Yes                          Yes (7.2.110.0)            No

Release Notes for 7.2 (http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp855314)

I hope this helps,

Tarik Admani
*Please rate helpful posts*

Tarik,

Thanks for your reply, it does help, and it does make me mad that I can't upgrade my WLC to the latest version because the latest version does not support 1230 APs. I have like 700 of those in 100 sites (which makes me mad).

Anyway, this is the problem: I am planning to deploy one 3500 AP and do local switching/central authentication,

and leave all other 1230 APs with central switching.

Now, will this support ISE 1.1.1 with my current WLC, to do profiling?

thanks

It should support profiling; how are you planning to profile the devices? The big issue is that you cannot use MAC filtering with RADIUS NAC, which will not allow the RADIUS probe. Your best bet is to set up a SPAN port so you can get the DHCP information and the HTTP information over to ISE to make the profiling decisions.

Thanks,

Tarik Admani
*Please rate helpful posts*
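To make the SPAN-based profiling suggestion above concrete, here is an added example (not from the original thread or from Cisco) that parses the DHCP options a mirrored Discover would carry and extracts the fields a DHCP probe feeds a profiler: hostname (option 12), vendor class (option 60) and the parameter request list (option 55). The sample packet, hostname and vendor string are constructed for the example.

```python
# Constructed sample: a minimal DHCP Discover as it would arrive on a SPAN
# port. The 236-byte BOOTP fixed header is zeroed for brevity; what matters
# for profiling is the option area after the magic cookie.
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_sample_discover() -> bytes:
    options = (
        b"\x35\x01\x01"                      # 53: DHCP Message Type = Discover
        b"\x0c\x0b" b"ACME-LAPTOP"           # 12: hostname (constructed)
        b"\x3c\x08" b"MSFT 5.0"              # 60: vendor class identifier
        b"\x37\x05" b"\x01\x03\x06\x0f\x1f"  # 55: parameter request list
        b"\xff"                              # 255: end of options
    )
    return bytes(236) + MAGIC_COOKIE + options

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value}; reject anything that is not well-formed DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end marker
            break
        if code == 0:              # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:   # option claims more bytes than present
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def profile_from_dhcp(opts: dict) -> dict:
    """Derive the attributes a DHCP probe would hand to the profiler."""
    return {
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "param_request_list": list(opts.get(55, b"")),
    }

if __name__ == "__main__":
    print(profile_from_dhcp(parse_dhcp_options(build_sample_discover())))
```

Option 55's ordering and option 60's string are the classic DHCP fingerprint inputs; malformed or truncated option areas are rejected rather than partially trusted.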

I'll see, it's kinda all messed up now for me lol. Support this but don't support that; I think Cisco wants you to buy all the newest stuff every 6 months lol.

I appreciate your help and will do some labbing very soon and see how this all works.

Have a good day, happy Friday; this job needs to be done on Mondays.

ayyubsahil
Level 1
Hi,
Hope you're fine and doing well!

Please guide me on multiple VLANs with a single SSID.

WLC and connectivity is OK.
AD integration with ISE is OK.

Now, below are the VLAN details.

Dear all,

How can I achieve multiple VLANs for a single SSID?

I have the VLAN network below:
122 GEP-STD-FDN-WLN 10.85.122.1/23
124 GEP-STD-YR1-WLN 10.85.124.1/23
126 GEP-STD-YR2-WLN 10.85.126.1/23
128 GEP-STD-YR3-WLN 10.85.128.1/23
130 GEP-STD-YR4-WLN 10.85.130.1/23
132 GEP-STD-YR5-WLN 10.85.132.1/23
134 GEP-STD-YR6-WLN 10.85.134.1/23
136 GEP-STD-YR7-WLN 10.85.136.1/23
138 GEP-STD-YR8-WLN 10.85.138.1/23
140 GEP-STD-YR9-WLN 10.85.140.1/23
142 GEP-STD-YR10-WLN 10.85.142.1/23
144 GEP-STD-YR11-WLN 10.85.144.1/23
146 GEP-STD-YR12-WLN 10.85.146.1/23
148 GEP-STD-YR13-WLN 10.85.148.1/23

I need all these VLANs to associate with a single SSID.

Please guide.

Regards

Ayyub