05-26-2015 12:02 AM - edited 03-10-2019 10:45 PM
Hi All,
We are implementing ISE 1.3 for wireless users. Please advise where to map the quarantine VLAN when a user first connects to the SSID. If the user is a domain user, then they get the actual VLAN IP address; if not, they get a guest VLAN IP.
Thanks
Kamlesh
05-26-2015 06:34 AM
Hello Kamlesh,
In a wireless environment, authentication must be done before anything else (using dot1x). So you don't need a "quarantine" VLAN. If the user is authenticated (using AD credentials or a certificate), then he has access to the "actual" VLAN.
You cannot use a fallback VLAN if authentication fails.
Please explain what you have in mind.
Regards.
Alexandros.
05-26-2015 10:49 AM
Agreed.
Authentication is the best option to fulfill the requirement in your case.
Generally, for guest users we can use authentication or it can bypass the phase. Maybe separate SSIDs will be the solution for your case.
Regards:
Ashish Arora
05-27-2015 12:34 AM
Hello Marinos/Ashish,
Thanks for your advice.
I understood and configured a single VLAN for domain users, and they are able to connect if the system is in the domain. Guest users will connect to another SSID. The client requirement is only for authentication because they have a base license only. But I have a few questions:
1. I have configured one wireless authorization policy for domain users, but users are authenticating against another policy, the default Basic_Authenticated_Access policy, in which the permission is permit access. And users are getting the same VLAN IP address which I have mapped in the WLC against the SSID. There is no VLAN tagging happening, but only domain users are authenticating. So does it mean only one VLAN is required for authentication only, or do we require a separate preauth VLAN?
2. Do we need to configure a dynamic ACL in the WLC? If yes, then what would it be?
3. Can we restrict it so that only one domain user ID will get connected at a time?
Regards:
Kamlesh