Shared WLC, SSID with Low Impact Mode

kaachary
Cisco Employee

We are working on a deployment where the customer has a shared WLC (shared among multiple sites) with a common SSID. One of the locations/sites requires the ISE deployment to be in Low Impact/Monitor mode. The rest of the locations are still using a different ISE cluster for wireless authentication, all in closed mode. So the only distinguishing factor is the APs for that location. Using AP groups in AuthZ policy is one option (as long as the WLC version supports it); however, how do we make sure the WLC only enforces open auth on those APs or clients?

Accepted Solutions

Jason Kunst
Cisco Employee
Wireless authentication doesn’t have low impact, closed mode or monitor mode. This is a wired switching concept. On wireless you are either getting an open network, where you give them direct Internet access or redirect to a web authentication portal. Otherwise the users connect to a secure wireless LAN using WPA2 Enterprise, aka 802.1x.

What exactly are they trying to accomplish?

Hi Jason, can open auth be done for the same SSID, on a shared WLC, for a specific location (i.e. set of APs), or is this more of a question for the wireless experts?

You cannot have both on the same SSID if on the same WLC, AFAIK, but this isn’t the wireless forum.

Please ignore, I think I know what you meant. When it's open, ISE is not involved, unlike monitor mode. The customer wants to deploy 802.1x for wireless users without any production impact, and wants to log the failures (hence the monitor), just like wired.

The idea is to find out which machines do not have correct 802.1x settings (native supplicant) and posture problems (ISE posture will be there).

As Jason said, there is no concept of monitor mode with wireless. The users will have to pass authentication for an 802.1x SSID. I am guessing you are changing the EAP authentication cert when going from ACS to ISE, so depending on how the clients are set up they may either get a cert warning or simply fail to connect.
