12-08-2018 10:52 AM
We are working on a deployment where the customer has a shared WLC (shared among multiple sites) with a common SSID. One of the locations/sites requires the ISE deployment to be in Low Impact/Monitor mode. The rest of the locations are still using a different ISE cluster for wireless authentication, all in closed mode. So the only distinguishing factor is the APs for that location. Using AP groups in AuthZ policy is one option (as long as the WLC version supports it); however, how do we make sure the WLC only enforces Open auth on those APs or clients?
12-08-2018 11:28 AM
12-08-2018 11:32 AM
Hi Jason, can open Auth be done for the same SSID, on a shared WLC, for a specific location (i.e. set of APs), or is this more of a question for the wireless experts?
12-08-2018 11:36 AM
12-08-2018 11:39 AM
Please ignore, I think I know what you meant. When it's open, ISE is not involved, unlike monitor mode. The customer wants to deploy 802.1x for wireless users without any production impact, and wants to log the failures (hence the monitor) just like wired.
The idea is to find out which machines do not have correct 802.1x settings (native supplicant) and Posture problems (ISE posture will be there).
12-08-2018 04:49 PM
As Jason said, there is no concept of monitor mode with wireless. The users will have to pass authentication for an 802.1x SSID. I am guessing you are changing the EAP Authentication cert when going from ACS to ISE, so depending on how the clients are set up, they may either get a cert warning or simply fail to connect.