07-12-2017 12:06 PM
Greetings,
My customer has set up VLAN redirect with ISE but is running into an issue where the redirect will not occur if the WLAN on the controller is assigned to the management interface on the controller. If the WLAN is moved to any other interface, the redirect works fine. This customer has thousands of sites and is relying on ISE to decide which VLAN a client will land on after wireless connect. They don't typically configure any interface other than the management interface on a controller and would like to avoid having to do so.
Is this expected behavior for ISE and, if so, is there documentation that explains this behavior?
Thanks!
Matt
07-12-2017 12:21 PM
It is a function of the WLC to assign the VLAN, not ISE. But, between the WLAN that works and the one that does not, can you confirm that 'AAA Override' is enabled in the advanced settings for the WLAN? That is the setting that allows a RADIUS-pushed VLAN to be assigned for the session.
07-12-2017 12:36 PM
Thanks Hosuk. I'm fairly certain AAA Override is enabled, as the VLAN redirect works if they move the WLAN from the management interface to a non-management interface. In other words, the only thing changing from what works to what doesn't work is the interface.
Additionally - There are multiple controllers being tested and the behavior is the same across the board.
07-12-2017 01:03 PM
I suggest posting the same question on the wireless forum, as it is the role of the WLC to assign the VLAN. I don't recall having any issues regardless of which interface is used on the WLAN, either with the 3 standard RADIUS attributes or the Airespace interface name attribute.
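For reference, the two ways a RADIUS server such as ISE can hand the WLC a VLAN decision, as mentioned above, are the three RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=&lt;vlan&gt;) or the Cisco Airespace-Interface-Name vendor-specific attribute. The following is an added example written for this thread, not code from any poster, Cisco ISE or the WLC: it encodes those attributes as they would appear in an Access-Accept, parses them back, and applies the same all-or-nothing rule a controller uses, i.e. the VLAN is only honoured when all three tunnel attributes are present and consistent. The attribute bytes, the VLAN number 10 and the interface name "guest-if" are constructed sample data.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868) and the Cisco Airespace VSA
ATTR_VSA = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
VENDOR_AIRESPACE = 14179
AIRESPACE_INTERFACE_NAME = 5  # vendor sub-type of Airespace-Interface-Name


def tagged_int(attr_type, value, tag=1):
    """Tagged integer attribute (RFC 2868): type, length, tag, 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, text, tag=1):
    """Tagged string attribute: type, length, tag, then the string bytes."""
    data = bytes([tag]) + text.encode()
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def airespace_vsa(sub_type, text):
    """Vendor-Specific attribute wrapping one Airespace sub-attribute."""
    inner = struct.pack("!BB", sub_type, 2 + len(text)) + text.encode()
    payload = struct.pack("!I", VENDOR_AIRESPACE) + inner
    return struct.pack("!BB", ATTR_VSA, 2 + len(payload)) + payload


def parse_attributes(blob):
    """Split a raw attribute blob into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def vlan_override(attrs):
    """Decide what the override would be: ("vlan", id), ("interface", name) or None."""
    tunnel_type = tunnel_medium = group_id = None
    for t, v in attrs:
        if t == ATTR_TUNNEL_TYPE:
            tunnel_type = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_MEDIUM_TYPE:
            tunnel_medium = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # The tag byte is optional on string attributes; it is only a tag if <= 0x1F.
            group_id = (v[1:] if v and v[0] <= 0x1F else v).decode()
        elif (t == ATTR_VSA and len(v) >= 6
              and struct.unpack("!I", v[:4])[0] == VENDOR_AIRESPACE):
            sub_type, sub_len = v[4], v[5]
            if sub_type == AIRESPACE_INTERFACE_NAME:
                return ("interface", v[6:4 + sub_len].decode())
    # A partial triple is ignored: all three must be present and consistent.
    if (tunnel_type == TUNNEL_TYPE_VLAN
            and tunnel_medium == TUNNEL_MEDIUM_IEEE_802 and group_id):
        return ("vlan", group_id)
    return None


# Constructed sample Access-Accept attribute sets (not captured traffic).
ACCEPT_VLAN_10 = (tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                  + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
                  + tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, "10"))
ACCEPT_MISSING_MEDIUM = (tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                         + tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, "10"))
ACCEPT_INTERFACE = airespace_vsa(AIRESPACE_INTERFACE_NAME, "guest-if")

if __name__ == "__main__":
    for name, blob in [("vlan 10", ACCEPT_VLAN_10),
                       ("missing medium", ACCEPT_MISSING_MEDIUM),
                       ("interface name", ACCEPT_INTERFACE)]:
        print(name, "->", vlan_override(parse_attributes(blob)))
```

Feeding a real Access-Accept's attribute bytes to `parse_attributes` and `vlan_override` is a quick way to confirm that ISE actually sent a complete override before digging into the WLC client debug; none of this changes the fact that the controller, not ISE, is the one that applies it.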
07-12-2017 02:38 PM
100% agreed with Hosuk. Web redirect is an L3 security feature, so that could be L2 vs. L3. I believe they would have the same problem with LWA, even with the WLC web portal instead of ISE guest portals.
It seems odd to use the VLAN of the management interface for clients.
07-12-2017 02:48 PM
Well, they're not using the management VLAN for clients. They are redirecting the clients to other VLANs via ISE. When you create a WLAN on the controller, it will default to the management interface. You then choose another interface if you have them. But if you're using ISE for redirect, then it shouldn't matter which interface the WLAN is sitting on. Clients will not actually be going to that VLAN. You should be able to create multiple WLANs, leaving each one on the default management interface and leave it all up to ISE. This is what the customer wants. If they move the WLANs off the management interface, the redirect works fine. It literally doesn't matter which interface they move to, as long as it's not the management interface.
But again - why should it matter one way or the other? This is what the customer is seeking an answer to.
07-12-2017 02:54 PM
Hmm. Your "redirect" actually means "override", and you are saying VLAN overriding only works if the default interface or interface group is set to anything other than management. Right?
As Hosuk said, the WLC is the one applying the override, so we would need to look at the client debug and see why the WLC is rejecting the override. This is the realm of the WLC rather than ISE.
07-12-2017 03:28 PM
Just so you know, it's working OK on the vWLC (8.0.120.0) in our GOLD setup, so that my test client got an IP from another interface (access with VLAN 10) after ISE authorized it with VLAN 10 and the management is on VLAN 100.
07-13-2017 06:57 AM
That's very helpful. Thanks for looking into it!