Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
387
Views
0
Helpful
1
Replies

Nac 4.8 with WLC 4400 OOB integration

dfrassetto
Level 1
Level 1

‎12-17-2010 06:52 AM - edited ‎02-21-2020 04:11 AM

Hello folks,

We have the following nac scenario:

  • CAM 4.8 lite - 192.168.255.15/24;
  • CAM is connected as access vlan (vlan 255);
  • CAS 4.8 L2 VG OOB - 192.168.248.2/30.
  • Switch core configuration of the CAS interfaces:
    • description NAC SERVER UNTRUSTED - ETH1
      switchport trunk encapsulation dot1q
      switchport trunk allowed vlan 136
      switchport mode trunk
    • description NAC SERVER TRUSTED - ETH0
      switchport trunk encapsulation dot1q
      switchport trunk native vlan 148
      switchport trunk allowed vlan 140,148
      switchport mode trunk
  • Our auth vlan is 136 and at CAS we have mapped vlan 136 as untrusted to vlan 140 as trusted.

This is working fine with wired clients.

We recently deployed a WLC 4402, initially without nac integration. There is 2 ssids, each one associated with a vlan and this is working fine.

  • SSID internal => vlan 128;
  • SSID contracts => vlan 146.

Now we want to integrate the WLC with nac, so we read some documentation and we are confused. We know the need of different vlan ids as quarantine vlan to each dynamic interface.

Is possible to point the quarantine vlan to 136 at the WLC configuration to some ssid? Because of the vlan mapping (136 <=> 140) at CAS, we don't know if it will work correctly as expected. If it is not possible, we have to use a different quarantine vlan to wireless, for exemple 138. We will create the mapping 138 <=> 128 and what else must be configured?

Thanks in advance.

Daniel Frassetto

0 Helpful
1 Reply 1

Tiago Antunes
Cisco Employee
Cisco Employee

‎12-20-2010 12:48 AM

Hi,

The quaranine VLAN is basically the authentoication VLAN if you want to compare with the wired deployment.

You just need to create it on the WLC and allow that vlan on the trunk link of the WLC.

Here you have a config guide for that:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_woob.html.

HTH,

Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card