04-12-2010 09:50 AM - edited 02-21-2020 03:55 AM
Hi All,
I have CAS, CAM, ACS and WiSM. CAS is configured as OOB Virtual IP. I need to place users in VLANs according to User Groups on Active Directory.
I can configure dynamic VLAN assignment without NAC using WLC->ACS-AD scheme.
But how can I configure dynamic VLAN assignments with NAC?
Please help.
Best Regards,
Dmitry
04-12-2010 10:08 AM
Dmitri,
Dynamic VLANs or user-role based VLANs aren't supported with OOB and wireless yet. You need to have straight auth/access VLANs defined on your CCA.
HTH,
Faisal
04-12-2010 10:24 AM
Faisal,
thanks for your answer.
I need to assign users to several VLANs in one SSID. Users should be authenticated by AD.
How can I configure it on CAM? Should I configure user authentication on CAM via AD and use User Roles for assigning the VLAN id to the appropriate user group?
Best Regards,
Dmitry
04-12-2010 10:27 AM
Dmitri,
That particular scenario won't work with Wireless. If your users are wired then yes it would work, but with Wireless OOB, you can't do role-based VLANs with CCA. That functionality isn't available yet.
HTH,
Faisal
04-12-2010 10:36 AM
Faisal,
Is it possible to have several VLANs in one SSID and use NAC for admission control of these VLANs?
Or should I have only one VLAN in the SSID if I use NAC?
Best Regards,
Dmitry
04-12-2010 12:32 PM
Dmitri,
Best practice is to have one SSID per VLAN, but if you want to push multiple VLANs in one SSID, you can do that as long as CCA has a corresponding Access VLAN, and the right managed subnets/VLAN mappings done.
HTH,
Faisal
04-12-2010 01:10 PM
Faisal,
Problem is that I really can't understand how to configure CAM/CAS for it.
On the WLC we have configured a dynamic interface with an access VLAN and a Quarantine VLAN.
The WLC authenticates users using ACS and does accounting using CAM.
As I understand, the WLC authenticates users via ACS; ACS has configured groups, each group is mapped to a user group on AD and has the RADIUS IETF 025 Class attribute assigned.
For example,
SSID employees, dynamic interface vlan511,VLAN id 511, Quarantine Vlan id 2511.
On the ACS, group 11 is mapped to the AD user group wireless. On ACS, group 11 has the following attributes configured: [14179\005] Aire-Interface-Name - vlan511, [025] Class - WDoffice11
On the ACS, group 12 is mapped to the AD user group wireless22. On ACS, group 12 has the following attributes configured: [14179\005] Aire-Interface-Name - vlan512, [025] Class - WDoffice22
On the CAS, normal login roles WDoffice11 and WDoffice22 are configured with Out-of-Band User Role VLAN 511 and 512 respectively. On the ACS in cisco vpn auth server is configured with mapping rules: Role name - WDoffice11, Condition type - attribute, Property Value - WDoffice11;WDoffice12, Condition type - attribute, Property Value - WDoffice12.
The WLC authenticates the user via ACS and gets information about the VLAN from ACS. The WLC sends this information to the CAM, and the CAM should tell the WLC in which VLAN to place the user.
But how to configure CAS for it?
Mapping rules under auth server does not help.
VLAN mapping should help because we have only one quarantine vlan id in dynamic interface under SSID configuration.
Best Regards,
Dmitry
04-12-2010 10:09 PM
Dmitri,
My apologies. I forgot for a second when I posted my last reply that this is OOB we're talking about. With OOB, in the current codes there is the limitation of having one VLAN mapping only, so you can have a static Auth VLAN being mapped to a static Access VLAN. What you're suggesting would more than likely require the AAA override so the right VLAN could be used for quarantine, but that isn't supported either.
Please check the following link for that:
http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60wlan.html#wp1230721
HTH,
Faisal
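Added example (not code from Cisco or from anyone in this thread): a small Python model of what Dmitry describes, the RADIUS Class attribute matched by CAS mapping rules to a normal login role and then to an OOB access VLAN, followed by a check that shows why the one-VLAN-mapping limitation Faisal describes blocks the design of two access VLANs (511, 512) behind a single quarantine VLAN (2511). The rule and VLAN values are the ones posted; the dictionaries and function names are assumptions made for illustration.

```python
# Added example, not Cisco code: models the role/VLAN resolution from the thread.
# Values come from the posts; data structures and function names are assumptions.

# CAS auth-server mapping rules: RADIUS attribute/value -> normal login role
MAPPING_RULES = [
    {"role": "WDoffice11", "attribute": "Class", "value": "WDoffice11"},
    {"role": "WDoffice22", "attribute": "Class", "value": "WDoffice22"},
]

# Out-of-Band user role -> access VLAN configured on the CAS
ROLE_ACCESS_VLAN = {"WDoffice11": 511, "WDoffice22": 512}


def resolve_role(radius_reply):
    """Evaluate the mapping rules against the RADIUS Access-Accept
    attributes; the first matching rule wins, None if nothing matches."""
    for rule in MAPPING_RULES:
        if radius_reply.get(rule["attribute"]) == rule["value"]:
            return rule["role"]
    return None


def resolve_access_vlan(radius_reply):
    """Role resolved from RADIUS -> the OOB access VLAN the CAM would ask
    the WLC to move the client into (None if no role matched)."""
    role = resolve_role(radius_reply)
    return ROLE_ACCESS_VLAN.get(role)


def build_oob_vlan_mapping(desired_pairs):
    """Try to express the desired (quarantine_vlan, access_vlan) pairs as the
    CAS OOB VLAN mapping table, which holds exactly one access VLAN per
    auth/quarantine VLAN. Returns (mapping, conflicts), where conflicts
    lists every quarantine VLAN that would need more than one access VLAN."""
    mapping, conflicts = {}, {}
    for quarantine, access in desired_pairs:
        if quarantine in mapping and mapping[quarantine] != access:
            conflicts.setdefault(quarantine, [mapping[quarantine]]).append(access)
        else:
            mapping[quarantine] = access
    return mapping, conflicts


if __name__ == "__main__":
    reply = {"Class": "WDoffice22", "Aire-Interface-Name": "vlan512"}  # constructed
    print(resolve_role(reply), resolve_access_vlan(reply))
    # Dmitry's design: one quarantine VLAN 2511 in front of both access VLANs
    print(build_oob_vlan_mapping([(2511, 511), (2511, 512)]))
```

A non-empty conflicts dictionary is exactly the situation the thread ends on: the only supported way out is a separate quarantine VLAN per access VLAN.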
05-25-2010 07:07 AM
Faisal,
In WLC we have multiple dynamic interfaces (VLANs) for various staff. In NAC it looks like VLAN mappings are one to one. That means I need to have separate Quarantine VLANs for each of the Access VLANs. This is problematic for us. Will there be a change in the behaviour in the next code base?
My wireless client is getting an IP from the Quarantine VLAN. After that, when I launch the browser I do not get the NAC agent but go straight to the internet. The SVI interface of the quarantine VLAN is on the router. The NAC OOB example says that the Quarantine VLAN should be between WLC and NAC only. In that case there won't be an IP for the client. How can the client reach NAC?
Thanks for your help,
Prasanna