
Configuring ISE policy to use FlexConnect APs from remote location

bberry
Level 1

Does anyone know of any documentation that will assist in expanding my ISE policies to support connectivity through FlexConnect APs from a remote location? I guess a better question is, will this configuration even work? We have a working ISE cluster here that has policies for corporate assets as well as a Sponsored portal for wireless connectivity. Everything seems to be working locally as we continue to move things into production. My next phase is to connect APs in our remote locations to our controller here using FlexConnect so we can utilize their local VLANs. I specifically want to expand the guest access using the sponsor portal in ISE. I am hoping that I will be able to expand the ISE policies to use the FlexConnect APs similar to the way I do my local stuff. I just have not found anything on CCO yet to begin the process. I am going to install and configure my first FlexConnect AP and go from there, but any documentation would be great.

 

Suggestions...

 

Brent
 

5 Replies

jj27
Spotlight

Here is a guide I've used, in a hybrid sort of way.  http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html

What I do now is have AP Groups and FlexConnect AP groups. I set the NAS-ID on the FlexConnect AP groups to be something recognizable and I utilize that in my authZ policy to ensure we are working with a FlexConnect site.  On the FlexConnect AP group I usually map the SSID/interface to a specific VLAN.

I figured I would have unique FlexConnect groups that correspond to my remote locations but was not sure about how that came into play with the SSIDs. I have noticed in the SSID configuration there is a check box for FlexConnect Local Switching, so I figure that is part of being able to use the remote location VLANs when configuring the SSIDs. This means I will definitely need a unique SSID for the Guest authentication at the remote locations so that I can map this to their local guest VLAN. I gather that I will basically be replicating the SSID configuration of corporate guest wireless for every remote location. I will then need to replicate the guest policies from corporate to match the parameters created for the remote location.

 

What is the experience if the WAN link supporting connectivity back to your authentication servers drops? I have read where existing authenticated users continue but have to re-authenticate once service is back? I can understand no new connections but am wondering about any connected at the time the connection breaks.

How does the interface come into play when you create the WLAN? Do you create something unique for the remote or do you somehow reuse an existing interface local to the controller?

In my experience, the interface does not matter.  I have used FlexConnect AP groups to map the WLAN ID to the VLAN ID I wanted to use as a default, then used the NAS-ID of the AP group to be able to change VLANs dynamically.
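
The NAS-ID approach described in the replies above, modelled as an added example (not code from any poster and not ISE configuration): a first-match authorization check on the RADIUS NAS-Identifier that returns the standard VLAN tunnel attributes. The NAS-ID strings, the `ssid` request key, the VLAN numbers and the default-deny fallback are all assumptions made for illustration.

```python
# Added illustration: first-match authorization keyed on RADIUS NAS-Identifier.
# NAS-ID strings, SSID names and VLAN numbers below are constructed placeholders.
from dataclasses import dataclass


def vlan_attrs(vlan_id: int) -> dict:
    """RADIUS attributes for dynamic VLAN assignment (RFC 2868 / RFC 3580)."""
    return {
        "Tunnel-Type": "VLAN",             # attribute 64, value 13
        "Tunnel-Medium-Type": "IEEE-802",  # attribute 65, value 6
        "Tunnel-Private-Group-ID": str(vlan_id),  # attribute 81
    }


@dataclass(frozen=True)
class Rule:
    name: str
    nas_id: str  # exact NAS-Identifier set on the FlexConnect AP group
    ssid: str    # WLAN the rule applies to (hypothetical simplified field)
    vlan: int    # VLAN that exists locally at the remote site


# Hypothetical rule set: one guest rule per remote site.
RULES = [
    Rule("SiteA-Guest", "FLEX-SITE-A", "guest", 210),
    Rule("SiteB-Guest", "FLEX-SITE-B", "guest", 310),
]


def authorize(request: dict, rules=RULES) -> dict:
    """Return Access-Accept plus VLAN attributes for the first matching rule,
    or Access-Reject when the NAS-Identifier is missing or unrecognized."""
    nas_id = request.get("NAS-Identifier")
    ssid = request.get("ssid")
    for rule in rules:
        # Exact comparison: a prefix or substring match would let a request
        # carrying "FLEX-SITE-A-LAB" pick up the site A VLAN unintentionally.
        if nas_id == rule.nas_id and ssid == rule.ssid:
            return {"result": "Access-Accept", "rule": rule.name,
                    **vlan_attrs(rule.vlan)}
    # Assumed fallback: requests from an unknown site get no VLAN at all.
    return {"result": "Access-Reject", "rule": "default-deny"}


if __name__ == "__main__":
    # Constructed sample requests, one per outcome.
    for req in ({"NAS-Identifier": "FLEX-SITE-A", "ssid": "guest"},
                {"NAS-Identifier": "FLEX-SITE-A-LAB", "ssid": "guest"},
                {"ssid": "guest"}):
        print(req, "->", authorize(req))
```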

Is the NAS-ID the same as the group name? I created two flex groups for two remote locations and am now trying to figure out the process for referencing them in a policy.

 

Brent
