ISE deployment in wireless infra without WLC (only Access Point 1240AG)

shekharmore003
Level 1

Hello All,

I have an Access Point 1240AG and am planning to deploy ISE as an external RADIUS server. I would like to know how different authorization policies need to be configured on the AP/ISE, and whether I can use named ACLs or VLANs (CoA) as enforcement types without using a WLC. If yes, then how?

Thanks in advance.



Tarik Admani
VIP Alumni

Hi,

You can perform CoA on standalone APs, but you will need to have an Inline Posture Node in order to reap the benefits of CoA; you may have heard this from VPN-related deployments. If you are in the design phase of this project, you may want to pursue controllers, because the latest rumor is that the Inline Posture Node may be dropped, since Cisco is planning on supporting CoA on all their devices once the 9.x code drops for the ASAs. However, please contact your Cisco rep for an official response.

Here is the footnote in the following link: "Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support."

http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038

Thanks,

Tarik Admani

Hello Tarik,

Thanks for the help. But I would like to know how different authorization policies can be assigned on the AP/ISE without using an Inline Posture Node. Is it possible?

Thanks in advance

No, this isn't possible, because the IOS code that the access points run in autonomous mode does not support Change of Authorization (CoA). They will authenticate the user, and when a CoA event is triggered from ISE, that is when this deployment breaks and the request gets dropped.

Thanks

Tarik Admani

Message was edited by: Tarik Admani

Hello Tarik,

Thanks for the help.

Sorry, I had to edit my answer from controllers to access points! I should proofread a little bit.

Thanks and I am glad that I helped.

I already figured out the typo. Thanks.

eng.malak
Level 1

Hi,

But how far can I get with only an access point?

Hi,

You only get basic RADIUS authentication. None of the features that use CoA, like posturing or dynamic profiling, will work.

Thanks,

Tarik Admani

eng.malak
Level 1

So can I do machine authentication and domain authentication? Can I put users behind the AP in different VLANs? If yes, what configuration should I put on the AP and on the uplink port on the switch? Thank you in advance.


You can use machine authentication and user authentication, since the AP supports PEAP. For the uplink, all you need to do is trunk the management and access VLANs for each SSID that you have configured.

I don't know how standalone APs work; I assume that, just like any other FlexConnect or HREAP logic, it is able to tag user traffic based on the SSID they connect to? If so, then you only need to add the VLANs, allow them access, and also the management VLAN from the AP itself.

Thanks,

Tarik Admani
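The setup Tarik describes in the last two replies (802.1X/PEAP against ISE, one VLAN per SSID, and a trunked uplink), written out as an added example that is not from the thread or from Cisco documentation. Everything concrete in it is an assumption for illustration: the ISE address 10.0.0.10 and its shared secret, the AP management address 10.1.1.5 in native VLAN 1, and the SSID names CORP (802.1X, VLAN 10) and GUEST (WPA2-PSK, VLAN 20). Consistent with the accepted answer, the VLAN a client lands in is fixed by the SSID it joins; nothing ISE sends after the initial Access-Accept (CoA, dACL push) changes it.

```cisco
! ---- Autonomous AP 1240AG (IOS) ----
! AAA: ISE is the only RADIUS server, used for EAP authentication
! and accounting. No CoA listener exists on this platform.
aaa new-model
aaa group server radius ise
 server 10.0.0.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group ise
aaa accounting network acct_methods start-stop group ise
!
! Shared secret: long and random in practice; placeholder here.
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key CHANGE-ME
!
bridge irb
!
! Corporate SSID: WPA2-Enterprise (AES-CCMP), PEAP handled by ISE.
! "vlan 10" pins every CORP client to VLAN 10, regardless of
! which ISE authorization profile matched.
dot11 ssid CORP
   vlan 10
   authentication open eap eap_methods
   authentication key-management wpa version 2
   accounting acct_methods
   mbssid guest-mode
!
! Guest SSID: WPA2-PSK, isolated in VLAN 20 (assumed design).
dot11 ssid GUEST
   vlan 20
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii CHANGE-ME-GUEST-PSK
   mbssid guest-mode
!
! Radio: per-VLAN cipher suites, both SSIDs advertised via MBSSID.
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
 ssid CORP
 ssid GUEST
 mbssid
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
! Wired uplink: native VLAN 1 carries AP management (BVI1),
! VLANs 10 and 20 are tagged, one sub-interface per SSID VLAN.
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface BVI1
 ip address 10.1.1.5 255.255.255.0
!
! ---- Switch port facing the AP ----
! Only the VLANs the AP actually bridges are allowed on the trunk.
interface FastEthernet0/1
 description uplink to AP1240AG
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
 spanning-tree portfast trunk
```

On ISE, the 1240AG is added as a network device with the same shared secret, and the authorization policy for the CORP SSID only needs to return Access-Accept; any dACL or VLAN attribute in the authorization profile is ignored by the autonomous AP, so policy differentiation has to happen at the SSID level (separate SSIDs per group) rather than per user within one SSID.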