ISE WLC Integration issues

joeharb (Level 5)

We are in the process of integrating ISE into our WLC and are planning on implementing H-REAP (FlexConnect) local switching.  We have set up the ISE server as a RADIUS entry in the WLC and added the WLC to ISE, same shared secret.  We have a test SSID configured on the WLC and it is using the entry to ISE for AAA.  We have used "none" for Layer 2 security as well as WPA, but we never see any activity on the ISE server.  Also, from the WLC, if we do a show radius auth stat there doesn't appear to be any traffic sent from the WLC to ISE.

(Cisco Controller) >show radius auth sta

Authentication Servers:

<Output Omitted>

Server Index..................................... 4
Server Address................................... IP ADDRESS OF ISE
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0

We have integrated ISE with a switch and an ASA and have always been able to get some activity on the ISE authentication monitor.

Thanks,

Joe

7 Replies

I suggest going to the following website and checking out the Universal wireless configuration

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_11_universal_wlc_config.pdf

If you are trying to authenticate users using username/password or certificates then the most likely issue based on how you are describing your configuration is that the Layer2 Security needs to not only be set for WPA or WPA2, but you also need to have the 802.1x checkbox enabled.  See page 15 of the document

What are you trying to accomplish? User authentication? Dynamic VLAN?

I installed the vWLC and now I am able to get authentication attempts to the ISE. I am not sure if the issue was our production version running 7.0.X. We are wanting to deploy locally switched FlexConnect. I understand that you can't do dACLs with locally switched FlexConnect but you can change VLAN and attribute that to a FlexConnect ACL, is this correct?

I am also interested in LDAPS; I have successfully integrated non-secure LDAP without issue. We potentially will be integrating/authenticating with several LDAP instances and want to make sure we are able to do it securely.

Thanks,


Wireless will not do dACLs with or without FlexConnect.  In centrally switched networks you can use Named ACLs, which are different from dACLs.

But you are correct with FlexConnect (pre-7.5*) you can use FlexConnect ACLs tied to the VLAN.  Then you can use ISE to set the VLAN.

*As of the 7.5 version of code you can now use named ACLs on locally switched users, but it is still a named ACL and not a dACL.

From the release notes:

"In the earlier releases, you could have a per client access control list (ACL) in a centrally switched traffic. In this release, this feature has been enhanced to support ACL for local switching traffic with both central and local authentication. Client ACL is returned from AAA on successful client Layer 2 authentication as part of Airespace RADIUS attributes. As the Airespace RADIUS attribute is an ACL name, the ACL must be already present on the FlexConnect AP.

In downstream traffic, VLAN ACL is applied first and then the client ACL is applied. In upstream traffic, the client ACL is applied first and then the VLAN ACL is applied."

There are some other limitations when using FlexConnect that you should be aware about.

This guide will show you how to use Centrally Authenticated with Locally Switched

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080c090eb.shtml

This document will show you the feature matrix for ISE and FlexConnect

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b3690b.shtml

If you are using Active Directory I would recommend against using LDAP because there are more features when using the native AD integration.  If you are not using AD then the issue with Secure LDAP is probably related to the CA certificate not being installed correctly.
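Two things in this thread are easier to reason about with the bytes in front of you: the zero counters in Joe's show radius auth stats output (in particular what would make the WLC count a "Bad Authenticator Msg" instead of an Accept when the shared secret differs), and the release-note text above about the ACL name coming back "as part of Airespace RADIUS attributes" alongside the VLAN that ISE sets. The following is an added example written for this page, not code from Cisco, ISE or the WLC: it builds a RADIUS Access-Request with the RFC 2865 User-Password hiding, an Access-Accept carrying the RFC 2868 Tunnel-* VLAN attributes plus an Airespace-ACL-Name vendor attribute (vendor ID 14179, sub-attribute 6), and then performs the NAS-side Response Authenticator check with the right and a wrong secret. The secret, user name, password, NAS IP 10.0.0.5, VLAN 120, ACL name and tag value 1 are all constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute numbers (RFC 2865, RFC 2868).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
AIRESPACE_VENDOR_ID = 14179      # Airespace (Cisco WLC) vendor ID
AIRESPACE_ACL_NAME = 6           # Airespace-ACL-Name sub-attribute


def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value(Length-2)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(atype, tag, value):
    """RFC 2868 tagged integer attribute: Tag(1) + 3-byte big-endian value."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def airespace_vsa(sub_type, text):
    """Vendor-Specific (26) carrying one Airespace sub-attribute TLV."""
    sub = struct.pack("!BB", sub_type, 2 + len(text)) + text
    return attr(VENDOR_SPECIFIC, struct.pack("!I", AIRESPACE_VENDOR_ID) + sub)


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16, c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password (what the RADIUS server does); padding NULs stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(username, password, secret, ident=1, request_auth=None, nas_ip=b"\x0a\x00\x00\x05"):
    """Access-Request as a NAS would send it for a PAP user (nas_ip 10.0.0.5 is a constructed sample)."""
    request_auth = request_auth or os.urandom(16)
    return packet(ACCESS_REQUEST, ident, request_auth, [
        attr(USER_NAME, username),
        attr(USER_PASSWORD, hide_password(password, secret, request_auth)),
        attr(NAS_IP_ADDRESS, nas_ip),
    ])


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def access_accept(request, secret, vlan, acl_name, tag=1):
    """Access-Accept with a VLAN override (Tunnel-*) and an Airespace-ACL-Name, the named-ACL case above."""
    ident, request_auth = request[1], request[4:20]
    attrs = b"".join([
        tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802),
        attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()),
        airespace_vsa(AIRESPACE_ACL_NAME, acl_name.encode()),
    ])
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return packet(ACCESS_ACCEPT, ident, auth, [attrs])


def verify_response(response, request, secret):
    """NAS-side check: recompute the Response Authenticator with the local shared secret.
    A mismatch is a reply the NAS must drop (the WLC's 'Bad Authenticator Msgs' counter)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(raw):
    """Walk the attribute TLVs; returns [(type, value), ...] (VSA values keep the vendor-id prefix)."""
    out, i = [], 0
    while i < len(raw):
        atype, alen = raw[i], raw[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        out.append((atype, raw[i + 2:i + alen]))
        i += alen
    return out


if __name__ == "__main__":
    secret = b"wlc-ise-secret"                                 # constructed sample secret
    req = access_request(b"joe", b"Passw0rd!", secret)
    resp = access_accept(req, secret, vlan=120, acl_name="CUSTOMER-A-ACL")
    print("same secret ->", verify_response(resp, req, secret))                # True
    print("typo secret ->", verify_response(resp, req, b"wlc-ise-secert"))     # False
    for atype, val in parse_attrs(resp[20:]):
        print(atype, val)
```

Note what the two failure modes look like from the WLC side: a secret mismatch is only visible once a reply arrives (the Accept is discarded and Bad Authenticator Msgs increments), whereas Joe's output shows First Requests at 0, meaning the WLC never built a request for that server at all, which is a WLAN/AAA-binding problem rather than a secret problem.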

joeharb (Level 5)

We hope to be using ISE to authenticate multiple customers for a wireless solution. From what I understand you can only integrate ISE with one AD. We could potentially have over 100 different LDAP instances that we will have to leverage. We haven't tested the LDAPS, I am still trying to find good documentation on the deployment of it.


You can authenticate to multiple LDAP sources, but keeping them separate could be difficult especially if you have overlapping IP address structures. 

Make sure you follow the following design guide to integrate into multiple AD domains.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf

ISE is not designed for multi-tenancy.  I do not know what the maximum number of supported LDAP servers is, but I do not believe that you will be able to reliably use 100 different sets of ldap servers.  I personally would run each of the different tenants in their own instance.  The Authz rules alone would easily become very large very quickly even with very simple policies. 

Outside of keeping everything straight, every AuthZ for tenant 100 would first need to be checked against the first 200+ non-matching AuthZ rules before a matching AuthZ was found.  This increases the time to process.  It may work in a lab environment, but when you start pushing real live authentications through this very large policy you may see performance decrements.  I would verify this design with the ISE BU before attempting to deploy this design.
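The "200+ non-matching rules before a match" point above is a consequence of first-match, top-to-bottom evaluation. The following is an added toy model, not ISE's evaluator and not code from the thread, that makes the cost visible: one flat rule list with two rules per tenant versus the same rules partitioned by a tenant-identifying key that is selected first. Tenant names (t001..t100), SSID naming, group names and the returned profile names are all constructed; the assumption that the tenant can be identified from one attribute (here the SSID) before the rule scan is what makes the partitioned case cheap.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]
    result: str            # constructed authorization result (VLAN or ACL name)


def evaluate(rules: List[Rule], session: dict, default: str = "DenyAccess") -> Tuple[str, int]:
    """First-match scan; returns (result, number of rules examined)."""
    for n, rule in enumerate(rules, 1):
        if rule.matches(session):
            return rule.result, n
    return default, len(rules)


def tenant_rules(tenant: str) -> List[Rule]:
    """Two rules per tenant keyed on that tenant's corp SSID (constructed policy)."""
    return [
        Rule(f"{tenant}-employee",
             lambda s, t=tenant: s["ssid"] == f"{t}-corp" and s["group"] == "employees",
             f"VLAN-{tenant}-Emp"),
        Rule(f"{tenant}-contractor",
             lambda s, t=tenant: s["ssid"] == f"{t}-corp" and s["group"] == "contractors",
             f"ACL-{tenant}-Restricted"),
    ]


def flat_policy(tenants: List[str]) -> List[Rule]:
    """All tenants' rules in one ordered list, tenant 1 first."""
    rules: List[Rule] = []
    for t in tenants:
        rules += tenant_rules(t)
    return rules


def partitioned_policy(tenants: List[str]) -> Dict[str, List[Rule]]:
    """Rules grouped per tenant; the tenant is chosen first, then only its rules are scanned."""
    return {t: tenant_rules(t) for t in tenants}


def evaluate_partitioned(policy: Dict[str, List[Rule]], session: dict) -> Tuple[str, int]:
    """Tenant selection (one keyed lookup on the SSID prefix) plus a scan of that tenant's rules."""
    tenant = session["ssid"].rsplit("-", 1)[0]
    result, n = evaluate(policy.get(tenant, []), session)
    return result, n + 1          # +1 counts the tenant-selection step


def compare(n_tenants: int = 100) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Worst case: a contractor on the last tenant's SSID, under both layouts."""
    tenants = [f"t{i:03d}" for i in range(1, n_tenants + 1)]
    session = {"ssid": f"{tenants[-1]}-corp", "group": "contractors"}
    flat = evaluate(flat_policy(tenants), session)
    part = evaluate_partitioned(partitioned_policy(tenants), session)
    return flat, part


if __name__ == "__main__":
    flat, part = compare(100)
    print("flat list:  ", flat)    # ('ACL-t100-Restricted', 200)
    print("partitioned:", part)    # ('ACL-t100-Restricted', 3)
```

The absolute numbers are from the constructed policy, but the shape is the point: with a flat list the cost of the last tenant's authentications grows with every tenant added, while a session that matches nothing still walks the whole list before hitting the default.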

joeharb (Level 5)

Thanks for the information, I will get with our account team and have them run it by the BU. Running a separate instance for each customer doesn't seem cost effective.
