ISE1.3 Wireless configuration

kamlenegi
Level 1

Hi All,

We are implementing ISE 1.3 for wireless users. Please advise where to map the quarantine VLAN when a user first connects to the SSID. If the user is a domain user, they should get the actual VLAN IP address; if not, they should get a guest VLAN IP.

Thanks

Kamlesh

Accepted Solutions

Hello Kamlesh,

In a wireless environment, authentication must be done before anything else (using dot1x). So you don't need a "quarantine" VLAN. If the user is authenticated (using AD credentials or a certificate), then he has access to the "actual" VLAN.

You cannot use a fallback VLAN if authentication fails.

Please explain what you have in mind.

Regards.

Alexandros.

Agreed.

Authentication is the best option to fulfill the requirement in your case.

Generally, for guest users we can use authentication or it can bypass that phase. Maybe separate SSIDs will be the solution for your case.

Regards:

Ashish Arora

 

Hello Marinos/Ashish,

 

Thanks for your advice,

I understood and configured a single VLAN for domain users, and they are able to connect if the system is in the domain. Guest users will connect to another SSID. The client requirement is only for authentication because they have the base license only. But I have a few questions:

1. I have configured one wireless authorization policy for domain users, but users are authenticating against another policy, the default Basic_Authenticated_Access policy, in which the permission is permit access. And users are getting the same VLAN IP address which I have mapped in the WLC against the SSID. There is no VLAN tagging happening, but only domain users are authenticating. So does it mean only one VLAN is required for authentication only, or do we require a separate preauth VLAN?

2. Do we need to configure a dynamic ACL in the WLC? If yes, then what would it be?

3. Can we restrict it so that only one domain user ID will get connected at a time?

 

Regards:

Kamlesh