cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
90
Views
0
Helpful
3
Replies
Beginner

ISE1.3 Wireless configuration

Hi All,

 

We are implementing ISE 1.3 for wireless users, please advise where to map quarantine vlan when user first connect to ssid. If user is domain then get the actual vlan ip address if not then get guest vlan IP.

 

 

Thanks

Kamlesh

2 ACCEPTED SOLUTIONS

Accepted Solutions

Hello Kamlesh,In a wireless

Hello Kamlesh,

In a wireless environment, authentication must be done before anything else (using dot1x). So you don't need a "quarantine" vlan. If user is authenticated (using AD credentials or certificate) then he has access to the "actual" vlan.

You cannot use a fallback vlan if authentication fails.

Please explain me what you have in your mind.

Regards.

Alexandros.

Highlighted
Beginner

Agreed.Authentication is best

Agreed.

Authentication is best option to fullfill the requirement in your case.

Generally for the Guest users we can use authentication or it can bypass the phase, May be separate SSID's will be solution for your case.

 

 

 

Regards:

Ashish Arora

 

3 REPLIES 3

Hello Kamlesh,In a wireless

Hello Kamlesh,

In a wireless environment, authentication must be done before anything else (using dot1x). So you don't need a "quarantine" vlan. If user is authenticated (using AD credentials or certificate) then he has access to the "actual" vlan.

You cannot use a fallback vlan if authentication fails.

Please explain me what you have in your mind.

Regards.

Alexandros.

Highlighted
Beginner

Agreed.Authentication is best

Agreed.

Authentication is best option to fullfill the requirement in your case.

Generally for the Guest users we can use authentication or it can bypass the phase, May be separate SSID's will be solution for your case.

 

 

 

Regards:

Ashish Arora

 

Beginner

Hello Marinos/Ashish, Thanks

Hello Marinos/Ashish,

 

Thanks for your advise,

 

I understood and configured a single VLAN for domain users and they are able to connect if system is in domain, Guest user will connect to another ssid. Client requirement is only for authentication because of having base license only. But I have some few question:

 

1. I have configured one wireless authorization policy for domain users but users are authenticating another default Basic_Authenticated_Access policy in which Permission is permit access. And users are getting the same VLAN IP address which I have mapped in wlc against ssid.  There is no VLAN tagging happening but only domain user's are authenticating. So it means only one VLAN required for authentication only or do we require separate preauth vlan.

2. Do we require to configure dynamic ACL in WLC, if yes then what would it be.

3. Can we restrict only one domain user id will get connected at a time.

 

Regards:

Kamlesh