Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
751
Views
5
Helpful
4
Replies

WLC - Dynamic VLAN assigment failed authentication to a VLAN

Adnan_Siddiqi
Level 1
Level 1

‎12-21-2018 02:21 AM - edited ‎07-05-2021 09:37 AM

Hello All ,

 

While Configuring Dynamic VLAN assignment on WLC  , is there any option like in wired 802.1X , that failed clients drop in a specified VLAN . Not able to find any such option in case of wireless ?  If we want to put failed authenticated clients is a specified VLAN .

 

Thanks in anticipation.

 

Adnan

Labels:
0 Helpful
4 Replies 4

Mikey Boy
Level 1
Level 1

‎12-21-2018 08:24 AM

I am not sure what you mean in the question.

 

If the SSID is setup for 802.1x authentication against a radius server then you would just have a rule that says if the client does not match any known Identity sources then place it in vlan "X". This way the wireless client will pass authentication and be placed in the VLAN you specified.

 

If the radius server does not have an identity source and you have told it to respond as a failed request then the WLC will see this as a failure and de-authenticate the client. 

 

To answer your question, no you cannot have the WLC respond purely on its own to a failed 802.1x request and place the client in a different vlan, it has to come from the radius server.

 

Regards

0 Helpful

ammahend
VIP
VIP

‎12-26-2018 04:41 AM - edited ‎12-26-2018 04:43 AM

"is there any option like in wired 802.1X", I think you meant Wireless 802.1X.

there are many ways of doing it, I have attached one example

 

I have not tested it with a client, but it you try let us know if it worked

-hope this helps-
Preview file
27 KB

Adnan_Siddiqi
Level 1
Level 1
In response to ammahend

‎12-28-2018 01:42 AM

Thanks ammahend ..

 

Surely this seems to be thing We were looking for . But what application is this ?  We are using MS NPS ... Don't thing NPS has this sort of option ...

0 Helpful

ammahend
VIP
VIP
In response to Adnan_Siddiqi

‎12-29-2018 01:19 PM - edited ‎12-29-2018 01:20 PM

Its Cisco's Identity Services Engine (ISE), you can learn more here. it is available as an OVA for free for 90 days for 100 devices, if you want to try.

https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html

 

 

-hope this helps-
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card