Solved: Cisco 9800-CL - CoA with FLEX

przemyslaw.wieczorek · ‎01-18-2023

Hi all,

I'm trying to migrate from WLC 5520 to 9800-CL and I need to create WLAN with CoA and it confused me a little bit.

I have all WLANs which use FLEX only. Now for example, I have WLAN 1 which FLEX is configured to use VLAN 100. But I've also devices that connects to that WLAN and based on ISE configuration and CoA they are switched to VLAN 4. How to configure this on 9800?

Is it Policy Profile > "Access Policies" > VLAN > here place both VLANs 4,100 as VLAN group ? Then do the rest of config that goes with CoA or maybe it should be done differently?

Thank you for all hints.

Arshad Safrulla · ‎01-30-2023

You will add VLAN 4 and VLAN 100 under the Flex profile. You can have VLAN100 assigned to policy profile, once the WLC receives the COA it will change the VLAN of the device.

wireless profile policy BBBBBBBB-PP
aaa-override
accounting-list ISE-Accounting
no central association
no central dhcp
no central switching
no exclusionlist
idle-timeout 43200
ipv4 dhcp required
nac
radius-profiling
session-timeout 43200
vlan 100
no shutdown

!

wireless profile flex BBBBBBBBB_FP
acl-policy POSTURE-REDIRECT
central-webauth
no arp-caching
local-auth radius-server-group ISE
native-vlan-id 149
vlan-name Quarantine
vlan-id 326
vlan-name Wireless
vlan-id 100

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

View solution in original post

przemyslaw.wieczorek · ‎01-19-2023

I've used Cisco TAC Tool - WLC Config Converter, and it looks that configuration regarding CoA is an "unmap config". So I guess it is a case of testing different approaches with redirections and ACLs on FLEX to get that what I currently have on 5520.

marce1000 · ‎01-19-2023

- Note that when testing you can always review the 9800-CL configuration with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer. Checkout all advisories!

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R · ‎01-29-2023

When you say flex do you mean flex local-switching?
If so then remember to define the VLANs in your flex profile.
And with CoA enabled the vlan config should just get applied.
There's a whole guide for this at https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213924-flexconnect-wlan-with-802-1x-aaa-overrid.html

And 9800 flexconnect in general: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213945-understand-flexconnect-on-9800-wireless.html

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Arshad Safrulla · ‎01-30-2023

You will add VLAN 4 and VLAN 100 under the Flex profile. You can have VLAN100 assigned to policy profile, once the WLC receives the COA it will change the VLAN of the device.

wireless profile policy BBBBBBBB-PP
aaa-override
accounting-list ISE-Accounting
no central association
no central dhcp
no central switching
no exclusionlist
idle-timeout 43200
ipv4 dhcp required
nac
radius-profiling
session-timeout 43200
vlan 100
no shutdown

!

wireless profile flex BBBBBBBBB_FP
acl-policy POSTURE-REDIRECT
central-webauth
no arp-caching
local-auth radius-server-group ISE
native-vlan-id 149
vlan-name Quarantine
vlan-id 326
vlan-name Wireless
vlan-id 100

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

przemyslaw.wieczorek · ‎01-30-2023

I will check how this will work asap.

przemyslaw.wieczorek · ‎04-26-2023

That worked. I also use ACL in which name I made a typo and received log that ACL don't exist. Corrected that and all started to work Thank you.