Dynamically anchor WLAN clients

laposilaszlo
Level 1

Hi,

We have two SSIDs: one corporate SSID with 802.1X (EAP-TLS), and the second is a Guest SSID anchored back to the DMZ.

This is standard configuration present at around 1000 sites.

Company phones are managed by MDM and connect to corporate SSID doing EAP-TLS, so they are on the internal network.

We need to move the phones to some form of internet only network but keep the EAP-TLS authentication.

Would it be somehow possible to dynamically send the mobile devices across the mobility tunnel that already exists for the guest network, while they continue to connect to the corporate SSID and authenticate using EAP-TLS? Of course, the rest of the clients on the corporate network don't need to be tunneled back.

I am thinking about some dynamic VLAN assignment during authentication that is sent from ISE, forcing the mobile device traffic through the tunnel.

I know this sounds like science fiction, but did anyone ever manage to do this, or is it out of the question?

I am in search of a solution to this that is fast and doesn't need a major change at all our sites.

Thanks


balaji.bandi
Hall of Fame
We need to move the phones to some form of internet only network but keep the EAP-TLS authentication.

You can also bring back from BYOD or guest network to corporate; you need to look at what kind of infrastructure you have and do some testing in a controlled way.

If this is a new environment, maybe you can take advantage of VN or segmentation or an SGT kind of process.

BB
