
FlexConnect local switching using dynamic VLAN assignment with ISE and MDM

martaylor
Level 1

Hello

I am looking for advice on how to configure a WLC to use dynamic VLAN assignment when the access points are in FlexConnect mode with local switching.

We have a central 8510 and APs at several remote locations. Each AP is trunked locally at the site to a switch with a native VLAN for AP management and a 2nd VLAN for the corporate SSID. At the moment only these 2 VLANs are allowed over the trunk.

We have an ISE used for client authN and authZ on the WLAN.

As it stands, all corporate access works OK.

We also have an external MDM server for allowing BYOD to access the network assuming they pass registration status & compliance checks defined on the MDM.

What I am trying to work out is how to set up the WLC for the case where a new client associates with the corporate SSID and is registered on the external MDM server but fails the compliance check. In this scenario I want to move the client into a quarantine VLAN and only allow access to defined IP addresses to allow it to download any patches needed to pass the compliance check.

Has anyone set up a WLC in this mode before?

If so, what needs to be done on the WLC, the AP trunk port, FlexConnect groups, etc.?

I can't see how to map the quarantine VLAN to the corporate SSID so that the ISE can force a CoA and move the client into the quarantine VLAN from the compliant VLAN.

Any help much appreciated

Thanks

Martyn
