Flexconnect with ISE

CSCO12400920
Level 4

Hi, I have a question. We are trying to implement FlexConnect for our branch offices for the employees' WLAN; the guest WLAN will not be in FlexConnect mode. My question is that my manager wants to have unique subnets for every branch in the Employee WLAN. By doing it this way I will have to create multiple interfaces and tie them to the SSID per branch location. Is there another way to do this without having to create multiple interfaces and WLANs?

Accepted Solutions

Stephen Rodriguez
Cisco Employee

You do not need to create an interface for each location.

 

When you do FlexConnect configurations, you map the WLAN to the local VLAN ID on a per AP basis. 

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010001101.html#d35947e1465a1635

 

HTH,

Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


3 Replies

Stephen, thank you for replying to my post.

Sorry for not replying sooner; I wanted to test first before replying. I did map the WLAN to the local VLAN ID on an access point and it works.

My goal is: 

  • Corporate equipment will be assigned to VLAN 10.
  • Non-corporate equipment where AD user authentication is successful will be assigned to VLAN 11.

I wanted to accomplish all of this using one SSID and let ISE change the VLANs according to authorization policies, but I can't figure out how to do it. When the APs were in local mode, we used one single SSID, "Employees", and ISE put the employees in different subnets depending on whether the device was corporate or non-corporate. I was able to accomplish this by using two different authorization profiles in ISE that set Airespace-Interface-Name = employee-noncorp for non-corporate devices, and Airespace-Interface-Name = employees for corporate devices. Since we are using VLAN mapping on the AP, how would I go about accomplishing this? I have been searching for some info on how to do this, but I couldn't find anything related to what I am trying to do.

Thanks

 

Hey,

 

It's quite easy. You can use the AP groups in your RADIUS request to assign a different VLAN per AP group per user type. That means, in the worst case, two RADIUS auth policies per branch. Good that we have rule based ;-).

 

Location A Corporate VLAN X

Location A non Corporate VLAN Y

Location B Corporate VLAN M

Location B non Corporate VLAN N

 

From the Call Station ID Type drop-down list, choose the option that is sent to the RADIUS server in the Access-Request message. The following options are available: 

  • IP Address 
  • System MAC Address 
  • AP MAC Address 
  • AP MAC Address:SSID 
  • AP Name:SSID 
  • AP Name 
  • AP Group 
  • Flex Group 
  • AP Location 
  • VLAN ID 

Note: The AP Name:SSID, AP Name, AP Group, Flex Group, AP Location, and VLAN ID options are added in the 7.4 release.

 

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0101100.html

 

And to set the VLAN ID use:

The RADIUS user attributes used for the VLAN ID assignment are: 

  • IETF 64 (Tunnel Type)—Set this to VLAN.

  • IETF 65 (Tunnel Medium Type)—Set this to 802

  • IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.

 

Hope that is what you need......

 

Kind regards

Philip

 

--> Pls rate useful responses <--
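
Added example, not part of the replies above or of Cisco's documentation: a Python sketch of the per-branch decision described in the last reply, showing how the three IETF attributes look on the wire once a VLAN has been chosen from the AP group and device class. The group names, the `VLAN_POLICY` table, the branch-b VLAN numbers and the assumption that Called-Station-Id carries the bare AP group name are all constructed for illustration; a request that matches no rule gets no VLAN at all.

```python
import struct

# Constructed policy: (AP group, device class) -> VLAN ID. Group names and
# branch-b VLANs are placeholders; 10/11 mirror the goal stated in the thread.
VLAN_POLICY = {
    ("branch-a", "corporate"): 10,
    ("branch-a", "non-corporate"): 11,
    ("branch-b", "corporate"): 20,
    ("branch-b", "non-corporate"): 21,
}

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN = 13      # Tunnel-Type value for "VLAN" (RFC 3580)
IEEE_802 = 6   # Tunnel-Medium-Type value for "802" (RFC 2868)


def tagged_int_attr(attr_type, value, tag=0):
    """RFC 2868 tagged integer: type, length 6, tag byte, 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def string_attr(attr_type, text):
    """Untagged string attribute: type, length, ASCII payload."""
    data = text.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def vlan_attributes(called_station_id, device_class):
    """Encode the three VLAN attributes for an Access-Accept, or return None.

    Assumes Called-Station-Id carries the bare AP group name.
    """
    key = (called_station_id.strip().lower(), device_class)
    vlan = VLAN_POLICY.get(key)
    if vlan is None:
        return None  # unknown branch or class: no VLAN is handed out
    return (tagged_int_attr(TUNNEL_TYPE, VLAN)
            + tagged_int_attr(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + string_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def decode(attrs):
    """Walk the TLVs back into {attribute type: value} for inspection."""
    out, i = {}, 0
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        body = attrs[i + 2:i + length]
        is_int = attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE)
        out[attr_type] = int.from_bytes(body[1:], "big") if is_int else body.decode()
        i += length
    return out
```

`decode()` is handy for comparing against the attribute list in a packet capture of the Access-Accept when a client lands in the wrong VLAN.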
