I have a centralized WLC ver 126.96.36.199 in the data center. I need to integrate the WLC with my current NAC deployment; CCA ver 4.8.3 OOB virtual gateway.
The only way I found is to have one SSID for each certified VLAN. Given that in my deployment each department is one certified VLAN, this means that I can have only 16 departments maximum that can use my wireless service, since the limitation on the WLC is 16 SSIDs.
I have looked over the CISCO website and on the internet for any document describing how to integrate the CISCO WLC with the CISCO NAC using one single SSID (e.g. SSID name Employees), which can hold all trusted / certified vlans, however I failed to find any.
Is there any way to have one SSID with multiple trusted VLANs in an OOB virtual gateway NAC deployment? And if there is, is there a way to make it user-role based rather than port-based?
- You can use the AP group feature on the WLC. This way you can use multiple VLANs even on the same SSID name.
- You can use AAA override to override the VLAN to which clients are connecting. This needs your SSID to be integrated with a RADIUS server, and the RADIUS server configured to assign specific VLANs to specific users. This needs AAA override enabled on the WLAN. Tony posted the config example for this in his above post.
These links will be useful to you:
- http://tiny.cc/5rdkdw (this config example shows old image but it is very useful for illustrating the idea).
I hope the links explain to you all that you want to know,
but please note that you are limited to up to 512 dynamic interfaces on the WLC, so if you have more than 512 VLANs this option may not fully work for you.
There are also limitations on the number of APs per AP group depending on your hardware model. The 5508 WLC, for example, can create up to 500 AP groups, not more. Since you run 7.2, I think you have new WLC hardware (5508, WiSM2, etc.), which will usually support as much as the 5508.
Hope this helps.
Rating useful replies is more useful than saying "Thank you"
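As an added example (not from either poster, and not the CCA or WLC's own configuration), the following Python shows what the AAA override approach above hands the WLC: the three RFC 2868 tunnel attributes a RADIUS server returns in Access-Accept to place a client on its department VLAN, the same assignment rendered as a FreeRADIUS-style `users` stanza, and a check against the 512 dynamic-interface limit mentioned in the answer. The department-to-VLAN mapping and usernames are constructed sample data, and the FreeRADIUS syntax is an assumption about the server used; the NAC product in the question may express the same attributes differently.

```python
"""One SSID, many department VLANs: the RADIUS side of WLC AAA override."""
import struct

# RFC 2868 attribute numbers and enumerations used for 802.1X VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802
MAX_DYNAMIC_INTERFACES = 512   # WLC limit quoted in the answer above

# Constructed sample mapping: one trusted VLAN per department (assumption).
DEPARTMENT_VLANS = {"finance": 110, "engineering": 120, "hr": 130}


def _tunnel_attr(attr_type: int, tag: int, payload: bytes) -> bytes:
    """Encode one tagged RFC 2868 attribute: type, length, tag byte, value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    value = bytes([tag]) + payload
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_override_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Raw Access-Accept attributes that move a client onto ``vlan_id``."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"invalid VLAN id {vlan_id}")
    # Tunnel-Type and Tunnel-Medium-Type carry a 3-byte integer after the tag.
    return (
        _tunnel_attr(TUNNEL_TYPE, tag, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
        + _tunnel_attr(TUNNEL_MEDIUM_TYPE, tag,
                       struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
        + _tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode("ascii"))
    )


def freeradius_users_stanza(username: str, department: str) -> str:
    """Same assignment in FreeRADIUS ``users`` syntax (constructed sample)."""
    vlan_id = DEPARTMENT_VLANS[department]
    return (
        f'{username}\tCleartext-Password := "constructed-sample"\n'
        f"\tTunnel-Type = VLAN,\n"
        f"\tTunnel-Medium-Type = IEEE-802,\n"
        f'\tTunnel-Private-Group-Id = "{vlan_id}"\n'
    )


def check_interface_budget(vlans) -> bool:
    """Each trusted VLAN needs one dynamic interface; keep within the limit."""
    return len(set(vlans)) <= MAX_DYNAMIC_INTERFACES


if __name__ == "__main__":
    print(vlan_override_attributes(DEPARTMENT_VLANS["finance"]).hex())
    print(freeradius_users_stanza("alice", "engineering"))
```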