ISE Posture in FlexConnect

i_mohamed · ‎05-09-2023

Hello All,

I have a customer who has many branches with 2 o 3 APs in each branch. They also already have ISE. They have specific requirements:

1- Local DHCP services in each branch (not centralized).

2- They need to locally switch/bridge the traffic inside the branch and not tunnel it centrally to the main site/DC/Controller.

3- They need to apply ISE Posture health check on clients using AnyConnect client.

With FlexConnect mode of APs (default is connected mode - i.e. in normal situation connection is up to centralized 9800 Controller).

Is this doable? if yes, what are the limitations? any issues with DHCP & VLAN assignment?

Thanks

Mark Elsen · ‎05-09-2023

1) and 2) are kind of standard features of 9800 when APs are configured in Flexconnect mode
3) Is in essence not related to wireless but Anyconnect , (but) have the ISE posturing policy enforced on the VPN server where the Anyconnect client connects to.

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

i_mohamed · ‎05-10-2023

So, i saw in the WLC configuration guide the following constrain:

• FlexConnect APs do not forward the DHCP packets after Change of Authorization (CoA) and change of VLANs using 802.1x encryption. You must disconnect the client from the WLAN and reconnect the client to enable the client to get an IP address in the second VLAN.

I assume that the scenario will apply in my case here, since in the posture process the user connects initially to a VLAN (unhealthy) then connects to another VLAN when posture is ok.

n_nmanzoor · ‎05-21-2025

Hi

any response to the query raised by @i_mohamed ? I am too facing a similar situation; any solution would be much appreciated

thanks in advance!

Rich R · ‎05-22-2025

@n_nmanzoor Have you reviewed https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213924-flexconnect-wlan-with-802-1x-aaa-overrid.html?

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

n_nmanzoor · ‎05-24-2025

thanks @Rich R for sharing the link - let me go through this and come back !