
ISE query

janesh_abey
Level 5

Hi all,

We know that for hosts that support 802.1X we can ask the WLC to honour the VLAN tag returned by RADIUS/ISE.

Is there a way to do dynamic VLAN allocation with AAA override for WLANs which are not using 802.1X for authentication, i.e. PSK?

Thanks,

j

2 Replies

Chris Illsley
Level 8

Hi,

If you're using PSK you're not going to be able to AAA override as you are not using a AAA server.

Also, if you are using PSK, how are you hoping to differentiate clients, as they'll all be using the same PSK?

Thanks
Chris

Hi Chris,

Ignore PSK, that is a bad example. You are correct; there is no way to differentiate clients.

Thinking along the same lines, what's the use case with web-auth and ISE for guest implementation?

ISE can be utilised as the AAA server. Interface groups can be used to segment the guest WLAN into multiple subnets - the curly bit is to get the ISE to return VLAN/ACL/QoS markings so the user can be assigned to a specific VLAN/subnet.

As opposed to corporate users, device profiling is not possible for guest users, so in my opinion the workaround for dynamic VLAN allocation to work would be based on user credentials, where the user groups/user ID and the respective VLAN/ACL/QoS need to be predefined on the ISE.

Not 100% sure whether this is possible with ISE and whether this is the best way to achieve this...

..investigations continue 🙂

cheers,

J
