12-01-2022 10:12 AM
Hello,
I have a 9800 WLC configured with a single WLAN shared across all the org departments for corporate resource access (Forescout NAC recently deployed).
Recently we have segregated all the org departments into separate VLANs and disallowed inter-VLAN communication as part of a compliance requirement.
Now, my requirement is, I need to create one or utilize the existing WLAN in such a way that when, for instance, a finance user connects to the WLAN, the user should receive an IP address from the same finance subnet range (say VLAN 32). Similarly, I have to accomplish this for all departments.
How shall I approach this use case in the WLC configuration?
Need your guidance and assistance in this regard, folks.
12-01-2022 02:15 PM
802.1x Authenticated SSID with AAA Override
RADIUS server returning a separate VLAN ID dependent on the policy matched to identify which group a user is from.
Not a Forescout NAC setup, but here is the config guide for doing it with ISE; the principles will be the same.
If using local mode, you need to ensure the VLANs are trunked to the 9800. For FlexConnect, you need to ensure the VLANs are trunked to the AP and defined in the Flex Profile.
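Added example, not from this thread or from Cisco's configuration guide: a minimal 9800 IOS-XE CLI fragment for the 802.1x plus AAA-override setup described above, with the three standard RFC 3580 RADIUS attributes the NAC (Forescout, ISE or any other RADIUS server) has to return so the client lands in its department VLAN. All object names (NAC-SRV, NAC-GRP, CORP-DOT1X, CORP-POLICY, CORP-TAG), the server address 192.0.2.10 and the shared secret are placeholders I made up; VLAN 32 is the finance VLAN from the original question.

```cisco
! ---- RADIUS server used for 802.1x (placeholder address and secret) ----
aaa new-model
radius server NAC-SRV
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
aaa group server radius NAC-GRP
 server name NAC-SRV
!
! Authentication list for dot1x; a network authorization list so the
! controller applies the attributes carried in the Access-Accept
aaa authentication dot1x NAC-AUTH group NAC-GRP
aaa authorization network default group NAC-GRP
dot1x system-auth-control
!
! ---- The department VLANs must exist on the controller and be allowed
!      on the trunk to the switch (local mode); for FlexConnect they go
!      on the AP trunk and into the Flex profile instead ----
vlan 32
 name FINANCE
!
! ---- One WPA2-Enterprise WLAN, hypothetical name CORP-DOT1X ----
wlan CORP-DOT1X 1 CORP
 security wpa akm dot1x
 security dot1x authentication-list NAC-AUTH
 no shutdown
!
! ---- Policy profile: aaa-override lets the RADIUS VLAN replace the
!      static VLAN below, which acts only as the fallback ----
wireless profile policy CORP-POLICY
 aaa-override
 vlan 1
 no shutdown
!
! ---- Bind WLAN and policy profile in the policy tag applied to the APs ----
wireless tag policy CORP-TAG
 wlan CORP-DOT1X policy CORP-POLICY
!
! ---- Attributes the RADIUS/NAC policy for the finance group must return
!      in the Access-Accept (RFC 3580 dynamic VLAN assignment):
!        Tunnel-Type (64)              = VLAN (13)
!        Tunnel-Medium-Type (65)       = IEEE-802 (6)
!        Tunnel-Private-Group-ID (81)  = 32
!      The NAC decides which VLAN to send by matching the user's group
!      (e.g. an AD group) in its own policy; nothing per-user is stored
!      on the controller. ----
```

To confirm the override took effect after a finance user connects, `show wireless client mac-address <client-mac> detail` on the 9800 lists the VLAN the client was placed in; if it still shows the fallback VLAN, check that the Access-Accept actually carried the three attributes and that the VLAN is allowed on the trunk.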
12-01-2022 10:20 AM
- Review this document: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/dhcp-for-wlans.html
M.
12-03-2022 02:15 AM
Hi Haydn,
Thank you for the document. It really made me understand all the necessary configuration.
Just one more thing here: since we have users integrated via AD, and in this doc the users are created locally in ISE and the VLAN was assigned manually in the user identity for the VLAN 102 assignment.
So via AD, how can I achieve this? Do I need to tweak the user settings in the AD user account details with a specific VLAN X?
12-26-2022 06:35 AM
Hi Haydn,
Thank you for the reference document. I was able to get it done successfully with Forescout NAC.
04-29-2024 04:50 AM
Brother, I am also facing the same with WLC 9800, 802.1x and Forescout. May I know how you sorted it out? Thanks
04-29-2024 07:08 AM
This can be done on Forescout: after reading the department details of the connected user, it can move the user to the respective VLAN. This you can do after assessing the connected endpoint and configuring the control action to move the user into the proper VLAN.