WLAN configuration

shaikh.zaid22
Level 1

Hello,

I have a 9800 WLC configured with a single WLAN shared across all the org departments for corporate resource access. (Forescout NAC recently deployed.)

Recently we have segregated all the org departments into separate VLANs and disallowed inter-VLAN communication as part of a compliance requirement.

Now, my requirement is that I need to create one or utilize the existing WLAN in such a way that when, for instance, a finance user connects to the WLAN, the user should receive an IP address from the same finance subnet range (say VLAN 32). Similarly, I have to accomplish this for all departments.

How shall I approach this use case in the WLC configuration?

Need your guidance and assistance in this regard, folks.

 

 

Accepted Solutions

Haydn Andrews
VIP Alumni

802.1x Authenticated SSID with AAA Override

RADIUS server returning separate VLAN ID dependent on the policy matched to identify which group a user is from.

Not a Forescout NAC setup, but here is the config guide for doing it with ISE; the principles will be the same:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.html

If using local mode, you need to ensure the VLANs are trunked to the 9800. With FlexConnect, you need to ensure the VLANs are trunked to the AP and defined in the Flex Profile.

 

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
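
The attribute set a RADIUS server returns for the dynamic VLAN assignment described above, as an added example that is not part of the original post or the linked Cisco guide. It maps directory groups to a VLAN, encodes the standard Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868 / RFC 3580), and decodes them again, which helps when checking a packet capture of the Access-Accept. The group names and every VLAN other than 32 are assumptions.

```python
import struct

# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed policy: only "finance -> VLAN 32" comes from the thread; the rest is made up.
GROUP_TO_VLAN = {"Finance": 32, "HR": 33, "Engineering": 34}


def select_vlan(groups, policy=GROUP_TO_VLAN):
    """Pick the VLAN for a user's directory groups; None on zero or conflicting matches."""
    matches = {policy[g] for g in groups if g in policy}
    return matches.pop() if len(matches) == 1 else None  # fail closed, no default VLAN


def encode_vlan_attributes(vlan_id, tag=0):
    """Encode the three tunnel attributes as RADIUS TLVs for an Access-Accept."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")

    def tlv(attr_type, value):
        return struct.pack("!BB", attr_type, len(value) + 2) + value

    def tagged_int(value):  # one tag octet followed by a 3-octet integer
        return bytes([tag]) + value.to_bytes(3, "big")

    # Assumption: with tag 0 the VLAN string starts right after the length octet.
    group = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    return (tlv(TUNNEL_TYPE, tagged_int(VLAN))
            + tlv(TUNNEL_MEDIUM_TYPE, tagged_int(IEEE_802))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, group))


def decode_vlan(attrs):
    """Return the VLAN ID an attribute blob assigns, or None if the set is incomplete."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 3 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        seen[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if (seen.get(TUNNEL_TYPE, b"")[1:] != VLAN.to_bytes(3, "big")
            or seen.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != IEEE_802.to_bytes(3, "big")
            or not group):
        return None
    # A first octet of 0x00-0x1F is a tag, not part of the VLAN string.
    digits = group[1:] if group[0] <= 0x1F else group
    return int(digits.decode("ascii"))
```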



marce1000
VIP

 

 - Review this document: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/dhcp-for-wlans.html

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '


Hi Haydn,

Thank you for the document. It really helped me understand all the necessary configuration.

Just one more thing here: we have users integrated via AD, and in this doc the users are created locally in ISE and the VLAN was assigned manually in the user identity (VLAN 102 assignment here).

So via AD, how can I achieve this? Do I need to tweak the user settings in the AD user account details with a specific VLAN X?

 

Hi Haydn,

 

Thank you for the reference document. I was able to get it done successfully with Forescout NAC.

Brother, I am also facing the same with WLC 9800, 802.1x and Forescout. May I know how you sorted it out? Thanks.

This can be done on Forescout: after reading the department details of the connected user, it can move the user to the respective VLAN. You can do this after assessing the connected endpoint and configuring the control action to move the user into the proper VLAN.

 
