12-16-2020 04:09 AM - edited 07-05-2021 12:55 PM
Hello everybody,
Might look like a noob question: I'm trying to understand the WLAN environment of a client but I'm a little bit lost.
My understanding of WLANs is as follows:
WLAN created = linked to an interface, which will play the role of a DHCP relay and give the client connected to that specific WLAN an IP address from the same scope as the IP of the WLAN interface.
This client has an ISE server configured in all of his WLANs, and the above understanding is not applied at all. Different rules are applied, with captive portal capabilities which are not mentioned anywhere in the WLC.
Can you confirm that once an ISE server is involved in the WLAN configuration, the WLC config doesn't matter (authentication method and IP addressing)?
If there is any document explaining that, I'll be more than happy to understand it.
Thank you
12-16-2020 04:23 AM
- Basically IP addressing 'resolving' is done through a DHCP (relay) as you mention. Specifying an ISE RADIUS server for the WLAN becomes the authentication method for clients, hence, being configured that way, any contradiction vanishes.
M.
12-16-2020 06:20 AM - edited 12-17-2020 12:10 AM
Now I understand why the WLC config is not fully taken into consideration, as all the policies (from authentication methods to IP addressing / VLAN attribution) are all configured in the ISE.
Thank you
12-16-2020 10:37 PM
WLC and WLAN config does matter.
If the WLAN has Layer 2 security configured (in your case using ISE) then the client will not be able to get an IP address until the L2 authentication is done, while if the WLAN has L3 security configured then the client will get the IP address first and then the auth will happen from ISE in your case.
DHCP proxy can be enabled on the WLC globally from CONTROLLER > Advanced > DHCP, or per interface from CONTROLLER > Interfaces > select the interface > DHCP Proxy Mode.
If you disable proxy on the interface or globally then you need the next-hop switch to have the ip helper-address command so it can forward the DHCP to the DHCP server.
ISE can be configured to return to the WLC the interface name or the VLAN number that the "authenticated" users need to be put on (this will need the WLAN to be configured with Allow AAA Override).
Hope that explains it all...
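To make the two rules in this answer concrete (L2 security authenticates before DHCP, L3 security lets DHCP run first, and Allow AAA Override is what lets an ISE Access-Accept move the client onto a different interface/VLAN), here is a small model of that decision logic. It is an added illustration, not code from this thread, from the WLC or from ISE: the interface names, VLAN IDs and subnets are constructed sample values, and the Access-Accept dictionaries stand in for the RADIUS attributes a WLC honours for override (the Airespace-Interface-Name VSA, or the IETF Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID trio). The "DHCP renew after a VLAN change" step on an L3 WLAN is an assumption of the model, not something the post states.

```python
"""Model of how a WLC places a wireless client on an interface / DHCP scope.

Added illustration for the thread above; not Cisco code. Interface names,
VLANs and subnets are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed WLC dynamic-interface table: name -> (VLAN id, DHCP scope)
INTERFACES = {
    "users-if": (10, "10.10.10.0/24"),
    "guest-if": (20, "10.10.20.0/24"),
    "corp-if":  (30, "10.10.30.0/24"),
}


@dataclass
class Wlan:
    name: str
    interface: str                     # interface the WLAN is mapped to
    l2_security: Optional[str] = None  # e.g. "wpa2-8021x"; None = open
    l3_security: Optional[str] = None  # e.g. "web-auth";   None = none
    aaa_override: bool = False         # "Allow AAA Override" checkbox


def interface_for_vlan(vlan: int) -> Optional[str]:
    """Find the dynamic interface that carries a given VLAN id, if any."""
    for name, (vid, _scope) in INTERFACES.items():
        if vid == vlan:
            return name
    return None


def resolve_interface(wlan: Wlan, access_accept: Optional[dict]) -> str:
    """Apply the AAA-override rule to an ISE Access-Accept.

    Without AAA Override (or without RADIUS attributes) the client stays on
    the WLAN's own interface.  With it, ISE may name an interface directly
    (Airespace-Interface-Name VSA) or a VLAN id (RFC 2868 tunnel attributes).
    A VLAN the WLC has no interface for falls back to the WLAN's interface.
    """
    if not wlan.aaa_override or not access_accept:
        return wlan.interface
    name = access_accept.get("Airespace-Interface-Name")
    if name in INTERFACES:
        return name
    if (access_accept.get("Tunnel-Type") == "VLAN"
            and access_accept.get("Tunnel-Medium-Type") == "IEEE-802"
            and "Tunnel-Private-Group-ID" in access_accept):
        name = interface_for_vlan(int(access_accept["Tunnel-Private-Group-ID"]))
        if name:
            return name
    return wlan.interface


def client_journey(wlan: Wlan, access_accept: Optional[dict]) -> list:
    """Ordered (event, interface) steps, showing when DHCP happens vs. auth."""
    steps = []
    iface = wlan.interface
    if wlan.l2_security:
        # L2 security: no DHCP until the 802.1X / PSK exchange completes,
        # so the override from ISE is known before the client asks for a lease.
        steps.append(("l2-auth:" + wlan.l2_security, iface))
        iface = resolve_interface(wlan, access_accept)
        steps.append(("dhcp", iface))
    else:
        # Open L2: the client gets a lease from the WLAN interface's scope first.
        steps.append(("dhcp", iface))
    if wlan.l3_security:
        steps.append(("l3-auth:" + wlan.l3_security, iface))
        new_iface = resolve_interface(wlan, access_accept)
        if new_iface != iface:
            # Assumption of this model: a post-web-auth VLAN move means the
            # client must renew its lease from the new scope.
            steps.append(("vlan-change-dhcp-renew", new_iface))
            iface = new_iface
    steps.append(("run", iface))
    return steps


def dhcp_scope(interface: str) -> str:
    """DHCP scope a client on this interface draws its address from."""
    return INTERFACES[interface][1]


def dhcp_forwarding_path(proxy_enabled: bool, dhcp_server_on_interface: bool,
                         ip_helper_on_switch: bool) -> str:
    """Who relays the client's DHCP request, per the DHCP-proxy rule above."""
    if proxy_enabled:
        return "wlc-proxy" if dhcp_server_on_interface else "fail:no-dhcp-server-on-interface"
    return "switch-ip-helper" if ip_helper_on_switch else "fail:no-ip-helper-address"


if __name__ == "__main__":
    corp = Wlan("CORP", "users-if", l2_security="wpa2-8021x", aaa_override=True)
    accept = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
              "Tunnel-Private-Group-ID": "30"}
    for step in client_journey(corp, accept):
        print(step)
```

Running it prints the L2 case from the thread: the 802.1X exchange happens on the WLAN's interface, and only then does the client DHCP, already on the ISE-returned VLAN's scope. Flip `aaa_override` to False and the same Access-Accept is ignored, which is the "WLC config does matter" point in this answer.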
12-17-2020 12:08 AM - edited 12-17-2020 12:40 AM
Hello Grendizer ( nostalgic nickname :D)
Thank you for the explanation,
All the WLANs are L3 configured and pointing towards the ISE, and all the interfaces have the default configuration when it comes to "DHCP Proxy Mode", so I assume it's disabled (I don't have access to the WLC right now). It might be the ISE that does that process; here's my understanding: the machine should be a part of the AD domain first, then the client uses his AD credentials, and the ISE decides where to put him based on policies already in place by the security team (which DHCP scope the IP address should be taken from, etc.).
I noticed that there are some interfaces created in the WLC which have the same scope as the authenticated users (but those interfaces are not the ones used in the WLAN the users connect from). That's why my thought was that the ISE maybe overrides which DHCP scope the user should take its IP from (as you said, it defines the VLAN for the users, so they will take IPs from the scope reserved for that VLAN).
You mentioned that "if the WLAN has L3 security configured then the client will get the IP address then the auth will happen from ISE in your case", so, before reaching the ISE, where does the client get its IP from? I'm pretty sure it's not the WLC because, as I said before, the WLAN uses an interface with a different DHCP scope from the one actually used by the client.
One last note: indeed, all the WLANs have "Allow AAA Override" enabled.
12-17-2020 12:48 AM
12-17-2020 01:14 AM
OK, thank you. I have one last question if you don't mind: do the FlexConnect ACLs have any impact in this ISE deployment? As far as I know, FlexConnect is used to route data traffic to the nearest end, instead of routing everything to the WLC and then to the destination. Based on the above detailed scenario, since all the policies are managed by the ISE, do you think the FlexConnect ACLs still do something? I don't think so.
Thank you
12-17-2020 01:30 AM
It's really hard to say without seeing the whole picture. Maybe they are using a local-split ACL, which controls what traffic is locally or centrally switched per WLAN, so maybe it is needed after all....
12-17-2020 01:35 AM
All the APs are in the same AP group and have FlexConnect enabled on them; I just don't know what the FlexConnect ACLs stand for here (?)
Well, thank you for all the answers, I'll rate them all of course.
12-17-2020 02:36 AM
You made me think now of another possibility: you may have a WLAN with L3 auth that uses the ISE portal so users can type the AD username/password. In that case the client will get its IP address from the WLAN interface, or in the case of FlexConnect from the local site subnet.
I guess the Flex ACL that's being used is to determine which traffic is local and what traffic needs to be sent to the WLC.
12-17-2020 03:12 AM
Before answering, I noticed no L3 is configured in any of the WLANs (production and guest WLANs), only L2 and an AAA server defined (ISE).
"you may have WLAN with L3 auth that uses ISE portal so users can type the AD username/pass": that's partially correct, this is the workflow but without L3 auth. They're sent to ISE, ISE verifies first if the machine used is in the domain, and verifies the credentials of the user after. No portal is in place for the production WLAN, just AD credentials... For guest users they need a generated portal username and password (generated by the ISE admin); the lobby admin of the WLC does nothing here as well.
"in that case the ip address the client will get from the WLAN interface": if you mean the interface the WLAN is using, that's not the case, the interface is in a different subnet from the one attributed to the client once authenticated.
"I guess the Flex ACL that's being used is to determine which traffic is local and what traffic need to be sent to the WLC.": this is the part I'm missing. Those ACLs existed before the deployment of the ISE; now since ISE is there, I think that it has all the policies needed and the FlexConnect ACLs are irrelevant. Based on the user authenticated, the ISE will place that client in a VLAN and give DHCP info on where he should get the IP from (of that VLAN of course). Since I have no access to ISE, I'm afraid to make wrong assumptions and say that those ACLs are irrelevant. All the WLANs, by the way, have an AAA server (ISE) defined, no L3 config.