
WLC Blocking

workmen
Level 1

Hi All, 

How can I know which 3rd party device is causing the blocking in WLC? There is a description here that it is blockedbyFS.

Is there a way that I can know which FS is causing this? I am assuming this is a Forescout because there was an integration made between Forescout and WLC via SNMPv3. I just want to be sure if a 3rd party is capable of doing it. Please see screenshot below.

 

TIA, 

Tim

 

Forescout blocking.jpg

7 Replies

marce1000
VIP

 

> ... I am assuming this is a forescout because

 - The status BlockbyFS seems rather descriptive indeed (FS = Forescout). Are you using FS as a NAC-policy service (network access control), or ISE or other? If FS, are the NAC policies correct? If RADIUS is used, check for authentication details on the RADIUS server too. Normally this is not related to SNMP(v3).

Use, for instance, an open SSID as a test to verify that basic wireless can work (e.g.).

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Yes, FS is used as NAC. I will verify it with my team.

 

Thank you very much

 



Arshad Safrulla
VIP Alumni

Yes, provided that you give SNMP write access to Forescout NAC, it can add MAC addresses to Cisco WLCs. I remember this was working only in AireOS WLCs. Forescout will perform something similar to ISE profiling (compliance check) and if it fails, NAC will automatically add the MAC address to disabled clients.

But for the newer 9800s they required a different level of access; as I remember, they wanted a user account in the WLC with CLI access to add the MAC addresses to the block list.

Yes, the currently deployed APs are Cisco AP 3600 and 3700. We have a 9120 AX AP, but it runs on vWLC as of now because the 9800 is under VA scan.

Thank you very much

So I believe you have your answer then. Just heard from our security team that when you integrate 9800s with Forescout you need write access to CLI. SNMP write access will not work with 9800s.

alirafaleiro
Level 1

The main function of a traditional wireless LAN controller (WLC) is to configure wireless access points (AP) that connect to it locally.
