FlexConnect WLAN TrustSec Configuration Question/Design

austinkuklok35
Level 1

Hello Everyone,

Curious as to how other people are handling FlexConnect within a TrustSec environment. We are currently using 9300 switches, 9800 WLCs, and 9120AX access points.

We currently have ISE invoking NEAT on all of our APs doing FlexConnect, and they are authenticating to the wired network using 802.1X. We use FlexConnect mode at a lot of our smaller sites (5-20 APs, 10-150 clients); assume that we can't use Local Mode. Our larger sites are already configured for inline tagging across the wired and wireless networks (Local Mode), and we are not using SXP anywhere.

So my question then is: how are you configuring this part of your environment for TrustSec? Are you using the SXP option, or are there other ways? Multi-auth at the switchport, local authentication at the AP, etc. I am a little stumped on this at the moment, as I would prefer not to have to use SXP.

4 Replies

What do you mean here? Can you restate your question? How should you assign a tag to the FlexConnect AP itself or the clients behind it?

It would be for the clients behind the AP. The AP itself is already tagged. Clients behind the AP are doing 802.1X exclusively.

So, to rephrase it: how do you enforce the SGACLs? Can you do it at the switch port instead of at the AP?

Got it, then yeah just assign the SGT with the ISE authz result. I’m not aware of it being any different for FlexConnect use-cases.

Enforcement would be just like any other enforcement. It would occur at the first point in the network that knows the context of both source and destination tags, typically the final egress switch. https://cs.co/ise-berg#trustsec
https://www.youtube.com/watch?v=KKbvocNPaOQ