SEC0112 - ISE 1.2 Wireless 802.1X Authorization with FlexConnect (Part 2)

The video looks at Cisco ISE 1.2 wireless 802.1X authentication and authorization with a FlexConnect AP. We configure the wireless AP and SSID to operate in central switching and in local switching mode, and compare the authorization capabilities ISE has in each mode. Because local switching does not support downloadable ACLs (DACL), we configure a FlexConnect ACL and a FlexConnect group, and use dynamic VLAN assignment to place a wireless user on a VLAN that has the appropriate FlexConnect ACL mapped to it. In local switching the AP bridges the client's traffic onto the local VLAN itself, so the ACL is enforced at the AP rather than on the controller.
Part 2 of this video deals with FlexConnect local switching mode and the corresponding configuration changes on ISE and the wireless LAN controller.
 
Topic:
  • Network Device
  • Network Device Group
  • Policy Element Result
    • Authorization (Downloadable ACL, Dynamic VLAN Assignment)
    • Authorization (Authorization Profile)
  • Authentication Policy
  • Authorization Policy
  • WLC AP and SSID Configuration for FlexConnect
  • FlexConnect ACL
  • FlexConnect Group with ACL Mapping

Update: WLC software release 7.5 supports per-client ACLs in FlexConnect local switching

From cisco.com
"In the earlier releases, you could have a per client access control list (ACL) in a centrally switched traffic. In this release, this feature has been enhanced to support ACL for local switching traffic with both central and local authentication. Client ACL is returned from AAA on successful client Layer 2 authentication as part of Airespace RADIUS attributes. As the Airespace RADIUS attribute is an ACL name, the ACL must be already present on the FlexConnect AP.

In downstream traffic, VLAN ACL is applied first and then the client ACL is applied. In upstream traffic, the client ACL is applied first and then the VLAN ACL is applied."
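To make the quoted behaviour concrete, here is an added Python example (not code from the lab, from Cisco or from labminutes.com) that encodes the Access-Accept attributes ISE returns for the two authorization results this video relies on, dynamic VLAN assignment (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID from RFC 2868 and RFC 3580) and the per-client FlexConnect ACL (the Airespace-ACL-Name vendor-specific attribute, Airespace vendor ID 14179, vendor type 6), and then parses them the way a controller has to: honouring the VLAN only when the tunnel attributes are consistent, stripping the optional RFC 2868 tag octet, and rejecting malformed attribute lengths. VLAN 20 and the ACL name FLEX-GUEST-ACL are constructed sample values.

```python
"""Encode/decode the RADIUS Access-Accept attributes a WLC acts on for
dynamic VLAN assignment (RFC 2868/3580 tunnel attributes) and the per-client
FlexConnect ACL (Airespace VSA in RFC 2865 vendor-specific format).
Added illustration; VLAN 20 and FLEX-GUEST-ACL are constructed sample values."""
import struct

TUNNEL_TYPE = 64                 # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26             # RFC 2865
TUNNEL_TYPE_VLAN = 13            # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6            # Tunnel-Medium-Type = IEEE 802
AIRESPACE_VENDOR_ID = 14179
AIRESPACE_ACL_NAME = 6           # Airespace-ACL-Name (Airespace dictionary)


def avp(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value; length covers all three."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def tagged_int(value, tag=1):
    """Tagged integer per RFC 2868: tag octet then 3 octets of value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_str(value, tag=1):
    """Tagged string per RFC 2868 (tag octet 0x01..0x1F)."""
    return bytes([tag]) + value.encode()


def vsa(vendor_id, vendor_type, value):
    """RFC 2865 VSA: Vendor-Id(4) followed by vendor Type(1) Length(1) Value."""
    inner = bytes([vendor_type, 2 + len(value)]) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_accept_attrs(vlan_id, acl_name=None):
    """Attributes of an Access-Accept for a locally switched FlexConnect client."""
    attrs = avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
    attrs += avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_802))
    attrs += avp(TUNNEL_PRIVATE_GROUP_ID, tagged_str(str(vlan_id)))
    if acl_name:                 # only meaningful on 7.5+ per the release note
        attrs += vsa(AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME, acl_name.encode())
    return attrs


def iter_avps(data):
    """Yield (type, value); the length check rejects truncated or overlapping AVPs."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        t, ln = data[pos], data[pos + 1]
        if ln < 2 or pos + ln > len(data):
            raise ValueError("bad attribute length")
        yield t, data[pos + 2:pos + ln]
        pos += ln


def strip_tag(value):
    """RFC 2868: the first octet is a tag only if it is in 0x00..0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def parse_wlc_authz(data):
    """Extract what the WLC needs: VLAN to assign and the ACL name the AP must hold."""
    result = {"vlan": None, "acl": None}
    tunnel_type = medium = group_id = None
    for t, v in iter_avps(data):
        if t == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(strip_tag(v)[1], "big")
        elif t == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(strip_tag(v)[1], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            group_id = strip_tag(v)[1].decode()
        elif t == VENDOR_SPECIFIC and len(v) >= 6:
            vendor = struct.unpack("!I", v[:4])[0]
            for vt, vv in iter_avps(v[4:]):
                if vendor == AIRESPACE_VENDOR_ID and vt == AIRESPACE_ACL_NAME:
                    result["acl"] = vv.decode()
    # Honour the group id only when the tunnel attributes say "VLAN over 802".
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802 and group_id:
        result["vlan"] = int(group_id) if group_id.isdigit() else group_id
    return result
```

The parser can only confirm that a VLAN and an ACL name came back from AAA; nothing in the RADIUS exchange proves the named ACL exists on the AP, which is why the FlexConnect group ACL mapping covered in the video still has to be in place before the Airespace attribute does anything.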

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

13 comments

Hi Metha,

I have a question. In a real system where I have configured DVA with FlexConnect local switching:
I notice that even though I have not created the interface VLAN 20 (with VLAN ID 20) and have only added VLAN ID 20 to "AAA VLAN-ACL Mapping", clients connect and get an IP address from VLAN 20.

I don't know where they can get an IP address from. Do you have any idea?

Thanks

Do you have DHCP proxy enabled on the WLC? Who is the DHCP server and where is it located?

DHCP proxy is disabled. I'm using an external DHCP server; it's Windows Server 2012.

Thanks

Unless the DHCP server is sitting on VLAN 20, I can't really see how a user would be able to get an IP from that VLAN without an interface VLAN 20 with a helper address. Maybe try doing a packet capture on the AP port and look at the DHCP packets.

Oh my fault,

My topology:

                                         (ISE)
                                           |
(Client)---(AP)---(SW)---(CoreSW)---(WLC)
                                           |
                                      (DHCP)

(CoreSW) has a VLAN 20 helper-address pointing to (DHCP). But I still don't know why, when I haven't created interface VLAN 20 on the WLC, the client still gets an IP address.

Ok, that makes sense now. You don't need an interface VLAN on the WLC for the VLAN assigned by DVA, only on the local L3 switch.

So you mean that after the WLC receives the "VLAN 20" attribute from ISE, the WLC will request the client's IP from CoreSW and assign it to the client? Am I wrong?

Thanks

Once DVA assigns the client to VLAN 20, the AP takes the client traffic and drops it directly onto VLAN 20. At this point the WLC is out of the picture. All user data, starting with the DHCP request, travels across VLAN 20 and hits the switch VLAN interface. If you do a packet capture on the AP switchport, you should see the client's DHCP request broadcast.

Thanks Metha, I'm all clear.
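One way to perform the packet-capture check suggested in the exchange above, as an added example that is not part of the original thread: a small Python parser that takes a frame captured on the AP switchport and reports the 802.1Q VLAN ID and the DHCP message type, so you can confirm the client's DHCP Discover really left the AP tagged with the DVA-assigned VLAN (20 here) rather than on the switchport's native VLAN. The frame is constructed inside the block (the client MAC and transaction ID are arbitrary, and the IP and UDP checksums are left at zero, which a real capture would not have); the parser deliberately reports untagged frames as "not on a DVA VLAN", because a client whose DHCP goes out untagged is not on the VLAN ISE returned.

```python
"""Classify a frame seen on the AP switchport: is it an 802.1Q-tagged DHCP
message, and on which VLAN? Added illustration for the DVA/DHCP thread above;
the sample frame is constructed, with IP/UDP checksums left at zero."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def build_tagged_dhcp_discover(vid, client_mac):
    """Frame a locally switched client's DHCP Discover looks like after the AP
    tags it with the DVA VLAN (constructed; not from a real capture)."""
    # BOOTP header: op=1 (BOOTREQUEST), htype=1, hlen=6, hops, xid, secs,
    # flags (broadcast bit set), ciaddr/yiaddr/siaddr/giaddr all zero
    dhcp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    dhcp += client_mac + b"\0" * 10      # chaddr is 16 octets
    dhcp += b"\0" * 64 + b"\0" * 128     # sname, file
    dhcp += DHCP_MAGIC + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp   # checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp    # checksum 0
    tci = (0 << 13) | (vid & 0x0FFF)     # PCP 0, DEI 0, 12-bit VID
    eth = (b"\xff" * 6 + client_mac
           + struct.pack("!HH", ETHERTYPE_8021Q, tci)
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip


def classify_frame(frame):
    """Return (vid, dhcp_message_type) for a tagged IPv4/UDP DHCP frame, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None                      # untagged: native VLAN, not a DVA VLAN
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[18:]
    if len(ip) < 20 or ip[9] != 17:      # protocol 17 = UDP
        return None
    ihl = (ip[0] & 0x0F) * 4
    udp = ip[ihl:]
    if len(udp) < 8:
        return None
    sport, dport = struct.unpack("!HH", udp[:4])
    if {sport, dport} != {68, 67}:
        return None
    dhcp = udp[8:]
    if len(dhcp) < 240 or dhcp[236:240] != DHCP_MAGIC:
        return None
    pos = 240                            # walk options looking for 53
    while pos < len(dhcp) and dhcp[pos] != 255:
        if dhcp[pos] == 0:               # pad
            pos += 1
            continue
        if pos + 1 >= len(dhcp):
            break
        code, ln = dhcp[pos], dhcp[pos + 1]
        if code == 53 and ln == 1 and pos + 2 < len(dhcp):
            return vid, DHCP_MSG_TYPES.get(dhcp[pos + 2], "UNKNOWN")
        pos += 2 + ln
    return vid, "UNKNOWN"


def client_landed_on_vlan(frame, expected_vid):
    """True only if the frame is a DHCP Discover tagged with the expected VLAN."""
    r = classify_frame(frame)
    return r is not None and r[0] == expected_vid and r[1] == "DISCOVER"
```

On a live capture the equivalent check is `tcpdump -e -nn 'vlan 20 and udp port 67'` on a SPAN of the AP's switchport; `-e` prints the link-layer header so the 802.1Q tag is visible, and an absence of tagged Discovers while the client still gets an address is the signal that the traffic is taking a different path than DVA intended.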

Hi Metha
I have a question. Can ISE 1.2 check outgoing traffic? Example: I have VLAN 1250 and 3 hosts already belong to VLAN 1250. I want to use ISE to check their compliance before allowing those 3 hosts to reach my server in VLAN 139. Thanks Metha.

You can enable 802.1X on the switch interfaces and the hosts, have them authenticate and perform a posture check, and only when they are compliant allow them access to the server subnet. Please check out our ISE posture assessment videos for more detail.

So we need to configure CWA for guests to have internet access only.
In HO the AP mode is local and everything works fine.
On branches the AP mode is FlexConnect doing local switching.
So basically I have to follow the same thing you did in this video to limit guest access in branches, since DACL still does not work, just like the example in the video?
What about the internet ACL: should we add one more line to it allowing traffic to ISE for redirection?
What about the redirect ACL: just add it to the AP group under policies?
We have ISE 2.3 and WLC 8.3; do these limitations still exist?
Thanks for the awesome content.

As far as we know, you still need to do the same thing. A FlexConnect ACL is separate from a regular named ACL. You can potentially use the same name, but a separate ACL needs to be created under the FlexConnect Group.