How to configure a WLAN where clients are moved to different VLANs

RYAN PAUL
Level 1

Good morning,

I'm relatively new to ISE, so please bear with me.

I work in a hospital where we have 1 WLAN dedicated to wireless medical devices (wireless x-ray units) which authenticate to a Cisco 5508 WLC using WPA2-PSK. The WLAN is mapped to VLAN 7. 

We are going to be adding a large number of new medical devices (wireless pain pumps and telemetry equipment) but they need to be mapped to a different VLAN. The new devices also support WPA2-PSK (existing and new do not support 802.1X). I don't want to create another SSID just for these devices as we are trying to cut down on the number of SSIDs in production. How can I configure ISE to put the new devices into VLAN 604 but keep the existing devices in VLAN 7 while using 1 SSID?

The WLC is running 8.5.131 and we have a mixture of 3702i and 3802i APs.

Thanks,

Ryan

5 Replies

Craig Hyps
Level 10

ISE can return authorizations to the WLC based on the Airespace-WLAN-Id attribute, and you handle the mapping in the infrastructure. Of course, you would need to reconcile subnet assignments. Another option is to authorize to a specific Airespace-Interface-Name, which is linked to the same or a different IP address space, which is then linked to a specific infrastructure VLAN.

paul
Level 10

If your new VLAN is 604 everywhere, you can also just assign VLAN 604 to the authorization result. If you are doing FlexConnect, you will need to make sure VLAN 604 exists on the APs.

nikhilcherian
Level 5

As you are using WPA2-PSK and the devices don't support dot1x, you will have to try MAC filtering in ISE.

Can you try to create a MAB policy for the new medical equipment in ISE and push the new VLAN in that MAB policy?

The default MAB policy will not push any VLAN back to the wireless controller and will authenticate the existing medical equipment.

Please note: MAC filtering authentication is not supported with FlexConnect local authentication.

hslai
Cisco Employee

I agree with all three comments.

You might also consider combining it with the Identity PSK feature (and/or Cisco ISE & WLC - WPA2-PSK WLAN: Per-Device | Cisco Communities).

For non-FlexConnect, the WLC needs to have an interface residing on VLAN 604 for the override to work.
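The replies above describe one authorization design: a default MAB rule that returns an Access-Accept with no VLAN (existing x-ray units stay in the WLAN's native VLAN 7), a second rule for an endpoint group of new devices that returns VLAN 604 (either as the standard RFC 3580 tunnel attributes that an ISE "VLAN" result encodes, or as the Airespace-Interface-Name VSA Craig mentions), plus the precondition that a non-FlexConnect WLC must own an interface on that VLAN. The following is an added illustration, not code from the thread, from Cisco ISE or from the WLC: it models that decision and its precondition so the intended RADIUS result can be checked before the policy is built. The endpoint group, MAC addresses and WLC interface table are constructed sample data, and the function names are the author's own.

```python
"""Added example (not Cisco's code): model the per-device MAB VLAN override
described in the thread.  Endpoint group, MACs and interface table are constructed."""
import re

# RFC 2868 / RFC 3580 values carried by an ISE "VLAN" authorization result.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type (64) = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type (65) = IEEE-802
AIRESPACE_VENDOR_ID = 14179  # VSA namespace for Airespace-Interface-Name (attr 5)


def normalize_mac(raw: str) -> str:
    """Accept 00-11-22-AA-BB-CC, 0011.22aa.bbcc or 00:11:22:aa:bb:cc and return
    the uppercase colon form.  MAB carries the MAC in Calling-Station-Id with
    hyphens while endpoint lists are often kept in colon form; comparing on one
    canonical form avoids a silent mismatch that drops a device into the default rule."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


# Constructed endpoint identity group: the new pain pumps / telemetry units.
NEW_MEDICAL_DEVICES = {normalize_mac(m) for m in ("00-11-22-AA-BB-01", "0011.22aa.bb02")}

# Constructed WLC dynamic-interface table: interface name -> VLAN id.
WLC_INTERFACES = {"management": 1, "medical-7": 7, "medical-604": 604}

NEW_DEVICE_VLAN = 604
NEW_DEVICE_INTERFACE = "medical-604"


def authorize_mab(calling_station_id: str, style: str = "vlan",
                  flexconnect_local_auth: bool = False) -> dict:
    """Return the attribute/value pairs the authorization profile would push.
    Default rule (existing devices): empty dict, i.e. accept with no override so the
    WLAN's own VLAN mapping (7) applies.  New-device rule: override to VLAN 604,
    either as tunnel attributes ("vlan") or as the Airespace interface name ("interface")."""
    if flexconnect_local_auth:
        # Constraint stated in the thread: MAC filtering does not work with FlexConnect local auth.
        raise RuntimeError("MAC filtering is not supported with FlexConnect local authentication")
    mac = normalize_mac(calling_station_id)
    if mac not in NEW_MEDICAL_DEVICES:
        return {}
    if style == "interface":
        return {"Airespace-Interface-Name": NEW_DEVICE_INTERFACE}
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(NEW_DEVICE_VLAN),
    }


def resolve_wlc_interface(avps: dict, interfaces: dict = WLC_INTERFACES):
    """Non-FlexConnect precondition from the thread: the override only works when the
    WLC has an interface on the returned VLAN (or the named interface exists).
    Returns the interface name, None when no override was returned, or raises."""
    if "Airespace-Interface-Name" in avps:
        name = avps["Airespace-Interface-Name"]
        if name not in interfaces:
            raise LookupError(f"WLC has no interface named {name!r}")
        return name
    vlan_id = avps.get("Tunnel-Private-Group-ID")
    if vlan_id is None:
        return None
    for name, vlan in interfaces.items():
        if str(vlan) == vlan_id:
            return name
    raise LookupError(f"no WLC interface on VLAN {vlan_id}; override would fail")


if __name__ == "__main__":
    for mac in ("00-11-22-AA-BB-01", "00-11-22-AA-BB-FF"):
        avps = authorize_mab(mac)
        print(mac, "->", avps or "no override (stays in WLAN VLAN 7)",
              "| WLC interface:", resolve_wlc_interface(avps))
```

The check in resolve_wlc_interface is the one worth running against the real controller's interface list before enabling the rule, since a VLAN override the WLC cannot honour shows up as an authorization that looks correct in ISE live logs but leaves the client on the wrong network.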

RYAN PAUL
Level 1

Thanks everyone! I really appreciate all of your help.
