Hi Team,
I'm currently working on a configuration entailing WLC and ISE where the customer wants a single SSID, and wants his wireless clients to authenticate successfully if they pass a registry key compliance check. Additionally, they want clients to receive a different IP address or get mapped to a different DHCP scope based on the Microsoft AD group they belong to. For example:
- Client authenticating with registry key and in AD group ABC that passes authentication gets an IP address or subnet belonging to their specific AD group ABC.
- Client authenticating with registry key and in AD group XXX that passes authentication gets an IP address or subnet belonging to their specific AD group XXX.
Is this doable? Can we map users to specific DHCP scopes based on AD memberships, and if so, how? What attributes need to be tagged or exchanged between CPPM and MS AD? I'm also not sure if the WLC would need any specific configs to enable this.
Clients---->WLC------>CPPM-----> MS AD ( groups ABC, XXXX, YYY )
Currently using EAP-PEAP/MSCHAPv2.
Does anyone have any ideas or pointers, or can anyone refer me somewhere that I can read on how to accomplish this? I'm not sure how to do the registry compliance check, nor what attributes will allow me to map the client to a DHCP scope based on this AD group membership.
Thanks...