Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Push quarantine VLAN to WLC for machine authenticated users before login

  • 1.  Push quarantine VLAN to WLC for machine authenticated users before login

    Posted Mar 01, 2017 07:06 AM

    The CPPM is configured to assign the quarantine VLAN to machine-authenticated users, and to assign the data VLAN to users once they log in (user authenticated and machine authenticated).

    So based on the configured settings, before the user enters credentials to log in to the laptop, the laptop will be machine authenticated and assigned to the quarantine VLAN. And once the user enters credentials, the data VLAN will be assigned based on the assigned user role.

    Now if the user's password has expired, the system engineer will reset the password, so the user must be able to log in to the laptop using the new password because the quarantine VLAN has access to the AD server.

    The above scenario is working for wired users (laptop assigned to the quarantine VLAN before the user enters credentials), but it's not working for wireless users (laptop not assigned to the quarantine VLAN before the user enters credentials).

    Although we use the same CPPM policy for the wired and wireless setups.

    And although in Access Tracker we can see that CPPM is pushing the quarantine VLAN to the WLC.

    So are there any other required settings, or any other workarounds?

     



  • 2.  RE: Push quarantine VLAN to WLC for machine authenticated users before login

    Posted Mar 01, 2017 08:34 AM
    Have you added CPPM to the "RFC 3576 servers" list on your AAA profile on the controller?

    Do you also have the corresponding configuration on your CPPM? E.g. "Enable RADIUS CoA" set to enabled for the controllers in the NAD settings.


  • 3.  RE: Push quarantine VLAN to WLC for machine authenticated users before login

    Posted Mar 01, 2017 08:41 AM

    Yes, both the controller and CPPM are configured for CoA.



  • 4.  RE: Push quarantine VLAN to WLC for machine authenticated users before login

    Posted Mar 06, 2017 02:25 AM

    Verify the port defined for RFC 3576 for the WLC in CPPM: 1700 or 3799. 1700 is the default for the WLC.

    show radius coa statistics

    show radius rfc3576 server statistics

    ... to verify if you get anything.
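The checks suggested in the reply above (CoA port, shared secret, whether the controller answers at all) can be exercised directly by sending a RADIUS CoA-Request and looking at what comes back. The script below is an added example written for this page; it is not code from the thread, from ClearPass, or from HPE Aruba. It builds an RFC 5176 CoA-Request carrying the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes that push a VLAN, computes the Request Authenticator, and verifies the Response Authenticator on the CoA-ACK or CoA-NAK. The shared secret, client MAC, VLAN ID, NAS IP and the attribute set used to identify the session are all constructed assumptions (which attributes a given WLC accepts to locate a session is deployment specific); `nad_handle_coa` is a simulated controller so the exchange runs offline, and `send_coa` is the same check against a real device.

```python
import hashlib
import socket
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions to RADIUS).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types (RFC 2865 / RFC 2868 / RFC 5176).
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ERROR_CAUSE = 101
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
ERROR_CAUSES = {401: "Unsupported-Attribute", 402: "Missing-Attribute",
                403: "NAS-Identification-Mismatch", 503: "Session-Context-Not-Found"}
DEFAULT_COA_PORTS = (1700, 3799)  # WLC default named in the thread, RFC 5176 default

def avp(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def tunnel_int(attr_type, value, tag=0):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))

def build_coa_request(secret, identifier, session_attrs, vlan_id):
    """Build a CoA-Request that moves the identified session to vlan_id."""
    attrs = b"".join(avp(t, v) for t, v in session_attrs)
    attrs += tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
    attrs += tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
    # Tag octet 0x00 on the group ID (assumption); drop it if the NAD expects an untagged string.
    attrs += avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode())
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret).
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs

def parse_attrs(data):
    """Split a RADIUS attribute area into (type, value) pairs."""
    out, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def nad_handle_coa(secret, request, known_sessions):
    """Simulated NAD (controller): validate the request, answer CoA-ACK or CoA-NAK."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], request[20:length]
    if code != COA_REQUEST:
        return None
    expected = hashlib.md5(request[:4] + b"\x00" * 16 + attrs + secret).digest()
    if expected != req_auth:
        return None  # bad Request Authenticator (wrong secret): silently discarded per RFC 5176
    mac = dict(parse_attrs(attrs)).get(CALLING_STATION_ID, b"").decode()
    if mac in known_sessions:
        resp_code, resp_attrs = COA_ACK, b""
    else:
        resp_code, resp_attrs = COA_NAK, avp(ERROR_CAUSE, (503).to_bytes(4, "big"))
    header = struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs

def check_coa_response(secret, request, response):
    """Server side: verify the reply against the request it answers and classify it."""
    if response is None:
        return "timeout"  # wrong port, wrong secret, or CoA not enabled on the NAD
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return "id-mismatch"
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if expected != response[4:20]:
        return "bad-authenticator"
    if code == COA_ACK:
        return "ack"
    if code == COA_NAK:
        attrs = dict(parse_attrs(response[20:length]))
        cause = int.from_bytes(attrs.get(ERROR_CAUSE, b"\x00" * 4), "big")
        return "nak:" + ERROR_CAUSES.get(cause, str(cause))
    return "unexpected-code"

def send_coa(host, secret, request, port=DEFAULT_COA_PORTS[0], timeout=3.0):
    """Send a CoA-Request over UDP to a real NAD and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return check_coa_response(secret, request, reply)

# Constructed sample session (not from the thread): a machine-authenticated laptop.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_MAC = "00-11-22-33-44-55"
SAMPLE_SESSION = [(USER_NAME, b"host/LAPTOP01.corp.example"),
                  (CALLING_STATION_ID, SAMPLE_MAC.encode()),
                  (NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))]
```

Read the result the way the controller statistics in the reply would be read: a `timeout` from `send_coa` on both 1700 and 3799 means the request never got a valid reply, which is what a port mismatch or a wrong shared secret looks like, since RFC 5176 requires a NAD to drop a request whose authenticator does not verify rather than NAK it; a `nak:Session-Context-Not-Found` means the port and secret are right but the controller could not match the identifying attributes to a live session, which is the case to look at when Access Tracker shows the VLAN being sent yet the client never moves.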