Occasional Contributor II
Posts: 61
Registered: ‎06-27-2016

Push quarantine VLAN to WLC for machine authenticated users before login

The CPPM is configured to assign the quarantine VLAN to machine-authenticated users, and to assign the data VLAN to users once they log in (user authenticated and machine authenticated).

So based on the configured settings, before the user enters credentials to log in to the laptop, the laptop is machine authenticated and assigned to the quarantine VLAN. And once the user enters credentials, the data VLAN is assigned based on the assigned user role.

 

Now if the user's password has expired, the system engineer will reset his password, so the user must be able to log in to his laptop using the new password because the quarantine VLAN has access to the AD server.

The above scenario is working for wired users ("laptop assigned to quarantine VLAN before user enters credentials"), but it's not working for wireless users ("laptop not assigned to quarantine VLAN before user enters credentials").

This is although we use the same CPPM policy for the wired and wireless setups, and although in Access Tracker we can see that CPPM is pushing the quarantine VLAN to the WLC.

So are there any other required settings, or any other workarounds?

Mahmoud
MVP
Posts: 952
Registered: ‎04-13-2009

Re: Push quarantine VLAN to WLC for machine authenticated users before login

Have you added CPPM to the "RFC 3576 servers" list on your AAA profile on the controller?

Do you also have the corresponding configuration on your CPPM? E.g. "Enable RADIUS CoA" enabled for the controllers in the NAD settings.

Cheers
James

@whereisjrw (blog)
ACCX #540 | ACMX #353 | ACDX #216
Mobility First Expert #11

Occasional Contributor II
Posts: 61
Registered: ‎06-27-2016

Re: Push quarantine VLAN to WLC for machine authenticated users before login

Yes, both the controller and CPPM are configured for CoA.

Mahmoud
MVP
Posts: 510
Registered: ‎05-11-2011

Re: Push quarantine VLAN to WLC for machine authenticated users before login

Verify the port defined for RFC 3576 for the WLC in CPPM: 1700 or 3799. 1700 is the default for the WLC.

show radius coa statistics
show radius rfc3576 server statistics

... to verify if you get anything.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
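Added example (not code from this thread, from ClearPass or from Aruba): the Python below builds the RFC 5176 CoA-Request that carries a VLAN change using the RFC 2868 Tunnel-* attributes, and validates the CoA-ACK/NAK a controller returns, so the RFC 3576 port (1700 vs 3799) and the shared secret between CPPM and the WLC can be confirmed end to end from a test host in the way radclient would. The shared secret, username, MAC and VLAN id are constructed placeholders, and whether a given CPPM enforcement profile pushes exactly these attributes or an Aruba VSA is not stated in the thread, so the attribute set is an assumption.

```python
import hashlib
import struct
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45  # packet codes from RFC 5176 (Dynamic Authorization Extensions)

def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _tunnel(attr_type: int, value: bytes, tag: int = 1) -> bytes:
    """Tunnel-* attributes (RFC 2868) carry a one-octet Tag before the value."""
    return _avp(attr_type, bytes([tag]) + value)

def build_coa_request(secret: bytes, username: str, client_mac: str, vlan: str, ident: int = 1) -> bytes:
    """CoA-Request moving one session to `vlan` (RFC 2868 tunnel attributes; assumed to match the profile)."""
    attrs = (
        _avp(1, username.encode())               # User-Name (machine account for a machine-auth session)
        + _avp(31, client_mac.encode())          # Calling-Station-Id selects the session on the WLC
        + _tunnel(64, (13).to_bytes(3, "big"))   # Tunnel-Type = VLAN
        + _tunnel(65, (6).to_bytes(3, "big"))    # Tunnel-Medium-Type = IEEE-802
        + _tunnel(81, vlan.encode())             # Tunnel-Private-Group-ID = VLAN id
    )
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator (RFC 5176 s.3): MD5 over the packet with the authenticator field zeroed, then the secret
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs

def build_coa_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What the WLC sends back; the Response Authenticator covers the request's authenticator."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def check_coa_response(response: bytes, request: bytes, secret: bytes):
    """Return COA_ACK or COA_NAK when the reply matches our request and secret, else None."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1] or code not in (COA_ACK, COA_NAK):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if response[4:20] == expected else None

def parse_attrs(packet: bytes) -> dict:
    """Decode attributes into {type: value}, tag stripped from Tunnel-* attributes, for inspection."""
    out, pos = {}, 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:
        attr_type, length = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + length]
        out[attr_type] = value[1:] if attr_type in (64, 65, 81) else value
        pos += length
    return out
```

Send the request with a UDP socket to the controller's configured RFC 3576 port and pass the reply to `check_coa_response`: a valid NAK still proves the port and secret are right, while no reply at all points at the port or a firewall, and `None` on a reply points at a secret mismatch.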