Frequent Contributor II

Version 6 question

Hi all,


My company still uses version 6 on its controllers. We're looking to migrate to version 8, of course, but this will need some planning.

In the meantime, I have tunnelled mode on my switches (3810) tunnelling traffic to the controller.

I want to make multiple user roles on the controller that receives this tunnelled traffic. So I have one already that handles traffic a certain way, but I want to add hundreds more user roles where I can identify traffic by its source MAC address; then ClearPass tells that traffic on the controller to be in a different VLAN. The plan is to physically connect a new link from my controllers to a firewall and force the traffic that way.

I'm thinking of keeping the layer 3 information on the firewall, tunnelling everything to the controller and presenting it as layer 2, so we can control that traffic tightly for onward routing.

There will be lots of new user roles to handle new devices that we can only identify by MAC address. Need to lock down this traffic with our controllers and firewall. 

Hopefully that makes sense? Not sure if the above is only possible with version 8?


Thanks



All Replies
Contributor I

Re: Version 6 question

Yes, you will still have that functionality in version 8. Whether you perform MAC-Auth against RADIUS, or you set up some Server-Derived rules on the controller, you should be able to assign roles based on MAC.


Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMXv6/v8 | ACCP | ACSA

Frequent Contributor II

Re: Version 6 question

Great, thanks.


Is it something I can expand on in the current version 6? I only have one role for current tunnelled node users at present. I really want to make a new role that puts them in a new VLAN on the controller; I can then add a physical cable to a firewall and make the cable a member of this new VLAN. So essentially I want hundreds of new roles on this new physical connection, to then let the firewall handle the traffic. Literally get the controller to talk on a new physical link with lots of user roles (defined by MAC address) within this new physical connection?


Thanks

Contributor I

Re: Version 6 question

Yes, you can tie a VLAN or a pool of VLANs to a user role. Is there a reason why each device will have to have its own role? Is there something that's going to be specific to each device?


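To illustrate the two options mentioned in the replies above (a VLAN pinned to each role, with the role chosen from the client MAC either by a local user-derivation rule or by ClearPass returning a role on MAC-auth), here is an added ArubaOS 6.x-style configuration sketch that is not from the thread or from Aruba; the role names, VLAN IDs, rule name and MAC values are assumed placeholders. Because a MAC address is a weak, spoofable identifier, the sketch leaves unknown clients in the restrictive initial role and keeps the per-subnet policy on the firewall, as the original poster intends.

```text
! One user role per department / device class, each pinned to its own VLAN.
! The session ACL is permissive here on purpose: filtering between the
! per-role subnets is done on the firewall that terminates these VLANs.
user-role DEPT-FINANCE
  vlan 201
  access-list session allowall
!
user-role IOT-CAMERAS
  vlan 310
  access-list session allowall
!
! Option A (local): server-derived / user-derivation rules keyed on the MAC.
! Rules are evaluated in order; a client matching none keeps the initial role.
aaa derivation-rules user MAC-TO-ROLE
  set role condition macaddr starts-with "00:11:22" set-value IOT-CAMERAS
  set role condition macaddr equals "00:aa:bb:cc:dd:ee" set-value DEPT-FINANCE
!
! Attach the rule set to the AAA profile used by the tunnelled-node users.
! Option B (ClearPass): instead of the derivation rules, enable MAC
! authentication in this profile against ClearPass and have the ClearPass
! enforcement profile return the Aruba-User-Role VSA with one of the role
! names above; the VLAN then follows from the role exactly as in Option A.
aaa profile TUNNELED-NODE
  initial-role logon
  user-derivation-rules MAC-TO-ROLE
```

Whichever option is used, the VLAN carrying each role must also be allowed on the new physical uplink toward the firewall, and the firewall holds the layer 3 addressing and inter-subnet rules for every per-department /24.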
Frequent Contributor II

Re: Version 6 question

Yes, I wanted to get a role and identify those users by MAC address. It's for different departments and some IoT-type devices. I need each department to get its own subnet, basically. So each one would have its own /24 subnet. I need to have them on individual subnets so it's easy to handle all the roles and rules from the firewall as to where they can go.

We have a large campus with hundreds of switches, so we're trying to centralise the admin for this task.

Tunnelled mode with multiple user roles and new VLANs to a separate firewall seems like the best way to isolate all this traffic?

Contributor I

Re: Version 6 question

I would have to agree. Sounds like a good plan.

