Date: Thu, 7 May 2009 15:39:29 +0100
Hi guys!
After reading the docs you suggested (thx a lot for the advice), we
have almost implemented 90% of the new wireless IB-VG NAC infrastructure.
But it seems we still miss some details, so we can't manage to
complete the whole circle.
A VERY QUICK outline of the infrastructure:
- a client (without an IP at the beginning) asks for a network connection to an
access point (which has a single SSID)
- the access point authenticates the client (EAP-PEAP MSCHAPv2 + WPA2)
and assigns it an IP belonging to a specific VLAN (according to the
user/group association determined by IAS authentication)
- now the wireless client has an IP and it should begin CAS/NAC
authentication (all the networks/VLANs assigned by the AP are present in the
CAS managed networks/VLANs)
And now the questions/doubts:
- the Aironet 1232 access point is connected to a Cisco 2960 switch by a
trunked link (required to pass all VLANs managed by the AP): how do we have to
configure the Cisco 2960 port under NAC? Does it have to be an uncontrolled or
a controlled/profiled port? This last option seems to be problematic,
considering that NAC/CAS requires a VLAN associated to the controlled
port, and if the port is in trunk mode we'd get a trunked port associated to a
specific native VLAN
- we need to manage different NAC controlled networks/VLANs: do we have to
add all of them to the CAS configuration (as managed networks/VLAN mapping),
as we've already done, or does CAS need to manage JUST ONE managed
subnet/mapped VLAN, and then it's CAS that will in some way change the client
IP/VLAN according to its rules?
I sincerely hope that the questions/problems are clear (I tried to explain
them in the clearest way possible): if U need more details on aspects
that are not yet clear, pls let me know :-)))
Thx 4 your support,
Diego
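The dynamic VLAN assignment step in the outline above works by IAS returning the VLAN inside the RADIUS Access-Accept (the RFC 2868 tunnel attributes Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID=vlan id), which the AP then applies to the client; the message also notes that every VLAN the AP hands out must be one of the CAS managed VLANs. The following is an added example, not part of the original message and not Cisco, Microsoft or CAS code: it parses a raw RADIUS attribute list, extracts the VLAN from a consistent tagged triple, and refuses any assignment that is malformed, untagged-inconsistent, or outside the managed-VLAN set. The attribute bytes and the managed-VLAN set are constructed for the example.

```python
"""Extract a dynamic VLAN from RADIUS tunnel attributes and check it
against the set of VLANs the NAC appliance actually manages.

Added example. Attribute numbers and the tag encoding follow RFC 2868;
the Access-Accept payloads and CAS_MANAGED_VLANS below are constructed.
"""

TUNNEL_TYPE = 64                 # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6        # Tunnel-Medium-Type value for 802 media

# Constructed: the VLANs configured as "managed networks" on the CAS.
CAS_MANAGED_VLANS = {10, 20, 30}


def parse_attributes(payload: bytes):
    """Split a raw RADIUS attribute list into (type, value) pairs.
    Each attribute is Type(1) Length(1) Value(Length-2); a length that
    overruns the buffer or is below 2 is treated as an error."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def strip_tag(value: bytes):
    """RFC 2868: a leading octet in 0x00..0x1F is a tag grouping the
    tunnel attributes of one tunnel; anything larger is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(payload: bytes):
    """Return the VLAN id carried by a consistent Tunnel-* triple, or
    None when the triple is missing, inconsistent, or not numeric."""
    by_tag = {}
    for atype, raw in parse_attributes(payload):
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, val = strip_tag(raw)
        entry = by_tag.setdefault(tag, {})
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            entry[atype] = val.decode("ascii", errors="replace")
        else:
            entry[atype] = int.from_bytes(val, "big")  # 3-octet integer
    for entry in by_tag.values():
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802):
            group = entry.get(TUNNEL_PRIVATE_GROUP_ID, "")
            if group.isdigit():
                return int(group)
    return None


def managed_vlan_or_none(payload: bytes):
    """The check the message's third bullet implies: accept the assigned
    VLAN only if it is one the CAS manages, otherwise return None."""
    vlan = vlan_from_access_accept(payload)
    return vlan if vlan in CAS_MANAGED_VLANS else None


def tunnel_attr(atype: int, tag: int, value: bytes) -> bytes:
    """Encode one tagged tunnel attribute (helper to build test input)."""
    body = bytes([tag]) + value
    return bytes([atype, len(body) + 2]) + body


def build_accept(vlan_id: int, tag: int = 1, medium: int = TUNNEL_MEDIUM_IEEE802) -> bytes:
    """Constructed Access-Accept attribute list assigning vlan_id."""
    return (tunnel_attr(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, tag, medium.to_bytes(3, "big"))
            + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode("ascii")))


if __name__ == "__main__":
    print("VLAN 20 (managed):", managed_vlan_or_none(build_accept(20)))
    print("VLAN 99 (not managed):", managed_vlan_or_none(build_accept(99)))
    print("wrong medium type:", vlan_from_access_accept(build_accept(20, medium=1)))
```

The tag handling matters in practice: IAS may send the three attributes with tag 0 or 1, and an Access-Accept can carry several tagged tunnels, so the parser groups by tag and only trusts a group whose Tunnel-Type and Tunnel-Medium-Type both say "VLAN over 802". A VLAN name rather than a number in Tunnel-Private-Group-ID is rejected here because it needs a switch-side mapping this example does not model.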