Hi guys!

After reading the docs you suggested (thx a lot for the advices), we
almost implemented 90% of the new wireless IB-VG NAC infrastructure.

But it seems we still miss some details, so that we can't manage
completing the whole circle.

A VERY QUICK outline of the infrastructure:

- a client (without IP at the begin) ask for network connection to an
access point (which has a single SSID)

- the access point authenticates the client (EAP-PEAP MSCHAP v2 + WPA2)
and assign to it an IP belonging to a specific VLAN (according to
user/group association determined by IAS authentication)

- now wireless client has an IP and it should begin CAS/NAC
authentication (all the networks/VLANs assigned by AP are present into
CAS managed networks/VLAN)

And now the questions/doubts:

- the Aironet 1232 access point is connected to Cisco 2960 switch by a
trunked link (required to pass all VLANs managed by AP): how have we to
configure the Cisco 2960 port under NAC? Has it to be an uncontrolled or
a controlled/profiled port? This last option seems to be problematic,
considering that NAC/CAS require a VLAN associated to the controlled
port, and if the port in trunk we'd got a trunked port associated to a
specific native VLAN

- we need to managed different NAC controlled networks/VLAN: have we to
add all of them to CAS configuration (as managed networks/VLAN mapping)
as we've already done, or CAS needs to manage JUST ONE managed
subnet/mapped VLAN and then it's CAS that in any way will change client
IP/VLAN according to its rules?

I sincerely hope that questions/problems are clear (I tried to explain
them in the most clearer way possible): if U need an integration
concerning with not yet clear aspects, pls, let me know :-)))

Thx 4 your support,
Diego