Configuring Nac For Mbssid - Allen-Bradley Stratix 5100 User Manual

Configuring NAC for MBSSID

This feature supports only Layer 2 mobility within VLANs. Layer 3 mobility by
using a network ID is not supported in this feature.
Before you attempt to enable NAC for MBSSID on your access points, you must
first have NAC working properly. This figure shows a typical network setup.
Figure 88 - Typical NAC Network Setup
Unrestricted
Access
VLAN/Network
For additional information, see the documentation for deploying NAC for Cisco
wireless networks.
Follow these steps to configure NAC for MBSSID on your access point:
1. Configure your network as shown in
2. Configure standalone access points and NAC-enabled client-EAP
authentication.
3. Configure the local profiles on the ACS server for posture validation.
4. Configure the client and access point to let the client to successful
authenticate by using EAP-FAST.
5. Verify that the client posture is valid.
6. Verify that the client associates to the access point and that the client is
placed on the unrestricted VLAN after successful authentication and
posture validation.
A sample configuration is shown below.
dot11 mbssid
dot11 vlan-name engg-normal vlan 100
dot11 vlan-name engg-infected vlan 102
dot11 vlan-name mktg-normal vlan 101
dot11 vlan-name mktg-infected1 vlan 103
dot11 vlan-name mktg-infected2 vlan 104
dot11 vlan-name mktg-infected3 vlan 105
!
dot11 ssid engg
vlan engg-normal backup engg-infected
authentication open
authentication network-eap eap_methods
!
dot11 ssid mktg
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Configuring Multiple SSIDs
Quarantine/
Restricted Access
VLAN/Network
ACS
Wireless laptops
Figure 88.
Chapter 8
297