1-13
Cisco Wireless LAN Controller Configuration Guide
OL-17037-01
Chapter 1 Overview
Identity Networking
Identity Networking
Controllers can have the following parameters applied to all clients associating with a particular wireless
LAN: QoS, global or Interface-specific DHCP server, Layer 2 and Layer 3 Security Policies, and default
Interface (which includes physical port, VLAN and ACL assignments).
However, the controllers can also have individual clients (MAC addresses) override the preset wireless
LAN parameters by using MAC Filtering or by Allowing AAA Override parameters. This configuration
can be used, for example, to have all company clients log into the corporate wireless LAN, and then have
clients connect using different QoS, DHCP server, Layer 2 and Layer 3 Security Policies, and Interface
(which includes physical port, VLAN and ACL assignments) settings on a per-MAC Address basis.
When Cisco UWN Solution operators configure MAC Filtering for a client, they can assign a different
VLAN to the MAC Address, which can be used to have operating system automatically reroute the client
to the management interface or any of the operator-defined interfaces, each of which have their own
VLAN, access control list (ACL), DHCP server, and physical port assignments. This MAC Filtering can
be used as a coarse version of AAA Override, and normally takes precedence over any AAA (RADIUS
or other) Override.
However, when Allow AAA Override is enabled, the RADIUS (or other AAA) server can alternatively
be configured to return QoS
, DSCP, 802.1p priority tag values and ACL on a per-MAC Address basis.
Allow AAA Override gives the AAA Override precedence over the MAC Filtering parameters set in the
controller; if there are no AAA Overrides available for a given MAC Address, the operating system uses
the MAC Filtering parameters already in the controller. This AAA (RADIUS or other) Override can be
used as a finer version of AAA Override, but only takes precedence over MAC Filtering when Allow
AAA Override is enabled.
Note that in all cases, the Override parameters (Operator-Defined Interface and QoS, for example) must
already be defined in the controller configuration.
In all cases, the operating system will use QoS
, DSCP, 802.1p priority tag values and ACL provided
by the AAA server or MAC Filtering regardless of the Layer 2 and/or Layer 3 authentication used.
Also note that the operating system only moves clients from the default Cisco UWN Solution WLAN
VLAN to a different VLAN when configured for MAC filtering, 802.1X, and/or WPA Layer 2
authentication. To configure WLANs, refer to Chapter 6.
Enhanced Integration with Cisco Secure ACS
The identity-based networking feature uses authentication, authorization, and accounting (AAA)
override. When the following vendor-specific attributes are present in the RADIUS access accept
message, the values override those present in the wireless LAN profile:
• QoS level
• 802.1p value
• VLAN interface name
• Access control list (ACL) name
To Next Page
Loading...
Need help?
General
