Hi guys! After reading the docs you suggested (thx a lot for the advice), we have implemented almost 90% of the new wireless IB-VG NAC infrastructure.
But it seems we are still missing some details, so we can't manage to complete the whole circle.

A VERY QUICK outline of the infrastructure:

- a client (without an IP at the beginning) asks for a network connection to an access point (which has a single SSID)
- the access point authenticates the client (EAP-PEAP MSCHAP v2 + WPA2) and assigns it an IP belonging to a specific VLAN (according to the user/group association determined by IAS authentication)
- now the wireless client has an IP and it should begin CAS/NAC authentication (all the networks/VLANs assigned by the AP are present in the CAS managed networks/VLANs)

And now the questions/doubts:

- the Aironet 1232 access point is connected to a Cisco 2960 switch by a trunked link (required to pass all VLANs managed by the AP): how do we have to configure the Cisco 2960 port under NAC? Does it have to be an uncontrolled or a controlled/profiled port? This last option seems to be problematic, considering that NAC/CAS require a VLAN associated with the controlled port, and if the port is in trunk we'd have a trunked port associated with a specific native VLAN
- we need to manage different NAC controlled networks/VLANs: do we have to add all of them to the CAS configuration (as managed networks/VLAN mapping) as we've already done, or does CAS need to manage JUST ONE managed subnet/mapped VLAN, and then it's CAS that in any way will change the client IP/VLAN according to its rules?

I sincerely hope that the questions/problems are clear (I tried to explain them in the clearest way possible): if U need more details about aspects that are not yet clear, pls, let me know :-)))

Thx 4 your support,
Diego
