Dynamic Interfaces

Started by deanwebb, January 23, 2020, 05:27:25 PM


deanwebb

Help me out with a wireless solution...

This is on Cisco 5500 series WLCs...

Customer has a wireless SSID for IoT devices. Just about anything gets onto that if it has the pre-shared key. The devices do not support anything stricter than WPA2, so it has to stay that way. The problem is Windows users hopping onto that SSID and doing their Internet there.

Rather than kick them off the SSID, customer asked about applying a dynamic interface. Forescout can do that, but I'm not 100% sure on all the stuff a dynamic interface is or does. When I read the Cisco docs, it sounds like the devices stay on the SSID, but they get a different VLAN, and that VLAN can have an ACL on it that blocks traffic to sensitive locations and the like. So, with the dynamic interface putting the improperly connected devices on a different VLAN, we can put a rule on the VLAN to prevent the Windows PCs from talking to the sensitive IoT devices, among other things.

Is that right, or are dynamic interfaces not supposed to be for that use case?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

That's how I read it as well, but as you know, I hate wireless and NAC even more. Ha

https://community.cisco.com/t5/other-wireless-mobility-subjects/single-ssid-with-multiple-vlans/td-p/1496917

Can't you give them per-device PSK or something fancy like that? (your, um, competition can :p, sure you'd have to reconfigure existing devices but you could then not do any dynamic interfaces or RADIUS-based VLAN assignment)

SimonV

A dynamic interface is just Cisco's name for a client-facing interface (i.e. not a management port or AP manager port).

Now, if you want to assign a dynamic VLAN to a client, the Airespace RADIUS dictionary only contains the string attribute "Airespace-Interface-Name".
There is no attribute for VLAN number, so you have to specify the interface name on the WLC instead.
It really is a great idea from Cisco, especially if you have dyslexic colleagues who don't give a *@"! about naming conventions.


deanwebb

Thanks Winter and Simon, good info.

The assignment would be done either as a RADIUS proxy sending a CoA or as the actual RADIUS server or a direct SNMP RW command.

Can't do a zillion PSKs because we'd wind up back in the same boat when someone decides on his own that his device needs the access provided in a different VLAN. This also means no reconfiguration needed on the devices.
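Added example, not code from anyone in this thread: it shows the wire format behind Simon's Airespace-Interface-Name point and Dean's CoA option. It encodes the Airespace vendor-specific attribute (vendor ID 14179; vendor-type 5 is Airespace-Interface-Name, 6 is Airespace-ACL-Name) per RFC 2865 section 5.26, wraps it in a CoA-Request (code 43) with the RFC 5176 request authenticator, then decodes it the way the WLC would have to. The shared secret, the client MAC, and the interface table are constructed values. The exact-string lookup in `resolve_interface` is an assumption standing in for the WLC's own matching; the fallback it models (an interface name that does not resolve leaves the client on the WLAN's default interface) is what makes naming-convention slips painful.

```python
"""RADIUS CoA with Airespace VSAs for WLC dynamic-interface assignment.
Added example; not from the forum thread or from Cisco."""
import hashlib
import struct

AIRESPACE_VENDOR_ID = 14179          # Airespace/Cisco WLC vendor ID
AIRESPACE_VSA_NAMES = {5: "Airespace-Interface-Name", 6: "Airespace-ACL-Name"}
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31         # client MAC, used by the WLC to find the session
CODE_COA_REQUEST = 43

# Constructed stand-in for the WLC's dynamic interfaces: name -> VLAN ID
WLC_DYNAMIC_INTERFACES = {"iot-quarantine": 310, "corp-users": 100}


def attr(type_: int, value: bytes) -> bytes:
    """Generic RADIUS AVP: Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", type_, len(value) + 2) + value


def airespace_vsa(vendor_type: int, text: str) -> bytes:
    """RFC 2865 5.26 VSA: 26 | len | Vendor-Id(4) | Vendor-Type | Vendor-Len | string."""
    data = text.encode("ascii")
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", AIRESPACE_VENDOR_ID) + inner)


def build_coa_request(secret: bytes, identifier: int, attrs: list) -> bytes:
    """CoA-Request per RFC 5176: authenticator = MD5(Code+Id+Len+16 zero bytes+attrs+secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_COA_REQUEST, identifier & 0xFF, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_coa_authenticator(packet: bytes, secret: bytes) -> bool:
    """What the WLC checks before acting: recompute the authenticator over the packet."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + body + secret).digest() == auth


def parse_attrs(packet: bytes) -> dict:
    """Walk the AVPs after the 20-byte header, unwrapping Airespace VSAs by name."""
    out = {}
    pos = 20
    while pos < len(packet):
        type_, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + length]
        if type_ == ATTR_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            if vendor_id == AIRESPACE_VENDOR_ID and vendor_type in AIRESPACE_VSA_NAMES:
                out[AIRESPACE_VSA_NAMES[vendor_type]] = value[6:4 + vendor_len].decode("ascii")
        elif type_ == ATTR_CALLING_STATION_ID:
            out["Calling-Station-Id"] = value.decode("ascii")
        pos += length
    return out


def resolve_interface(attrs: dict, configured=WLC_DYNAMIC_INTERFACES):
    """Assumed WLC behaviour: exact name match returns the VLAN ID; no match returns
    None, i.e. the client silently stays on the WLAN's default interface."""
    return configured.get(attrs.get("Airespace-Interface-Name"))


if __name__ == "__main__":
    pkt = build_coa_request(b"s3cret", 7, [
        attr(ATTR_CALLING_STATION_ID, b"aa-bb-cc-dd-ee-ff"),   # constructed client MAC
        airespace_vsa(5, "iot-quarantine"),
        airespace_vsa(6, "block-iot-mgmt"),                    # optional per-client ACL
    ])
    print(pkt.hex())
    print(parse_attrs(pkt), "->", resolve_interface(parse_attrs(pkt)))
```

Two WLC-side prerequisites before any of this does anything: the WLAN must have "Allow AAA Override" enabled, and the sender of the CoA must be configured on the controller as a RADIUS/CoA client with that shared secret. The MD5 authenticator is integrity only, not confidentiality, so the CoA path belongs on a management network, not the IoT VLAN it is policing.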

Dieselboy

What I have done here is set the VLAN ID on the WLC 2504 based on RADIUS group membership. So for example, if a visitor connects to the corp SSID then they get punted onto the guest VLAN anyway. I only have Windows AD/RADIUS and the WLC to do this, no ISE or anything fancy. So I have to have two separate SSIDs (one for corp, one for guest) in case employees want their phones on the wifi; then they can use the "guest" SSID manually.

I want to at some point move this to cert-auth so the cert puts them on the corp wifi.

Nerm

Yep, you can do this. What I do for SSIDs that have to be PSK based is use "device profiling" to punt devices to different VLANs based on the device profile the WLC sees them as when they associate.

deanwebb

Thanks for more information on this, looks like exactly what we want to do. We did want to change SSIDs at first, but that's not an option. This is essentially the next best thing, as it can be made to produce the same result as switching an SSID.