7-14
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-29225-01
Chapter 7 Configuring Multiple SSIDs
NAC Support for MBSSID
Networks must be protected from security threats, such as viruses, worms, and spyware. These security
threats disrupt business, causing downtime and continual patching. Endpoint visibility and control are
needed to help ensure that all wired and wireless devices attempting to access a network meet corporate
security policies. Infected or vulnerable endpoints need to be automatically detected, isolated, and
cleaned.
NAC is designed specifically to help ensure that all wired and wireless endpoint devices (such as PCs,
laptops, servers, and PDAs) accessing network resources are adequately protected from security threats.
NAC allows organizations to analyze and control all devices coming into the network. By ensuring that
every endpoint device complies with corporate security policy and is running the latest and most relevant
security protections, organizations can significantly reduce or eliminate endpoint devices as a common
source of infection or network compromise.
WLANs need to be protected from security threats such as viruses, worms, and spyware. Both the NAC
Appliance and the NAC Framework provide security threat protection for WLANs by enforcing device
security policy compliance when WLAN clients attempt to access the network. These solutions
quarantine non-compliant WLAN clients and provide remediation services to help ensure compliance.
Based on its health (software version, virus definition version, and so on), a client is placed on a
separate VLAN from which it can download the software required to bring it up to the versions needed
to access the network. Four VLANs are specified for NAC support. One is the normal VLAN, on which
clients that have the correct software versions are placed. The other three are reserved for specific
quarantine actions; an infected client is placed on one of them until it has been upgraded.
Each SSID has up to 3 additional VLANs configured as “unhealthy” VLANs. Infected clients are placed
on one of these VLANs, based on how the client is infected. When a client sends an association request,
it includes its infected status in the request to the RADIUS server. The policy to place the client on a
specific VLAN is provisioned on the RADIUS server.
When an infected client associates with an access point and sends its state to the RADIUS server, the
RADIUS server puts it into one of the quarantine VLANs based on its health. This VLAN is sent in the
RADIUS server Access Accept response during the dot1x client authentication process. If the client is
healthy and NAC compliant, the RADIUS server returns a normal VLAN assignment for the SSID and
the client is placed in the correct VLAN and BSSID.
Each SSID is assigned a normal VLAN, which is the VLAN on which healthy clients are placed. The
SSID can also be configured to have up to 3 backup VLANs that correspond to the quarantine VLANs
on which clients are placed based on their state of health. These VLANs for the SSID use the same
BSSID as assigned by the MBSSID for the SSID.
The configured VLANs must all be different; no VLAN overlap within an SSID is allowed. A VLAN can
therefore be specified only once per interface and cannot belong to two different SSIDs on that interface.
Quarantine VLANs are automatically configured under the interface on which the normal VLAN is
configured. A quarantine VLAN inherits the encryption properties of the normal VLAN: it uses the
same key and authentication type, and the keys for the quarantine VLANs are derived automatically.
Dot11 sub-interfaces, one per configured VLAN, are generated and configured automatically along with
the matching dot1q encapsulation VLAN. The sub-interfaces on the wired side are also configured
automatically, along with the bridge-group configuration under the corresponding FastEthernet0
sub-interface.
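The following is an added example, not code from the Cisco guide or from IOS: a small Python model of the per-SSID VLAN rules above (one normal VLAN plus up to three quarantine VLANs, no VLAN reused within or across the SSIDs of one interface) and of placing a dot1x client on the VLAN named in the RADIUS Access-Accept. It assumes the VLAN is carried in the standard RADIUS tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which the page does not name, and it fails closed on a VLAN the SSID does not own, which is the example's own policy rather than documented AP behaviour.

```python
# RADIUS tunnel attributes (RFC 2868/3580) that carry a VLAN assignment. The page
# says the VLAN arrives in the Access-Accept but does not name the attributes, so
# relying on these three is an assumption of this example.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
MAX_QUARANTINE_VLANS = 3  # "up to 3 additional VLANs" per SSID, as the page states


class RadioInterface:
    """Hypothetical model of the NAC VLAN sets of the SSIDs on one radio interface."""

    def __init__(self, name="Dot11Radio0"):
        self.name = name
        self.ssids = {}        # ssid -> (normal_vlan, quarantine_vlans)
        self.used_vlans = set()

    def add_ssid(self, ssid, normal_vlan, quarantine_vlans=()):
        """Enforce the page's rules: <= 3 quarantine VLANs, no VLAN reused within or across SSIDs."""
        vlans = (normal_vlan, *quarantine_vlans)
        if len(vlans) - 1 > MAX_QUARANTINE_VLANS:
            raise ValueError(f"{ssid}: at most {MAX_QUARANTINE_VLANS} quarantine VLANs")
        if len(set(vlans)) != len(vlans):
            raise ValueError(f"{ssid}: a VLAN may appear only once within an SSID")
        if self.used_vlans & set(vlans):
            raise ValueError(f"{ssid}: VLAN already belongs to another SSID on {self.name}")
        self.used_vlans |= set(vlans)
        self.ssids[ssid] = (normal_vlan, tuple(quarantine_vlans))

    def place_client(self, ssid, access_accept):
        """VLAN for a dot1x client taken from its Access-Accept attributes, or None when the
        assignment is missing/malformed or names a VLAN this SSID does not own (fail closed)."""
        normal, quarantine = self.ssids[ssid]
        if (access_accept.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
                or access_accept.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802):
            return None
        try:
            vlan = int(access_accept.get(TUNNEL_PRIVATE_GROUP_ID, ""))  # attribute is a string
        except ValueError:
            return None
        return vlan if vlan == normal or vlan in quarantine else None


# Constructed sample: one SSID with its normal VLAN and three quarantine VLANs, plus
# two Access-Accept responses (healthy client, infected client) as attribute dicts.
radio = RadioInterface()
radio.add_ssid("corp", 10, (11, 12, 13))
ACCEPT_HEALTHY = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: "10"}
ACCEPT_INFECTED = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: "12"}
```

`place_client("corp", ACCEPT_HEALTHY)` yields the normal VLAN 10 and `ACCEPT_INFECTED` yields quarantine VLAN 12; an Access-Accept naming VLAN 99 returns None, and adding a second SSID that reuses VLAN 12 raises ValueError.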