A RADIUS NAC-enabled WLAN supports Open Authentication and MAC filtering.
RADIUS NAC functionality does not work if the configured accounting server is different from the authentication (ISE) server. Configure the same server as both the authentication and the accounting server when ISE functionalities are used. If ISE is used only for ACS functionality, the accounting server can be flexible.
When clients move from one WLAN to another, the controller retains the client's audit session ID if the client returns to the WLAN before the idle timeout occurs. As a result, when clients join the controller before the idle timeout session expires, they are immediately moved to RUN state. The clients are validated if they reassociate with the controller after the session timeout.
Suppose you have two WLANs, where WLAN 1 is configured on a controller (WLC1) and WLAN 2 is configured on another controller (WLC2), and both are RADIUS NAC enabled. The client first connects to WLC1 and moves to the RUN state after posture validation. Assume that the client then moves to WLC2. If the client connects back to WLC1 before the PMK expires for this client in WLC1, the posture validation is skipped for the client. The client moves directly to RUN state, bypassing posture validation, because the controller retains the old audit session ID for the client, which is already known to ISE.
When deploying RADIUS NAC in your wireless network, do not configure a primary and secondary ISE server. Instead, we recommend that you configure HA between the two ISE servers. A primary and secondary ISE setup requires posture validation to happen before the clients move to RUN state. If HA is configured, the client is automatically moved to RUN state in the fallback ISE server.
The controller software configured with RADIUS NAC does not support a change of authorization (CoA) on the service port.
Do not swap AAA server indexes in a live network because clients might get disconnected and have to reconnect to the RADIUS server, which might result in log messages being appended to the ISE server logs.
You must enable AAA override on the WLAN to use RADIUS NAC.
WPA and WPA2 or dot1X must be enabled on the WLAN.
During slow roaming, the client goes through posture validation.
Guest tunneling mobility is supported for ISE NAC–enabled WLANs.
VLAN select is not supported.
Workgroup bridges are not
The AP Group over NAC is not supported over RADIUS NAC.
With RADIUS NAC enabled, the RADIUS server overwrite interface is not supported.
communication between client and server. We parse the DHCP profiling only once. This is sent to the ISE server only once.
If the AAA url-redirect attributes are expected from the AAA server, the AAA override feature must be enabled on the controller.
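A pre-deployment check for several of the restrictions listed above, as an added example that is not part of the original guide or of any Cisco tooling. The WLAN records and their field names (`radius_nac`, `aaa_override`, `auth_servers`, `acct_servers`, `ise_features`, `vlan_select`, `radius_overwrite_interface`) are hypothetical and would be mapped from your own controller configuration export.

```python
# Added example: field names are hypothetical, not a controller export schema.

def audit_radius_nac_wlan(wlan):
    """Return the list of restriction violations for one WLAN record."""
    findings = []
    if not wlan.get("radius_nac"):
        return findings  # the restrictions apply only to RADIUS NAC-enabled WLANs
    auth = wlan.get("auth_servers", [])
    acct = wlan.get("acct_servers", [])
    # AAA override must be enabled on the WLAN to use RADIUS NAC.
    if not wlan.get("aaa_override"):
        findings.append("aaa-override-disabled")
    # With ISE functionalities in use, accounting must point at the same server
    # as authentication; with ACS-only use the accounting server is flexible.
    if wlan.get("ise_features", True) and set(auth) != set(acct):
        findings.append("acct-server-differs-from-auth")
    # Assumption: more than one authentication server on the WLAN is treated
    # as a primary/secondary ISE setup (HA between ISE nodes is preferred).
    if len(auth) > 1:
        findings.append("primary-secondary-ise")
    if wlan.get("vlan_select"):
        findings.append("vlan-select-unsupported")
    if wlan.get("radius_overwrite_interface"):
        findings.append("overwrite-interface-unsupported")
    return findings

def audit(wlans):
    """Map WLAN name -> findings, omitting WLANs with no violations."""
    report = {}
    for wlan in wlans:
        findings = audit_radius_nac_wlan(wlan)
        if findings:
            report[wlan["name"]] = findings
    return report

# Constructed sample records, not taken from a real controller.
SAMPLE_WLANS = [
    {"name": "guest-nac", "radius_nac": True, "aaa_override": False,
     "auth_servers": ["ise-1"], "acct_servers": ["acct-1"]},
    {"name": "corp-nac", "radius_nac": True, "aaa_override": True,
     "auth_servers": ["ise-1"], "acct_servers": ["ise-1"]},
    {"name": "acs-only", "radius_nac": True, "aaa_override": True,
     "auth_servers": ["ise-1"], "acct_servers": ["acct-2"],
     "ise_features": False, "vlan_select": True},
    {"name": "legacy", "radius_nac": False, "aaa_override": False},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_WLANS).items():
        print(name, findings)
```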