Cisco Aironet 1310 Access Point Bridge Release Notes
Release Notes for Cisco Aironet Access Points for Cisco IOS Release 12.3(8)JEA1
OL-12427-01
Documentation Updates
Release 12.3(8)JEA1 provides NAC support for MBSSID. A client, based on its health (software version, virus version, and so on), is placed on a separate VLAN that is specified to download the required software to upgrade the client to the software versions required to access the network. Four VLANs are specified for NAC support, one of which is the normal VLAN where clients having the correct software version are placed. The other VLANs are reserved for specific quarantine actions, and all infected clients are placed on one of these VLANs until the client is upgraded.
Each SSID can have up to 3 additional VLANs configured as “unhealthy” VLANs. Infected clients are placed on one of these VLANs, based on how the client is infected. When a client sends an association request, it includes its infected status in the request to the RADIUS server. The policy that places the client on a specific VLAN is provisioned on the RADIUS server.
When an infected client associates with an access point and sends its state to the RADIUS server, the RADIUS server puts it into one of the quarantine VLANs based on its health. This VLAN is sent in the RADIUS server Access-Accept response during the dot1x client authentication process. If the client is healthy and NAC compliant, the RADIUS server returns the normal VLAN assignment for the SSID, and the client is placed in the correct VLAN and BSSID.
Each SSID is assigned a normal VLAN, which is the VLAN on which healthy clients are placed. The SSID can also be configured with up to 3 backup VLANs that correspond to the quarantine VLANs on which clients are placed based on their state of health. These VLANs for the SSID use the same BSSID as assigned by the MBSSID for the SSID.
The configured VLANs must be distinct: no VLAN overlap within an SSID is allowed. Therefore, a VLAN can be specified only once and cannot be part of 2 different SSIDs on the same interface.
Quarantine VLANs are automatically configured under the interface on which the normal VLAN is configured. A quarantine VLAN inherits the same encryption properties as the normal VLAN: all of these VLANs have the same key/authentication type, and the keys for the quarantine VLANs are derived automatically.
Dot11 sub-interfaces are generated and configured automatically along with the dot1q encapsulation VLAN (one per configured VLAN). The sub-interfaces on the wired side are also configured automatically, along with the bridge-group configurations under the FastEthernet0 sub-interface.
When a client associates and the RADIUS server determines that it is unhealthy, the server returns one of the quarantine NAC VLANs in its RADIUS authentication response for dot1x authentication. This VLAN should be one of the configured backup VLANs under the client’s SSID. If the VLAN is not one of the configured backup VLANs, the client is disassociated.
Data corresponding to all the backup VLANs is sent and received using the BSSID that is assigned to the SSID. Therefore, all clients (healthy and unhealthy) listening to the BSSID corresponding to the SSID wake up. Based on the multicast key being used for the VLAN (healthy or unhealthy), packet decryption takes place on the client. Wired-side traffic is segregated because different VLANs are used, thereby ensuring that traffic from infected and uninfected clients does not mix.
A new keyword, backup, is added to the existing vlan <name> | <id> command under dot11 ssid <ssid>, as described below:
vlan <name>|<id> [backup <name>|<id>, <name>|<id>, <name>|<id>]
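The two checks the text describes, modelled as an added Python example (not Cisco code): the configuration rule that a VLAN appears only once across the SSIDs on an interface, and the placement decision that accepts the normal VLAN, accepts a configured backup VLAN as quarantine, and disassociates the client for anything else. It assumes the Access-Accept carries the VLAN in the IETF Tunnel-Private-Group-ID attribute (RFC 3580) and that the SSID names, VLAN ids and VLAN-name map are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ssid:
    name: str
    normal_vlan: int          # VLAN for healthy, NAC-compliant clients
    backup_vlans: tuple = ()  # up to 3 quarantine VLANs, same BSSID as normal_vlan


# Constructed sample: two SSIDs on one radio interface (VLAN ids are assumptions).
CORP = Ssid("corp", normal_vlan=10, backup_vlans=(11, 12, 13))
GUEST = Ssid("guest", normal_vlan=20, backup_vlans=(21,))
# Constructed VLAN-name map, used when the server returns a VLAN name instead of an id.
VLAN_NAMES = {"corp-data": 10, "corp-quarantine-av": 12}


def validate_ssids(ssids):
    """Return a list of configuration errors (empty list means the set is valid):
    at most 3 backup VLANs per SSID, and no VLAN used twice on the interface."""
    errors, seen = [], {}
    for s in ssids:
        if len(s.backup_vlans) > 3:
            errors.append(f"{s.name}: more than 3 backup VLANs")
        for v in (s.normal_vlan, *s.backup_vlans):
            if v in seen:
                errors.append(f"VLAN {v} used more than once ({seen[v]}, {s.name})")
            else:
                seen[v] = s.name
    return errors


def place_client(ssid, access_accept, vlan_names=VLAN_NAMES):
    """Decide placement from the VLAN in the RADIUS Access-Accept.
    Returns ("normal", id), ("quarantine", id) or ("disassociate", raw_value)."""
    raw = access_accept.get("Tunnel-Private-Group-ID")
    # Accept either a VLAN name (resolved through the map) or a numeric VLAN id.
    vlan = vlan_names.get(raw, int(raw) if raw is not None and raw.isdigit() else None)
    if vlan == ssid.normal_vlan:
        return ("normal", vlan)
    if vlan in ssid.backup_vlans:
        return ("quarantine", vlan)
    # VLAN outside the SSID's normal/backup set, or no VLAN at all: disassociate.
    return ("disassociate", raw)
```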
Configuring NAC for MBSSID
Note
This feature supports only Layer 2 mobility within VLANs. Layer 3 mobility using a network ID is not supported by this feature.