Cisco Aironet 1200 Access Point

Release Notes for Cisco Aironet Access Points for Cisco IOS Release 12.3(8)JEA3
OL-15480-01
  Documentation Updates
Follow these steps to configure NAC for MBSSID on your access point:
Step 1  Configure your network as shown in .
Step 2  Configure standalone access points and NAC-enabled client-EAP authentication.
Step 3  Configure the local profiles on the ACS server for posture validation.
Step 4  Configure the client and access point to allow the client to successfully authenticate using EAP-FAST.
Step 5  Ensure that the client posture is valid.
Step 6  Verify that the client associates to the access point and that the client is placed on the unrestricted VLAN after successful authentication and posture validation.
A sample configuration is shown below.
dot11 mbssid
dot11 vlan-name engg-normal vlan 100
dot11 vlan-name engg-infected vlan 102
dot11 vlan-name mktg-normal vlan 101
dot11 vlan-name mktg-infected1 vlan 103
dot11 vlan-name mktg-infected2 vlan 104
dot11 vlan-name mktg-infected3 vlan 105
!
dot11 ssid engg
 vlan engg-normal backup engg-infected
 authentication open
 authentication network-eap eap_methods
!
dot11 ssid mktg
 vlan mktg-normal backup mktg-infected1, mktg-infected2, mktg-infected3
 authentication open
 authentication network-eap eap_methods
!
interface Dot11Radio0
!
 encryption vlan engg-normal key 1 size 40bit 7 482CC74122FD transmit-key
 encryption vlan engg-normal mode ciphers wep40
!
 encryption vlan mktg-normal key 1 size 40bit 7 9C3A6F2CBFBC transmit-key
 encryption vlan mktg-normal mode ciphers wep40
!
 ssid engg
!
 ssid mktg
!
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.100
 encapsulation dot1Q 100 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
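The following Python check is an added example, not part of the Cisco release notes. It parses a configuration like the sample above, confirms that every VLAN name an SSID references is defined and that no backup VLAN shares an ID with a normal VLAN, and flags WEP ciphers such as the wep40 in the sample, since WEP is cryptographically broken. It assumes the backup VLANs are the restricted VLANs for clients that fail posture validation, as the sample's *-infected names suggest; parse, audit and SAMPLE are names chosen for this example.

```python
import re

# Indented excerpt of the sample configuration above, embedded so the check runs offline.
SAMPLE = """\
dot11 vlan-name engg-normal vlan 100
dot11 vlan-name engg-infected vlan 102
dot11 vlan-name mktg-normal vlan 101
dot11 vlan-name mktg-infected1 vlan 103
dot11 vlan-name mktg-infected2 vlan 104
dot11 vlan-name mktg-infected3 vlan 105
dot11 ssid engg
 vlan engg-normal backup engg-infected
dot11 ssid mktg
 vlan mktg-normal backup mktg-infected1, mktg-infected2, mktg-infected3
interface Dot11Radio0
 encryption vlan engg-normal mode ciphers wep40
 encryption vlan mktg-normal mode ciphers wep40
"""

def parse(config):
    """Return (VLAN name -> ID, SSID -> (normal, [backups]), VLAN name -> ciphers)."""
    vlans, ssids, ciphers, ssid = {}, {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"dot11 vlan-name (\S+) vlan (\d+)", line):
            vlans[m[1]] = int(m[2])
        elif m := re.fullmatch(r"dot11 ssid (\S+)", line):
            ssid = m[1]
        elif ssid and (m := re.fullmatch(r"vlan (\S+)(?: backup (.+))?", line)):
            backups = [b.strip() for b in (m[2] or "").split(",") if b.strip()]
            ssids[ssid] = (m[1], backups)
        elif m := re.fullmatch(r"encryption vlan (\S+) mode ciphers (.+)", line):
            ciphers[m[1]] = m[2].split()
    return vlans, ssids, ciphers

def audit(config):
    """List findings that weaken the normal/backup VLAN separation."""
    vlans, ssids, ciphers = parse(config)
    # Assumption: backup VLANs hold clients that failed posture validation.
    findings, normal_ids = [], {vlans.get(n) for n, _ in ssids.values()}
    for ssid, (normal, backups) in ssids.items():
        for i, name in enumerate([normal, *backups]):
            if name not in vlans:
                findings.append(f"{ssid}: VLAN name {name} is not defined")
            elif i and vlans[name] in normal_ids:  # i > 0 means a backup VLAN
                findings.append(f"{ssid}: backup {name} shares an ID with a normal VLAN")
    for name, modes in ciphers.items():
        if any(c.startswith("wep") for c in modes):
            findings.append(f"{name}: WEP cipher ({' '.join(modes)})")
    return findings
```

Run against the sample, audit(SAMPLE) reports only the two wep40 cipher lines; the VLAN mapping itself is consistent.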