topic Re: Airespace ACL - Flexconnect AP in Network Access Control

Airespace ACL - Flexconnect AP

victguti — Tue, 23 Oct 2018 10:57:44 GMT

Hello,

I have an ISE 2.2 patch 10 full distributed deployment in which I am using Airespace-ACLs for wireless clients. It is works successfully except when client connect to a Flexconnect AP.

Do you know if is there any limitation to use airspace-acls with Flexconnect AP?

Regards.

Re: Airespace ACL - Flexconnect AP

anthonylofreso — Tue, 23 Oct 2018 11:30:22 GMT

As long as that ACL exists under FlexConnect ACLs on the WLC, then airespace ACL should work.

Re: Airespace ACL - Flexconnect AP

Arne Bier — Tue, 23 Oct 2018 12:03:26 GMT

For a long time I dealt only with regular ACL's and ISE was returning them via the Access-Accept. And then I had to work with Flex ACL's. Well for starters, they look different because there is no direction associated with them (inbound/outbound). You have to create them under FlexACL and not regular ACL. But in ISE you can refer to them by the regular means. However, I have found that when I used them for Guest Portal URL redirection, that ISE didn't need to (or have to) return this named Flex ACL at all. The ACL is hard-coded into the part of the WLC config that deals with Central Web Auth. As soon as the session is in CWA then the WLC applies the ACL as configured in the WLC - it has nothing to do with Radius anymore (even though this is a MAB auth flow!). And then the other oddity I found (and have yet to resolve) is how to send the Flex ACL to tell the WLC that it has to apply a different Flex ACL because the guest is now authenticated. It just refuses to accept the named Flex ACL I send it. I never got it to work (Cisco WLC 8.5.something)

Re: Airespace ACL - Flexconnect AP

anthonylofreso — Tue, 23 Oct 2018 12:12:04 GMT

Nice. Learned something new today.

Re: Airespace ACL - Flexconnect AP

paul — Tue, 23 Oct 2018 12:55:09 GMT

I think you still need to apply the ACL from my experience, but the key with FlexConnect is you need to push out the ACLs to the APs using your FlexConnect groups. You push them out as policy ACLs. Also for ACLs that you want to apply to apply to restrict traffic you need to push them out as well before they can get applied. Look at the ACL tab in the FlexConnect group and push them out, but don't apply them to any interface.

Re: Airespace ACL - Flexconnect AP

rajcisco — Tue, 23 Oct 2018 16:09:37 GMT

I face the same issue, FlexConnect ACL should push through FlexConnect groups, but the ACL send to AP which in turn applied to user is different from the original ACL created in Controller. Seems its related to a bug affecting flexconnect ACL (its not the case in central switch) and there is a hotfix OS code for the same. CISCO also planned to release stable version of OS including this fix in first week of Nov-2018

Kindly raise a TAC to get more information on the same

Re: Airespace ACL - Flexconnect AP

hslai — Fri, 26 Oct 2018 00:20:38 GMT

Adding to the others, please also check out the Appendix B of How To: Universal Wireless Controller (WLC) Configuration for ISE