topic Re: Wireless Authentication and dACLs in Wireless

Wireless Authentication and dACLs

Rendraska — Mon, 05 Jul 2021 17:20:12 GMT

Hello.

I need help. Right now I have a cisco WLC working with ISE. Right now users using mobile/laptop when they want to authenticate, they just need to input their username and password after clicking the SSID (using 802.1x authentication).

Now, my client ask me to make changes.

1. Authentication will be going through a web/captive portal. Sounds simple enough.

2. Each user will be limited on what they can access. This is the problem.

What I'm thinking is, I make a dACL on ISE and attach it to the user as a custom parameters. Is that possible without the client having to install any programs? From my experience, I've made this one but for VPN and the client has to use a client program in their laptop to login. My question is, can I implement this in standard wireless setup as well, but without a client program for the mobile phone/laptop/tablet?

Aside from that, is there any other solution? I've read I can also create ACLs in WLC but I never done that before.

Thank you in advance.

Re: Wireless Authentication and dACLs

Sathiyanarayanan Ravindran — Tue, 07 May 2019 07:17:05 GMT

Yes, But the ACL has to be created in the WLC and the ACL name has to be configure on the Authorization policy results.

On the Local Mode APs:

You have to create ACL on the WLC by going to the Security --> Access Control List. For an example if you are configuring ACL name called ProjectUserAccess.

WLC Configuration if Local Mode APs:

On the WLAN go to advanced and check the AAA override option to accept the Dynamic authorization passed by ISE.
On the radius server settings you have to enable Support of CoA.

On the Flexconnect APs:

You have to create ACL on the WLC by going to Security --> Flexconnect ACLs

WLC Configuration if Flexconnect APs:

On the WLAN go to advanced and check the AAA override option to accept the Dynamic authorization passed by ISE.
On the radius server settings you have to enable Support of CoA.
In the AP you have to go to Flexconnect --> External WebAuth ACL --> Policies and select the policy ACL which you want to apply and add it.

WLC Configuration if you have Flexconnect AP group:

You have to create ACL on the WLC by going to Security --> Flexconnect ACLs
On the WLAN go to advanced and check the AAA override option to accept the Dynamic authorization passed by ISE.
On the radius server settings you have to enable Support of CoA.
Wireless --> FlexConnect Groups --> Open the Group where the APs are there, then go to ACL Mapping --> Policies and the ACLs.

ISE Configuration:

On the Authorization result profile you have to call the ACL name ProjectUserAccess on Airespace ACL Name.

Re: Wireless Authentication and dACLs

Haydn Andrews — Tue, 07 May 2019 07:19:12 GMT

The WLC wont support a dACL.

You have to preconfigure the named ACL on the WLC, and ISE will send the name. The name should be identical in the ISE policy manger and the WLC.

you can do named ACLs without client applications

the other option would be to change the client to different interfaces/ vlans where they have the restrictions on them.

The WLAN will need AAA override enabled for both options

Re: Wireless Authentication and dACLs

Rendraska — Tue, 07 May 2019 09:51:37 GMT

Nice. Thank you for the solution. I'll try it out later.

Re: Wireless Authentication and dACLs

Rendraska — Tue, 07 May 2019 09:52:18 GMT

OK, thank you for the reply. I'll try the other option too.