https://community.cisco.com/t5/wireless/9800-acl-implementation-per-ssid-or-per-user-session/m-p/4406381#M229572 <P>hi,</P><P>&nbsp;</P><P>currently we have 9800 vwlc integrated with ISE. the requirement is that when mobile connects to SSID ((flexconnect SSID with Layer2 WPA2 and 802.1x), it can access only internet and should connect to internal resources except for dns and dhcp purpose.</P><P>&nbsp;</P><P>i tried following but nothing is working.</P><P>&nbsp;</P><P>1.configured acl (for testing acl is permit ip any any) on 9800vwlc and called this ACL using airspace-acl as well as filter id but after i apply it to authorization policy, user is not able to connect to SSID .</P><P>2. configured acl (for testing acl is permit ip any any) on 9800 and configure WLAN ACL (Configuration &gt; Policy &gt; Policy Profile &gt; Access Policies (tab)&gt; WLAN ACL) and point it to ACL configured on same WLC. and i am getting incorrect ACL error.</P><P>&nbsp;</P><P>is it possible to configure ACL per SSID or per user session when user is authenticated via 802.1x.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Naray</P><P>&nbsp;</P> Mon, 05 Jul 2021 20:19:48 GMT nareh84 2021-07-05T20:19:48Z https://community.cisco.com/t5/wireless/9800-acl-implementation-per-ssid-or-per-user-session/m-p/4406381#M229572 <P>hi,</P><P>&nbsp;</P><P>currently we have 9800 vwlc integrated with ISE. the requirement is that when mobile connects to SSID ((flexconnect SSID with Layer2 WPA2 and 802.1x), it can access only internet and should connect to internal resources except for dns and dhcp purpose.</P><P>&nbsp;</P><P>i tried following but nothing is working.</P><P>&nbsp;</P><P>1.configured acl (for testing acl is permit ip any any) on 9800vwlc and called this ACL using airspace-acl as well as filter id but after i apply it to authorization policy, user is not able to connect to SSID .</P><P>2. configured acl (for testing acl is permit ip any any) on 9800 and configure WLAN ACL (Configuration &gt; Policy &gt; Policy Profile &gt; Access Policies (tab)&gt; WLAN ACL) and point it to ACL configured on same WLC. and i am getting incorrect ACL error.</P><P>&nbsp;</P><P>is it possible to configure ACL per SSID or per user session when user is authenticated via 802.1x.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Naray</P><P>&nbsp;</P> Mon, 05 Jul 2021 20:19:48 GMT https://community.cisco.com/t5/wireless/9800-acl-implementation-per-ssid-or-per-user-session/m-p/4406381#M229572 nareh84 2021-07-05T20:19:48Z https://community.cisco.com/t5/wireless/9800-acl-implementation-per-ssid-or-per-user-session/m-p/4406630#M229588 <P>What version of code are you using?</P><P>&nbsp;</P><P>WLAN ACL is working fine for us on 17.5.1 - applied to the policy profile - WLAN IPv4 ACL on Access Policies tab on the GUI.</P><P>&nbsp;</P><P>On CLI:<BR />wireless profile policy &lt;policyname&gt;<BR />&nbsp;ipv4 acl &lt;acl-name&gt;</P> Fri, 21 May 2021 13:43:05 GMT https://community.cisco.com/t5/wireless/9800-acl-implementation-per-ssid-or-per-user-session/m-p/4406630#M229588 Rich R 2021-05-21T13:43:05Z https://community.cisco.com/t5/wireless/9800-acl-implementation-per-ssid-or-per-user-session/m-p/4406656#M229590 <P>hi,</P><P>&nbsp;</P><P>version is&nbsp;17.03.01</P> Fri, 21 May 2021 14:18:42 GMT https://community.cisco.com/t5/wireless/9800-acl-implementation-per-ssid-or-per-user-session/m-p/4406656#M229590 nareh84 2021-05-21T14:18:42Z https://community.cisco.com/t5/wireless/9800-acl-implementation-per-ssid-or-per-user-session/m-p/4406684#M229592 <P>Can't remember if we tried it on 17.3.1.</P><P>You could try 17.5.1 or at least 17.3.3.</P> Fri, 21 May 2021 15:07:40 GMT https://community.cisco.com/t5/wireless/9800-acl-implementation-per-ssid-or-per-user-session/m-p/4406684#M229592 Rich R 2021-05-21T15:07:40Z