topic Re: WLC C9800 AirSpace ACL does not get applied in Wireless

WLC C9800 AirSpace ACL does not get applied

Andrii Oliinyk — Wed, 26 Jan 2022 14:56:51 GMT

Hello Community

i've amazing misbehavour with scenario where i need to restrict vast majority of clients of locally switched SSID toward sensitive subnet while allowing specific clients to access this subnet. for this to work i've configured ACL denying IP to this subnet & allowing everything else on the WLC & configured 2 AuthZ policies on ISE: 1st match restriction & apply result with ACL-name ; 2nd match specific clients attributes & doesnt apply any restrictions. The issue i met the ACL never gets applied to 1st case client session...
i was trying Filter-ID attribute, i was trying AirSpaceACL checkbox in AuthZ profile with always the same result - ACL doesnt get applied.

I have AuthZ method list name configured on the WLC also coded as Method-List AV pair in the the AuthZ profile & all the prerequisites met for the scenario to work but...

I've opened TAC case running since 1w+ already w/o any progress with all verifications from TAC side implemented that's why i decided to ask community if anyone ever met such n issue.

WLC runs 17.3.3, ISE 2.7 patch 6, APs r in flexconnect mode & SSID is locally switched. Any idea pls?

Re: WLC C9800 AirSpace ACL does not get applied

Scott Fella — Wed, 26 Jan 2022 15:17:21 GMT

Have you opened the TAC case with the ISE team or the wireless team. You are better off making sure they both have a look. I haven't tried a dACL using FlexConnect, but wouldn't it be easier to have two vlan's and then use rules to place a device on on or the other vlan? Any way's, when I do any testing, I always have to play with rules to ensure a rules catches what I need. Maybe what the controller is sending back isn't being read by ISE. Thats when you might have to look for a different way to identify these devices.

Re: WLC C9800 AirSpace ACL does not get applied

Andrii Oliinyk — Wed, 26 Jan 2022 15:30:26 GMT

Hi Scott

TAC case is only in wireless team. The same is working on the AIR-OS w/o any problem.

we dont use dACL in this scenario & creation of separate SSID/VLAN is not n option.

Not sure about what WLC tells ISE during AuthZ phase, but debug on WLC shows ISE communicates AVs properly, & at the end WLC just omits any references to what it was doing with ACL & mumbling something about AuthZ Method-List it received.

2022/01/20 09:18:31.000165 {wncd_x_R0-0}{2}: [auth-mgr-feat_wireless] [18316]: (info): [5076.af47.945b:capwap_90000027] - authc_list: DOT1x_auth_ISE

2022/01/20 09:18:31.000167 {wncd_x_R0-0}{2}: [auth-mgr-feat_wireless] [18316]: (info): [5076.af47.945b:capwap_90000027] - authz_list: Not present under wlan configuration

2022/01/20 09:19:12.879716 {wncd_x_R0-0}{2}: [auth-mgr] [18316]: (info): [5076.af47.945b:capwap_90000027] User profile is to be applied. Authz mlist is not present, Authc mlist DOT1x_auth_ISE ,session push flag is unset

Re: WLC C9800 AirSpace ACL does not get applied

Scott Fella — Wed, 26 Jan 2022 15:38:30 GMT

I wouldn't ever compare AireOS and IOS... things are just not the same and thats from my experience. From what you stated, that tells me that the rules work for AireOS, so shouldn't be an issue (?) with the 9800's but you never know. Sorry but I haven't had to apply any acl's for our SSID's, but it would be interesting to find out what the solution is.

Re: WLC C9800 AirSpace ACL does not get applied

Andrii Oliinyk — Wed, 26 Jan 2022 15:45:32 GMT

of course, IOS-XE is not n AIR-OS that's particularly dACL r not recommended on the IOS-XE at all & for AirSpace ACL to work one needs to configure AuthZ method-list AV in the AuthZ-profile on ISE etc etc etc. what i wanted to say that whatever dynamic ACL application approach one chooses in AIR-OS case it will work if properly (meaning considering all prerequisites) configured on the WLC & ISE. it's totally not the case for IOS-XE for wireless...
surely will keep tread updated with Cisco TAC's findings...

Re: WLC C9800 AirSpace ACL does not get applied

Arshad Safrulla — Wed, 26 Jan 2022 17:25:22 GMT

Can you post your Flex profile? Did you push the ACL to the AP?

I would also like to know whether you have enabled central authentication under Policy profile or local authentication directly from AP? (NAD's are WLC or AP's in WLC?)

Also note only exteneded ACL's are supported by Flex AP's. Also you can do a RA trace for a client while connecting to this SSID to see whether the Radius server is sending required parameters.

Re: WLC C9800 AirSpace ACL does not get applied

Andrii Oliinyk — Wed, 26 Jan 2022 17:50:47 GMT

Hi Arshad

pls find screens attached. from my perspective everything looks like it has to be, can u confirm?

Also, yes, we use extended ACLs (standard only works with SRC).

& yes we did RA-trace with TAC. WLC receives needed attributes:

,,,
2022/01/20 09:19:12.878948 {wncd_x_R0-0}{2}: [radius] [18316]: (info): RADIUS: Cisco AVpair [1] 34 "Method-List=DOT1x_author_ISE"
2022/01/20 09:19:12.878957 {wncd_x_R0-0}{2}: [radius] [18316]: (info): RADIUS: Cisco AVpair [1] 40 "AireSpace-ACL-Name=acl-No-Office-2-LAB"

...

But there is no ACL in Applied attributes.

Re: WLC C9800 AirSpace ACL does not get applied

Arshad Safrulla — Wed, 26 Jan 2022 23:08:34 GMT

Did you check on the AP whether the ACL is there? Login to the AP via CLI and "show ip access-list" verify the ACL you pushed is there in the AP?

Also make sure that you save the tags on the AP.

Re: WLC C9800 AirSpace ACL does not get applied

Andrii Oliinyk — Mon, 31 Jan 2022 18:04:14 GMT

yes, ACLs r on APs. how can i check tags on AP?

UPD. tags r also there (thanks to @Rich R hint)

br andy

Re: WLC C9800 AirSpace ACL does not get applied

Rich R — Sun, 30 Jan 2022 16:21:03 GMT

“ap name <APname> write tag-config” saves the tags.

From 17.6.1 tag persistency is introduced:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-6/config-guide/b_wl_17_6_cg/m_ap_tag_persistency.html That also includes info about show ap tag summary.

Have you tried testing on a newer release like 17.6? There were a number of radius feature enhancements (to improve feature parity with AireOS) that went in between 17.3 and 17.6 which is why we're using 17.6 - our design simply didn't work on 17.3 as some commands appear in the config but are not implemented at all in the code.

Re: WLC C9800 AirSpace ACL does not get applied

Andrii Oliinyk — Tue, 01 Feb 2022 10:45:26 GMT

got resolved with switching to the Common Tasks / Airespace ACL Name check-box enablement instead of cisco-av-pair = AireSpace-ACL-Name=blah-blah.

Effectively, it gets treated on WLC as Filter-ID & shown under Monitoring / Wireless / Clients / <client> / General / Security Information / Server Policies|Resultant Policies

thanks to all

Re: WLC C9800 AirSpace ACL does not get applied

RAMKURAGAYALA — Wed, 01 Feb 2023 11:35:56 GMT

Actually I have successfully tested using "Airespace ACL" and "Filter-ID" separately, referencing ACL configured on WLC-9800. Despite Cisco 9800 is IOS-XE, "Airespace ACL" also worked in my use case.

Note : Cisco WLC-9800 doesn't support dACL.

Re: WLC C9800 AirSpace ACL does not get applied

hshimomu — Fri, 30 Jan 2026 11:47:35 GMT

Download ACL is supported from IOS XE 17.10.1.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-10/release-notes/rn-17-10-9800.html