topic Re: Cisco WLC Flexconnect DACL with ISE not working in Wireless

Cisco WLC Flexconnect DACL with ISE not working

islam.kamal — Sun, 25 Sep 2022 18:29:05 GMT

I have an integration between Cisco ISE and WLC 9800. All AP with flexconnect mode, am trying to restrict access for some internal applications using ISE.

I created the ACL on WLC "extended ACL".

On ISE "profile authorization", i tried with the following:-

1- Airspace ACL "using created WLC ACL" not working.

2-ACL "filter In" not working.

Any solution to push the ACL from ISE to WIFI users who connect to WIFI using flexconnect APs, kindly share the solution.

Re: Cisco WLC Flexconnect DACL with ISE not working

islam.kamal — Mon, 26 Sep 2022 06:50:35 GMT

Any advise,please.

Re: Cisco WLC Flexconnect DACL with ISE not working

Arshad Safrulla — Mon, 26 Sep 2022 07:53:41 GMT

9800 doesn't officially support support DACL's yet. Please refer the enhancement bug

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv16183

You might be able to get it working since controller itself is running IOS-XE code, but however it is not officially supported and caused behavior which might impact other primary functions of WLC.

Re: Cisco WLC Flexconnect DACL with ISE not working

islam.kamal — Mon, 26 Sep 2022 07:59:53 GMT

Yes, i know about the bug. Is there any solution to restrict or deny some IPs for WIFI users.

WLC controller IOS-XE C9800.

ISE 2.7

Re: Cisco WLC Flexconnect DACL with ISE not working

Arshad Safrulla — Mon, 26 Sep 2022 08:28:08 GMT

You must create the ACL in WLC, and then make sure that is pushed to AP's via making required configuration changes in Flex profiles.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#anc23:~:text=of%20the%20rules.-,Flexconnect%20Local%20Switching%20Access%20Points%20ONLY,-What%20if%20you

Flex Profile >> Policy ACL

Also Make sure that you are running Cisco recommended IOS-XE codes as some older and short-lived codes have limitations with regards to Radius implementation.

Refer the below post which is very helpful as well.

Solved: WLC C9800 AirSpace ACL does not get applied - Cisco Community

Re: Cisco WLC Flexconnect DACL with ISE not working

islam.kamal — Mon, 26 Sep 2022 08:46:32 GMT

Yes, now the issue how can i call the ACLwhich created on WLC by ISE.

Also the ACL to deny some application, not for redirect "i have to do a check mark for central web"

Re: Cisco WLC Flexconnect DACL with ISE not working

Arshad Safrulla — Mon, 26 Sep 2022 09:56:50 GMT

Hi Kamal,

Below are radius attributes supported by 9800's. Configure them in you Cisco ISE Authorization profile.

Tunnel-Private-Group-ID = 1 <VLAN ID or name>
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
Airespace:Airespace-Interface-Name = <name of vlan or vlan goup on WLC)
Airespace-ACL-Name = <ACL name configured in the WLC)

Highlighted is the one you should be focusing on. As mentioned before please make sure that you push the ACL to AP by configuring the Flex profile.

Re: Cisco WLC Flexconnect DACL with ISE not working

islam.kamal — Mon, 26 Sep 2022 10:25:30 GMT

Thanks Arshad, but still unable to apply the ACL and user has all permit access.I attached the configuration based on your recommendation.

Re: Cisco WLC Flexconnect DACL with ISE not working

islam.kamal — Mon, 26 Sep 2022 10:33:48 GMT

Appreciate your support, the WLC ACL in place and ISE use the same ACL "airespace ACL name".

Re: Cisco WLC Flexconnect DACL with ISE not working

islam.kamal — Mon, 26 Sep 2022 13:21:32 GMT

any idea

Re: Cisco WLC Flexconnect DACL with ISE not working

Arshad Safrulla — Mon, 26 Sep 2022 13:41:35 GMT

Hi Islam,

Yes, ACL name and the Airspace ACL name must be same. You can do a radioactive trace from 9800 WLC to see what parameters ISE is sending and how the client is reacting to it. Alternatively, you can also do a PCAP to confirm radius messages are sent with the required parameters.