topic Re: Dacl / ACL enforcement from ISE to Wireless devices in Wireless

Dacl / ACL enforcement from ISE to Wireless devices

jeaju99 — Thu, 09 Feb 2023 08:36:09 GMT

I am trying to create a ACL to deny access for wired and wireless clients, I am using ISE 3.1 and have 3504 WLC on version 8.10.151.0 . I created a Dacl in ISE and applied it to an authorization profile and it is working as intended but after doing some research it sounds like Dacl only works for wired clients and to enforce it on wireless clients i would need to create an ACL on the WLC. I could not find any good documentation on how to integrate the two. Do I Create the ACL on the WLC under Security->ACL and then use the same ACL name in the "Airespace ACL Name" field in ISE under authorization policy? If not how do I go about doing this? Is it possible to push the Dacl to the WLC? Or is it possible to push a general ACL out to every WLC with a name ISE recognizes? When I created this student_test_acl on my WLC and then added it to the policy in ISE it seems like it was apply deny ip any any to my device, I'm assuming because it didnt recognize the ACL in ISE? Can anyone point me in the right direction or give me some type of way to leverage ISE's profiling to force an ACL down to wireless clients to prevent IP connectivity to certain addresses? SGT's/RBACL in DNA just seems to apply to port/protocols and not IP's.

Re: Dacl / ACL enforcement from ISE to Wireless devices

Arshad Safrulla — Thu, 09 Feb 2023 09:03:00 GMT

DACL is not supported by any WLC as of today.

You can refer the below link for how ACL works - https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81733-contr-acls-rle.html

Regarding ISE and WLC integration with ACL enforcements;

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

https://lihaifeng.net/?p=28

Re: Dacl / ACL enforcement from ISE to Wireless devices

Karsten Iwen — Thu, 09 Feb 2023 09:14:40 GMT

For the brave ones, it is already supported in on 9800 WLCs version 17.9 for centralised WLANs. But for the OP, the AireOS will never get this feature.

Re: Dacl / ACL enforcement from ISE to Wireless devices

Wes Schochet — Thu, 09 Feb 2023 21:38:50 GMT

Yes - you have the right idea. ACL on the controller and specify in the authorization result on ISE:

Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = Allow_only_good_ACL