topic Re: Sending ACL from ISE to 9800 WLC in Wireless

Sending ACL from ISE to 9800 WLC

Wes Schochet — Thu, 13 Jan 2022 15:54:25 GMT

Hi All-

Migrating from 5520 -> 9800. I have many use cases where ISE is sending the "Airespace-ACL-Name = xxx_ACL" message to enforce an ACL on the client. Looking to implement the same functionality on the 9800. Is this just a standard dACL now? I saw a lot of messages about bugs with dACLs? How do I best implement this functionality?

Thanks

Re: Sending ACL from ISE to 9800 WLC

Mark Elsen — Thu, 13 Jan 2022 16:59:19 GMT

- dACL is not yet supported on the 9800 :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw89561

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv16183

Re: Sending ACL from ISE to 9800 WLC

Rich R — Sat, 15 Jan 2022 10:29:54 GMT

Yep even in the latest release 17.7.1 https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-7/config-guide/b_wl_17_7_cg/m_wlan_9800.html#reference_937F7E4B0BEE4CC79D01B90AF723E192

"Downloadable ACL (DACL) is not supported in the FlexConnect mode or the local mode."

You can configure the ACL on the WLC and get ISE to send the pre-configured ACL name in av-pair.

Re: Sending ACL from ISE to 9800 WLC

Arshad Safrulla — Mon, 17 Jan 2022 13:33:21 GMT

Hi Guys,

OP is not referring to Downloadable ACL's and it was not supported in 5520 or any AireOS WLC's. So I guess the problem here is that ACL name sent by ISE.

As @Rich R mentioned you need to make sure that the ACL Name sent by ISE is configured in the WLC, if AP's are in Flexconnect mode you have to make sure that the ACL is pushed to AP.

wireless profile flex FLEX-SITE-20
acl-policy POSTURE-REDIRECT
central-webauth

I would also suggest that if the issue persist, post a RA trace for a client who is facing the issue. Or you can analyze the log your self by Wireless debug analzyer.

Wireless Debug Analyzer (cisco.com)

Re: Sending ACL from ISE to 9800 WLC

Wes Schochet — Mon, 17 Jan 2022 19:26:59 GMT

Thanks - I am attempting to send the ACL name, I can't find any info on what the av-pair is supposed to look like for the Cat controllers, The old style AirOS av-pair does not seem to be working.

Re: Sending ACL from ISE to 9800 WLC

ABM Networking — Fri, 11 Aug 2023 12:19:00 GMT

did you come up with an answer for this by any chance? I am looking to implement the same thing, but not sure how the av pairs should be formatted etc.

Thanks

Steve

Re: Sending ACL from ISE to 9800 WLC

Rich R — Fri, 11 Aug 2023 13:19:31 GMT

1. The dACL feature is only supported from 17.10.1 onwards - so you'll have to use 17.12.1 if you want to use dACLs.
2. Check the documentation at https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_dACL.html That includes a link to the guide for configuring the ACLs on ISE. Have you reviewed that?