topic Catalyst 9800/ISE - ACL in Wireless

Catalyst 9800/ISE - ACL

Luna99923 — Mon, 20 Jan 2025 03:07:06 GMT

Hello,

I have a Catalyst 9800-80 running version 17.9.6 and Cisco ISE 3.1. I want to configure wireless clients connected to an SSID using iPSK/MAB to dynamically change their VLAN and reference an ACL that resides on the 9800.

I understand that dACL support is only available starting with version 17.10, so I cannot use that feature at this time. While I have successfully configured the dynamic VLAN functionality using an authorization profile, I would like guidance on how to handle the ACL configuration under these constraints.

Thank you for your assistance!

Re: Catalyst 9800/ISE - ACL

Ambuj M — Mon, 20 Jan 2025 03:44:51 GMT

you can configure dACL, the aproach is different before and after 17.10

In Cisco IOS-XE 17.8 and earlier releases, you had to configure the name in Cisco ISE and define the ACL individually in each of the controllers, so when you configure ISE, just push ACL name and define your ACLs locally on controller.

In newer version you can push entire ACL on WLC instead of just name, no need to define ACL entries locally on controller

Re: Catalyst 9800/ISE - ACL

MHM Cisco World — Mon, 20 Jan 2025 04:58:26 GMT

It rare to push both dynamic vlan and dacl.

If you config ise to push dynamic vlan then use ACL in wlan to control traffic no need to push it from ISE.

The dacl is mainly used for redirect traffic of cwa.

MHM

Re: Catalyst 9800/ISE - ACL

srimal99 — Mon, 20 Jan 2025 10:38:31 GMT

@Luna99923 As mentioned above You can defined on the ISE and push to controllers.You can refer to following links
https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99121-vlan-acs-ad-config.html

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.html

Re: Catalyst 9800/ISE - ACL

Luna99923 — Tue, 21 Jan 2025 14:57:50 GMT

Thank you.

Does anyone know if the following still applies to 9800 WLCs? I pulled the following from: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71978-acl-wlc.html

Considerations When ACLs are Configured in WLCs

ALCs in WLCs work differently than in routers. These are a few things to remember when you configure ACLs in WLCs:

The most common mistake is to select IP when you intend to deny or allow IP packets. Because you select what is inside the IP packet, you deny or allow IP-in-IP packets.
Controller ACLs cannot block WLC virtual IP address, and hence DHCP packets for wireless clients.
Controller ACLs cannot block multicast traffic received from wired networks that is destined to wireless clients. Controller ACLs are processed for multicast traffic initiated from wireless clients, destined to wired networks or other wireless clients on the same controller.
Unlike a router, the ACL controls traffic in both directions when applied to an interface, but it does not perform stateful firewalling. If you forget to open a hole in the ACL for return traffic, this causes a problem.
Controller ACLs only block IP packets. You cannot block Layer 2 ACLs or Layer 3 packets that are not IP.
Controller ACLs do not use inverse masks like the routers. Here, 255 means match that octet of the IP address exactly.
ACLs on the controller are done in software and impact forwarding performance.

Re: Catalyst 9800/ISE - ACL

Rich R — Tue, 21 Jan 2025 15:55:41 GMT

That's a very old document for AireOS so I'd not assume any of it necessarily still applies to 9800.

See the config guide https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_conf_ipv4_acl_ewlc.html which discusses how they apply on 9800.

For dACLs also see https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/221941-configure-troubleshoot-downloadable-ac.html

Re: Catalyst 9800/ISE - ACL

MHM Cisco World — Tue, 21 Jan 2025 16:23:10 GMT

Again why you looking for dACL and dynamic VLAN in same ssid? What is your requirements??

MHM

Re: Catalyst 9800/ISE - ACL

bakaholic39 — Wed, 23 Jul 2025 06:49:41 GMT

In order to use an ACL name, in the ISE authorization profile, should I select Airespace ACL Name or use a specific AV pair? Additionally, on the WLC, is there any mandatory configuration apart from creating an ACL with the same name as defined in ISE?

Re: Catalyst 9800/ISE - ACL

Ambuj M — Thu, 24 Jul 2025 04:44:14 GMT

use Airespace ACL Name under common tasks

on 9800 make sure ACL name is exactly same as defined on ISE (case sensitive) that's all.

Re: Catalyst 9800/ISE - ACL

bakaholic39 — Thu, 24 Jul 2025 05:13:14 GMT

Thanks for replying, do you have any insights on SD-Access wireless? Can this method be used to enforce ACLs for clients in an SD-Access Wireless environment?

Re: Catalyst 9800/ISE - ACL

Ambuj M — Fri, 25 Jul 2025 03:55:34 GMT

in SDA the access control is typically based on SGTs where you assign SGT values to source and destination based on IP, VLAN, ports etc and create matrix to allow or deny access between them. Are you using SDA or traditional wireless ?

Re: Catalyst 9800/ISE - ACL

bakaholic39 — Fri, 25 Jul 2025 04:57:12 GMT

I have both, and I’m wondering, rather than configuring complex SGTs or SGACLs, can traditional way like Airespace ACL Name still work with SDA wireless.

Re: Catalyst 9800/ISE - ACL

Ambuj M — Sun, 27 Jul 2025 03:26:03 GMT

it does not align with architectural principles and benefits of SDA's group-based policy and automation capabilities, but it will work.