topic WLC and dACLs in Wireless

WLC and dACLs

Jim Thomas — Sun, 04 Jul 2021 04:59:56 GMT

Does anyone know if dACLs on a WLC controller using the latest code require a pre-configuration of the ACLs on the controller? All documentation seems to indicate the ACLs must be created first on the controller and the policy engine (ISE or ACS) push down the name of the ACL to be used.

Re: WLC and dACLs

Scott Fella — Fri, 13 Apr 2012 19:28:18 GMT

The wlc doesn't support dACLs but you would use the wlc acl's. Q

Thanks,

Scott Fella

Sent from my iPhone

Re: WLC and dACLs

Stephen Rodriguez — Fri, 13 Apr 2012 19:28:19 GMT

Hey Jim, long time no see!

For the WLC, this is correct. You have to preconfigure the ACL on the WLC, and ISE will send the name.

Steve

Re: WLC and dACLs

George Stefanick — Fri, 13 Apr 2012 20:57:16 GMT

To piggy back in ...

ISE supports 2 ACLs (downloadable or named). The WLC supports NAMED ACLS. The name should be identical in the ISE policy manger and the WLC.

WLC and dACLs

Jim Thomas — Fri, 13 Apr 2012 20:58:40 GMT

Thanks guys, stephen that helps out, just needed the confirmation since I'm light on the wireless.

WLC and dACLs

George Stefanick — Fri, 13 Apr 2012 21:02:29 GMT

ISE ACLs are the better way to go versus VLAN change. Most clients will not support CoA and will sit and spin.

Re: WLC and dACLs

Scott Fella — Fri, 13 Apr 2012 21:41:48 GMT

Vlan changes on the wireless has not caused me any issues. I have used it on ACS and now on ISE. On the wired side it can be an issue as you know.

Thanks,

Scott Fella

Sent from my iPhone

Re: WLC and dACLs

George Stefanick — Fri, 13 Apr 2012 22:05:25 GMT

If the device is not 100% profiled and later becomes profiled as other probes determine what the device is and the device needs to move to another VLAN a Coa happens. it's then that the supplicant woll sit and spin. Anyconnect client for example will recognize that no traffic is passing after a certain period of time and will reip. Other supplicants for example window zero config don't do that.

Re: WLC and dACLs

Scott Fella — Fri, 13 Apr 2012 22:10:49 GMT

That's how I have mine setup though, but it's my lab that I do the testing. I have one SSID and then multiple profiles with vlan, session timer and QoS attributes depending on what AD group the user matches. I haven't tested other supplicants beside a windows 7 and XP client.

Thanks,

Scott Fella

Sent from my iPhone

Re: WLC and dACLs

Scott Fella — Fri, 13 Apr 2012 22:16:48 GMT

George,

I still prefer to match an SSID to an OU and either accept or deny. The named acl and dACL I think is a nice idea, but you have to account for all the users on that given subnet. I think after playing around with ISE an seeing what really works in real life and what is painful will help determine what is the best way I deploy in certain situations.

Thanks,

Scott Fella

Sent from my iPhone

Re: WLC and dACLs

George Stefanick — Fri, 13 Apr 2012 22:31:38 GMT

I'm curious, can you be more specific when you say you match a ssid to a ou.

I agree each deployment wil have a unique deployment requirements.

Sent from Cisco Technical Support iPhone App

Re: WLC and dACLs

Scott Fella — Fri, 13 Apr 2012 22:46:18 GMT

I create a policy that say is the user using "employee" SSID and is part of the "wireless employee" OU... And some others (device group, device location, EAP type, etc). So if a domain user tries to access the "employee" SSID using his or her domain credential and is not part of the "wireless employee" OU, ACS or ISE will send a reject to the WLC. That username is also accounted for in the failed attempts.

Thanks,

Scott Fella

Sent from my iPhone

Re: WLC and dACLs

snyggsomfan — Wed, 30 May 2012 10:57:04 GMT

Maybe not a totally relevant question to this post but does an autonomous ap (AP-1142N) support dACL from ACS? I'm not using any WLC.

/Putte

Re: WLC and dACLs

edondurguti — Fri, 24 Aug 2012 16:04:35 GMT

Hey Scott, did this ever happend to you or anyone

https://supportforums.cisco.com/message/3716531#3716531