Catalyst Center - Wireless Fabric Issue

Jkloz
Level 1

Good Afternoon All,

We are in the process of building out a greenfield deployment of Catalyst Center and Cisco ISE, and I've run into an issue that I haven't been able to find an answer on. In our legacy network deployment we use OTT wireless, and this go-around we're planning on integrating the WLCs into DNAC. In the legacy deployment we are able to posture assess endpoints on both wired and wireless networks based on a few conditions, i.e.:

Posture Unknown - Apply DACL or Airespace ACL that gets applied until the endpoint passes all posture checks.
Posture Compliant - Any DACL / Airespace ACL gets removed once system is in a compliant state.
Posture Non-Compliant - System authenticates into a remediation fabric network where the host has access to remediation services (MECM/SCCM/etc.).

We are trying to accomplish the same configuration / setup on our greenfield / new deployment. The issue we're running into is on our 9800 WLCs: if I don't have an Airespace ACL tied to the authorization profile in ISE, authentication/authorization work flawlessly. Once I tie an Airespace ACL to the authorization profile, when the client associates to the AP, on the WLC we see them initially connect, then it flips to "excluded clients" with a result of ACL_Failure. I've tried getting some PCAPs of the traffic, and nothing is jumping out at me as being misconfigured. I see the Airespace ACL name in the frames of the capture.

I'm wondering if what I'm trying to do needs to be configured a different way, or if I'm trying to do something that isn't supported from a Cisco/fabric enabled wireless perspective. Fabric enabled wireless network documentation is pretty sparse on Cisco's site; I've read the DNAC/Catalyst Center deployment guides and ISE Posture guides, and am stumped.

ISE Version - 3.3.0
DNAC - 2.3.7.7

Any help/experience with an issue like this is always appreciated!

Thanks!

Jon



7 Replies

Dan Rowe
Cisco Employee

9800s did not support dACLs until 17.10+. What version of code are you running on the 9800?


Our 9800s are running 17.15.02.


When you say DACLs, do you mean a Downloadable ACL that I would configure in ISE and tie to an Authz profile, or an Airespace ACL that I'd configure on the WLC? I've tested both, and it's the same scenario: when my test users authenticate to the WLC, they get pushed to "excluded clients" and time out.

Also, reading through (https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-15/config-guide/b_wl_17_15_cg/m_dACL.html?bookSearch=true), "The dACL feature is supported only in a centralized controller with Local mode Access Points.", I'm not sure what the definition of a local mode AP is. We're not running FlexConnect, so I'd assume they are local mode APs, but more specifically they are fabric enabled WLCs and fabric enabled wired/wireless networks, so I'm not sure what the APs would be considered.

jedolphi
Cisco Employee

For fabric enabled wireless and flex wireless, DACLs are not supported; you must use post-auth ACLs, Cisco AV pair name "bsn-acl-name".


@jedolphi - Thanks for the input, I'll give this a shot. Where does the post-auth ACL need to be configured? Somewhere in Catalyst Center, or on the WLCs under the local ACLs? I'd assume the WLCs. Also, keep in mind that what I'm trying to accomplish is, in a posture unknown state, to have the post-auth ACL applied until posture assessment. Then, once postured compliant, the ACL would be removed.

Do you have a link to any Cisco documentation that provides this information?  

Thanks!

Hi @Jkloz , search CSCwh22547 from cisco.com. Not aware of other documentation. Here is the C9800 config that works in my SDA lab, as a test I allow fabric wireless client to ping to 8.8.8.8 but nothing else, adjust as you see fit. After posture completion you could assign the permit_all_acl.

ip access-list extended test_acl
permit icmp any host 8.8.8.8
permit icmp host 8.8.8.8 any
deny icmp any any
permit ip any any
!
ip access-list extended permit_all_acl
permit ip any any
!
wireless profile flex default-flex-profile
acl-policy test_acl
acl-policy permit_all_acl
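To reason about what a post-auth ACL like the one above actually admits before pushing it to the C9800, it helps to run candidate flows through the same first-match semantics IOS-XE uses. The script below is an added example, not code from this thread or from Cisco: it parses the subset of extended-ACL syntax used in the posted test_acl (permit/deny, protocol icmp or ip, source and destination as "any" or "host X"), evaluates sample flows against it, and reports which ACE matched. The function names (parse_acl, evaluate, check_posted_acl) and the sample client address 10.0.0.5 are my own choices; the ACL text is the one posted in the reply.

```python
"""First-match evaluator for a small subset of IOS-XE extended ACL syntax.

Added example for the thread above; not Cisco code. It covers only the
ACE forms that appear in the posted test_acl: permit|deny, protocol
'icmp' or 'ip', and 'any' / 'host A.B.C.D' for source and destination.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# ACL text copied from the reply above (test_acl only).
TEST_ACL = """
ip access-list extended test_acl
permit icmp any host 8.8.8.8
permit icmp host 8.8.8.8 any
deny icmp any any
permit ip any any
!
"""


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "icmp", "tcp", ... ; "ip" matches any IP protocol
    src: Optional[str]     # None means "any", otherwise one host address
    dst: Optional[str]


def _take_addr(tokens: List[str]) -> Tuple[Optional[str], List[str]]:
    """Consume an 'any' or 'host X' address form from the token list."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return str(ip_address(tokens[1])), tokens[2:]
    raise ValueError(f"unsupported address form: {' '.join(tokens)}")


def parse_acl(text: str) -> Tuple[str, List[Ace]]:
    """Return (acl_name, ordered ACEs) from 'ip access-list extended' text."""
    name = None
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _take_addr(tokens[2:])
        dst, rest = _take_addr(rest)
        if rest:
            raise ValueError(f"unsupported trailing tokens in: {line}")
        aces.append(Ace(action, proto, src, dst))
    if name is None:
        raise ValueError("no 'ip access-list extended <name>' header found")
    return name, aces


def _addr_match(pattern: Optional[str], addr: str) -> bool:
    return pattern is None or pattern == str(ip_address(addr))


def evaluate(aces: List[Ace], proto: str, src: str, dst: str) -> Tuple[str, int]:
    """First matching ACE wins; returns (action, ace_index).

    Index -1 with 'deny' represents the implicit deny at the end of every
    IOS ACL, which is reached only when no explicit ACE matches.
    """
    for i, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):
            continue
        if _addr_match(ace.src, src) and _addr_match(ace.dst, dst):
            return ace.action, i
    return "deny", -1


def check_posted_acl() -> dict:
    """Run a few constructed flows (client 10.0.0.5) through the posted ACL."""
    _, aces = parse_acl(TEST_ACL)
    flows = {
        "icmp to 8.8.8.8":   ("icmp", "10.0.0.5", "8.8.8.8"),
        "icmp from 8.8.8.8": ("icmp", "8.8.8.8", "10.0.0.5"),
        "icmp to 1.1.1.1":   ("icmp", "10.0.0.5", "1.1.1.1"),
        "tcp to 1.1.1.1":    ("tcp", "10.0.0.5", "1.1.1.1"),
    }
    return {label: evaluate(aces, *flow) for label, flow in flows.items()}


if __name__ == "__main__":
    for label, (action, idx) in check_posted_acl().items():
        print(f"{label:20s} -> {action} (ACE #{idx})")
```

Running it shows the ICMP-specific lines doing the filtering while the final "permit ip any any" admits every non-ICMP flow, so any tightening for the posture-unknown state belongs in the lines before that catch-all.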

Thank you very much, I'll be testing this on our greenfield deployment today & will get back to you ASAP. I tried looking at that bug ID, but I don't have access to it, as it's not public.


Again, much appreciated!

@jedolphi - Thanks for the assist! I was able to make the above work in our environment. It's a bit wonky, but it did the trick. We're also testing authenticating all fabric endpoints (wired & wireless) into a remediation network that only has access to critical resources they would need to access, until posture assessment. We're running NAM / ISE Posture Modules, so we should be able to auth systems into an isolation VN, then dynamically move them based on posture to our production VN.

Again, thank you very much for your time!