ACS 5.4 with DACL over wireless and wired network

Hi, my name is Ivan. I have a question.

I have a deployment in my wired network set up this way:

  • Profile 1: corporate users work with 802.1X to authenticate computers and users with EAP-PEAP MSCHAPv2, and MAC filtering is configured in the Cisco WLC. My ACS 5.4 is integrated with Active Directory.
  • Profile 2: IP telephones authenticate with MAB. All the MAC addresses are registered locally in the ACS.
  • Profile 3: guest users authenticate with the web portal of the Cisco Wireless LAN Controller over the wired network, and the accounts exist in the WLC Lobby Ambassador.

And my deployment in the wireless network is this way:

  • FlexConnect with central authentication and local switching to connect 15 sites over the WAN.
  • SSID 1: corporate users work with 802.1X to authenticate users with PEAP MSCHAPv2, and MAC filtering is configured in the Cisco WLC. My ACS 5.4 is integrated with Active Directory.
  • SSID 2: guest users work with the web portal of the Cisco Wireless LAN Controller over the wireless network, and the accounts exist in the WLC Lobby Ambassador.

I would like to configure Downloadable Access Lists (DACL) in the Cisco ACS 5.4 to use in my wired and wireless network.

How can I do it in my scenario?

Could you please help me?

Regards

Ivan.

Hello Ivan

Traditional WLCs don't support downloadable access lists (the new families, 3850 and 5700, do support them).

I guess you're using a traditional WLC because you mentioned FlexConnect. What you can do is configure ACS to tell the WLC: "hey WLC, I want you to use BLOCK-ACL with these users", but the WLC needs to have the ACL already configured; ACS will only tell the WLC the name of the access list to use.

Also, I recommend using ISE instead of ACS. With ISE you have advanced guest features (instead of the WLC Lobby Ambassador). You could download a virtual machine with ISE 1.2 and try it. It comes with a 90-day trial license.

Please rate if this helps.

Hi Eduardo

I believe that the new family of WLCs to which you refer is the 2500, 5500, 5700 and 8500. The traditional WLC (the 4400 family) to which you refer formerly supported something called HREAP and not FlexConnect, and that's because of the new version of IOS which adds new features to the Cisco WLC.

You must remember that it is the security server that delivers the DACL to the NAS in the network; it is therefore ACS that must be able to deliver the DACL, and that is supported in ACS 4.X and 5.X.

Now, I have seen deployments of WLC wireless networks using Cisco ACS 5.4 DACLs. My question is how you get the DACL to run properly: do you have to add an attribute in the access policy, a station filter?

We do not need ISE, even knowing that it may include topics such as ISE profiling, SGAs, posture and the whole AAA architecture.

Thanks for your answer

Greetings.

Ivan

Hello. To avoid confusion, let's divide the WLCs based on the operating system.

There are WLCs that run AirOS. That includes the WLC 4400, but also the WLC 5500.

There are WLCs that run IOS-XE. That includes the new Catalyst 3850-X and the WLC 5700 (I think it can also run AirOS).

IOS-XE fully supports DACL. On the other hand, AirOS supports DACL only partially.

From the ACS point of view, when you configure a DACL for IOS you configure not only the name of the access list, but also the access-list entries. That way the IOS devices don't need to have the ACLs pre-configured. This is great because you only need to create and update the access-list entries in one place (which is ACS) and can deploy them easily to hundreds of switches.

On the other hand, when ACS configures a DACL for AirOS it can only specify the name of the access list. The AirOS device needs to have an access list configured with a name exactly as configured on the ACS. Sadly, each AirOS device also needs to have all the access-list entries configured.

It seems you want to configure the DACL along with other attributes. If you explain your requirement to me in a little more detail, I can show you what to configure.

Best regards
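The two delivery paths described in the last answer, as an added example that is not part of this thread or of any Cisco product: the IOS side installs the access-list entries it receives in `ip:inacl#N=` cisco-av-pair values, while the AirOS side only receives a name in `Airespace-ACL-Name` and fails when that name has not been pre-configured on the controller. The attribute names are real RADIUS attributes; the ACL names and entries are constructed, and ACS's own two-step fetch of the IOS entries is collapsed into the attributes the switch ends up with.

```python
"""Model of DACL delivery to an IOS switch versus an AirOS WLC (constructed example)."""
from dataclasses import dataclass, field

CISCO_AVPAIR = "cisco-av-pair"              # Cisco VSA (vendor 9, type 1)
AIRESPACE_ACL_NAME = "Airespace-ACL-Name"   # Airespace VSA (vendor 14179, type 6)


@dataclass
class IosSwitch:
    """IOS NAS: builds the per-session ACL from the entries the AAA server sends."""
    installed: dict = field(default_factory=dict)

    def apply(self, session: str, attrs: list) -> bool:
        entries = []
        for name, value in attrs:
            if name == CISCO_AVPAIR and value.startswith("ip:inacl#"):
                seq, _, ace = value.partition("=")          # "ip:inacl#2" / "permit ip any any"
                entries.append((int(seq[len("ip:inacl#"):]), ace))
        if not entries:
            return False
        # entries may arrive in any order; the sequence number decides placement
        self.installed[session] = [ace for _, ace in sorted(entries)]
        return True


@dataclass
class AirOsWlc:
    """AirOS WLC: receives only an ACL name; the ACL body must already exist locally."""
    local_acls: dict                      # name -> entries configured on this controller
    applied: dict = field(default_factory=dict)

    def apply(self, session: str, attrs: list) -> bool:
        names = [v for n, v in attrs if n == AIRESPACE_ACL_NAME]
        if not names or names[0] not in self.local_acls:
            return False                  # name unknown here: the policy is not enforced
        self.applied[session] = self.local_acls[names[0]]
        return True


# Constructed Access-Accept attribute lists for the two NAS types
IOS_ACCEPT = [(CISCO_AVPAIR, "ip:inacl#2=permit ip any any"),
              (CISCO_AVPAIR, "ip:inacl#1=deny ip any host 10.0.0.5")]
WLC_ACCEPT = [(AIRESPACE_ACL_NAME, "BLOCK-ACL")]

if __name__ == "__main__":
    sw, wlc = IosSwitch(), AirOsWlc(local_acls={})
    print("IOS:", sw.apply("s1", IOS_ACCEPT), sw.installed)
    print("AirOS without local ACL:", wlc.apply("s2", WLC_ACCEPT))
```

The same name sent to every AirOS controller only works if each one carries an identically named ACL, which is the maintenance burden the answer points out.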