07-24-2013 01:20 PM - edited 03-10-2019 08:41 PM
Hi, my name is Ivan. I have a question.
My wired network deployment is laid out like this:
And my wireless network deployment is laid out like this:
I would like to configure a Downloadable Access List (DACL) in Cisco ACS 5.4 to use in my wired and wireless network.
How can I do this in my scenario?
Could you please help me?
Regards
Ivan.
07-28-2013 05:27 PM
Hello Ivan
Traditional WLCs don't support downloadable access lists (the new 3850 and 5700 families do support them).
I guess you're using a traditional WLC because you mentioned FlexConnect. What you can do is configure ACS to tell the WLC: "hey WLC, I want you to use BLOCK-ACL with these users", but the WLC needs to have the ACL already configured; ACS will only tell the WLC the name of the access list to use.
Also, I recommend using ISE instead of ACS. With ISE you have advanced guest features (instead of the WLC lobby ambassador). You could download a virtual machine with ISE 1.2 and try it. It comes with a 90-day trial license.
Please rate if this helps.
07-29-2013 09:45 AM
Hi Eduardo
I believe that the new family of WLCs to which you refer is the 2500, 5500, 5700 and 8500. The traditional WLCs (the 4400 family) to which you refer formerly supported something called HREAP and not FlexConnect, and that is because of the new version of IOS, which adds new features to the Cisco WLC.
You must remember that it is the security server that delivers the DACL to the NAS in the network; therefore it is ACS that must be able to deliver the DACL, and that is supported in ACS 4.x and 5.x.
Now, I have seen deployments of WLC wireless networks using Cisco ACS 5.4 DACLs. My question is how do you run the DACL properly: do you have to add an attribute, a Station Filter, in the Access Policy?
We do not need ISE, even knowing that ISE may include topics such as profiling, SGAs, posture and the whole AAA architecture.
Thanks for your answer
Greetings.
Ivan
07-30-2013 12:49 AM
Hello. To avoid confusion, let's divide the WLCs based upon the operating system.
There are WLCs that run AirOS. That includes the WLC 4400, but also includes the WLC 5500.
There are WLCs that run IOS-XE. That includes the new Catalyst 3850-X and the WLC 5700 (I think it can also run AirOS).
IOS-XE fully supports DACLs. On the other hand, AirOS supports DACLs only partially.
From the ACS point of view, when you configure a DACL for IOS you configure not only the name of the access list, but also the access-list entries. That way the IOS devices don't need to have the ACLs pre-configured. This is great because you only need to create and update the access-list entries in one place (which is ACS) and can easily deploy them to hundreds of switches.
On the other hand, when ACS configures a DACL for AirOS it can only specify the name of the access list. The AirOS device needs to have the access list configured with a name exactly as configured on ACS. Sadly, each AirOS device also needs to have all the access-list entries configured.
It seems you want to configure the DACL along with other attributes. If you explain your requirement to me in a little more detail, I can show you what to configure.
Best regards
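The difference described in the post above, as an added example that is not part of any reply in this thread: a small model of what ACS returns for an IOS versus an AirOS NAS, plus the consistency check a defender would want on the AirOS side, since the controller must hold an ACL with exactly the name ACS references and with entries that match the policy. The RADIUS attribute names (cisco-av-pair `ip:inacl#N` and the Airespace-ACL-Name VSA) are the standard Cisco ones; the policy and controller inventories are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class DaclPolicy:
    """A downloadable ACL as defined centrally in ACS (constructed model)."""
    name: str
    entries: list  # ACE strings in IOS syntax

def acs_authorization(policy: DaclPolicy, nas_os: str) -> dict:
    """RADIUS attributes ACS would return to the NAS for this policy."""
    if nas_os == "ios-xe":
        # IOS / IOS-XE: the entries themselves travel as cisco-av-pair values,
        # so the switch needs no pre-configured ACL.
        return {"cisco-av-pair": [f"ip:inacl#{i}={ace}"
                                  for i, ace in enumerate(policy.entries, 1)]}
    if nas_os == "airos":
        # AirOS WLC: only the ACL name is sent; the controller must already
        # have an ACL of that exact name with all entries configured locally.
        return {"Airespace-ACL-Name": policy.name}
    raise ValueError(f"unknown NAS OS: {nas_os}")

def check_wlc_acls(policy: DaclPolicy, wlc_acls: dict) -> list:
    """Return one finding per AirOS controller whose local ACL is missing
    or whose entries have drifted from the ACS policy."""
    findings = []
    for wlc, acls in wlc_acls.items():
        if policy.name not in acls:
            findings.append(f"{wlc}: ACL '{policy.name}' not configured")
        elif acls[policy.name] != policy.entries:
            findings.append(f"{wlc}: ACL '{policy.name}' entries differ from ACS")
    return findings

# Constructed sample data: the BLOCK-ACL policy from the thread and three WLCs.
POLICY = DaclPolicy("BLOCK-ACL", ["deny ip any host 10.0.0.5", "permit ip any any"])
WLCS = {
    "wlc-hq":    {"BLOCK-ACL": ["deny ip any host 10.0.0.5", "permit ip any any"]},
    "wlc-branch": {"Block-ACL": ["deny ip any host 10.0.0.5", "permit ip any any"]},
    "wlc-dc":    {"BLOCK-ACL": ["permit ip any any"]},
}

if __name__ == "__main__":
    print(acs_authorization(POLICY, "ios-xe"))
    print(acs_authorization(POLICY, "airos"))
    for finding in check_wlc_acls(POLICY, WLCS):
        print(finding)
```

Note that the name comparison is case-sensitive, which is exactly the kind of mismatch the check is meant to surface before users hit it.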