Airespace ACL - Flexconnect AP

victguti (Level 1)

Hello,

I have an ISE 2.2 patch 10 fully distributed deployment in which I am using Airespace ACLs for wireless clients. It works successfully except when a client connects to a FlexConnect AP.

Do you know if there is any limitation to using Airespace ACLs with FlexConnect APs?

Regards.

6 Replies

anthonylofreso (Level 4)

As long as that ACL exists under FlexConnect ACLs on the WLC, then airespace ACL should work.

Arne Bier (VIP)

For a long time I dealt only with regular ACLs and ISE was returning them via the Access-Accept. And then I had to work with Flex ACLs. Well, for starters, they look different because there is no direction associated with them (inbound/outbound). You have to create them under FlexACL and not regular ACL. But in ISE you can refer to them by the regular means. However, I have found that when I used them for Guest Portal URL redirection, ISE didn't need to (or have to) return this named Flex ACL at all. The ACL is hard-coded into the part of the WLC config that deals with Central Web Auth. As soon as the session is in CWA, the WLC applies the ACL as configured in the WLC - it has nothing to do with RADIUS anymore (even though this is a MAB auth flow!). And then the other oddity I found (and have yet to resolve) is how to send the Flex ACL to tell the WLC that it has to apply a different Flex ACL because the guest is now authenticated. It just refuses to accept the named Flex ACL I send it. I never got it to work (Cisco WLC 8.5.something).

Nice. Learned something new today.

I think you still need to apply the ACL from my experience, but the key with FlexConnect is that you need to push out the ACLs to the APs using your FlexConnect groups. You push them out as policy ACLs. Also, for ACLs that you want to apply to restrict traffic, you need to push them out as well before they can get applied. Look at the ACL tab in the FlexConnect group and push them out, but don't apply them to any interface.
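As an added illustration (not code from this thread or from Cisco), a small Python check of the two conditions the replies above describe: the Airespace-ACL-Name that ISE returns in the Access-Accept must name an ACL that exists under FlexConnect ACLs on the WLC and that the AP's FlexConnect group has pushed out as a policy ACL. The VSA layout (vendor 14179, vendor-type 6) follows the Airespace RADIUS dictionary; the ACL inventories are constructed inputs standing in for what you would read off the WLC.

```python
import struct
from typing import List, Optional, Set

RADIUS_VENDOR_SPECIFIC = 26   # RADIUS attribute type for Vendor-Specific (RFC 2865)
AIRESPACE_VENDOR_ID = 14179   # enterprise number used for Airespace/WLC VSAs
AIRESPACE_ACL_NAME = 6        # vendor-type of Airespace-ACL-Name


def encode_airespace_acl_name(acl_name: str) -> bytes:
    """Build the Airespace-ACL-Name VSA as ISE would place it in an Access-Accept."""
    value = acl_name.encode("ascii")
    vsa = struct.pack("!BB", AIRESPACE_ACL_NAME, 2 + len(value)) + value
    return (struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 6 + len(vsa))
            + struct.pack("!I", AIRESPACE_VENDOR_ID) + vsa)


def decode_airespace_acl_name(attrs: bytes) -> Optional[str]:
    """Walk a RADIUS attribute list and return the Airespace-ACL-Name value, if any."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            vtype, vlen = attrs[i + 6], attrs[i + 7]
            if (vendor == AIRESPACE_VENDOR_ID and vtype == AIRESPACE_ACL_NAME
                    and 2 <= vlen <= alen - 6):
                return attrs[i + 8:i + 6 + vlen].decode("ascii")
        i += alen
    return None


def check_acl_deployment(acl_name: str, ap_mode: str, regular_acls: Set[str],
                         flex_acls: Set[str], group_policy_acls: Set[str]) -> List[str]:
    """Return the reasons the returned ACL name cannot be applied to this client ([] if fine).

    ap_mode is 'local' or 'flexconnect'. group_policy_acls is the constructed set of policy
    ACLs pushed out by the AP's FlexConnect group, the step the thread says is easy to miss.
    """
    findings = []
    if ap_mode == "local":
        if acl_name not in regular_acls:
            findings.append("ACL %r is not defined under the WLC's regular ACLs" % acl_name)
        return findings
    if acl_name not in flex_acls:
        findings.append("ACL %r is not defined under FlexConnect ACLs" % acl_name)
    if acl_name not in group_policy_acls:
        findings.append("ACL %r is not pushed as a policy ACL by the AP's FlexConnect group" % acl_name)
    return findings
```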

rajcisco (Level 1)

I face the same issue. FlexConnect ACLs should be pushed through FlexConnect groups, but the ACL sent to the AP, which in turn is applied to the user, is different from the original ACL created in the controller. It seems it's related to a bug affecting FlexConnect ACLs (it's not the case in central switching) and there is a hotfix OS code for it. Cisco also planned to release a stable version of the OS including this fix in the first week of Nov-2018.

Kindly raise a TAC case to get more information on this.

hslai (Cisco Employee)

Adding to the others, please also check out Appendix B of How To: Universal Wireless Controller (WLC) Configuration for ISE.