1968 Views, 5 Helpful, 6 Replies

DACL is not applied well in ISE.

Attachments: ACL.png, Profile.png, Policy_MAB.png, Policy_1X.png, dACL_log.png

I configured dACL as above.

However, you can ping anywhere.

If you look at the log, it appears that dACL is applied.

What is the problem?


6 Replies

Arne Bier (VIP)

Have you checked the status of the session on the switch? Are you sure the dACL has been downloaded?

The switch is not registered with ISE.

WLC-ISE environment.

I want to control clients with ACLs in a wireless environment.

Is this a Cat 9800 WLC? In that case I don’t know much about it because it’s IOS-XE based.

But in the classic AireOS there is no dACL. The ACL lives on the WLC and RADIUS only sends the ACL name in the Access-Accept.

I agree with @Arne Bier .  In regard to AireOS you configure the ACLs on the controller.  I know on the 5520 WLC this can be found under security->access control lists.  Then reference which specific airespace acl in the respective authz profile.

Our controller is WLC5520.

Is it incorrect to use ISE dACL in ISE-WLC-AP configuration ??

I am currently importing WLC's ACL from ISE using the AirSpace_ACL function.

Hi @JustTakeTheFirstStep

dACL is only used in Cisco LAN Switches - not Cisco WLAN Controller (at least, not on the "legacy" AireOS stuff like your 5520)

The principle here is that you must configure all the ACLs on the 5520 itself. e.g. if the WLAN is centrally switched, then it's under Security > ACLs (something like that) - beware that for FlexConnect you must choose the Flex ACL (because the ACLs then get applied on the APs themselves, and not on the Central Controller).

ISE's job is to send the ACL Name to the WLC during the Access-Accept. That applies the ACL for that Session. Make sure the name in the ISE Result is identical to that configured on the WLC.
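As an added example (not code from the thread, from Cisco ISE or from the WLC), a small Python checker that applies the distinction above: it inspects one Access-Accept and reports when the result carries only a dACL that AireOS will ignore, or an Airespace-ACL-Name that does not exactly match an ACL defined on the controller (including the FlexConnect case). The attribute names Airespace-ACL-Name and cisco-av-pair with the ACS:CiscoSecure-Defined-ACL prefix are the real ones ISE sends; the ACL names and sample results are constructed.

```python
# Constructed checker (not from the thread): compares one ISE Access-Accept
# with what an AireOS WLC can enforce. Attribute names are real; values are made up.
DACL_MARKER = "ACS:CiscoSecure-Defined-ACL="  # cisco-av-pair prefix ISE uses for dACLs


def check_authz_result(radius_attrs, wlc_acls, flex_acls, flexconnect=False):
    """Return findings for one Access-Accept (empty list means the WLC will apply it).

    radius_attrs: attribute name -> list of values, as a RADIUS debug shows them
    wlc_acls:     ACL names defined on the controller (Security > Access Control Lists)
    flex_acls:    FlexConnect ACL names defined on the controller
    flexconnect:  True if the WLAN is locally switched on the APs
    """
    findings = []
    dacls = [v for v in radius_attrs.get("cisco-av-pair", []) if v.startswith(DACL_MARKER)]
    acl_names = radius_attrs.get("Airespace-ACL-Name", [])

    if dacls and not acl_names:
        # A switch would download the dACL; AireOS ignores it, so the session
        # ends up with no ACL at all (the "can ping anywhere" symptom).
        findings.append("dacl_ignored_on_aireos")
    elif not acl_names:
        findings.append("no_acl_in_result")

    expected_pool = flex_acls if flexconnect else wlc_acls
    for name in acl_names:
        if name in expected_pool:
            continue
        # The WLC matches the name verbatim: case and stray whitespace break it.
        if name.strip().lower() in {n.lower() for n in expected_pool}:
            findings.append(f"acl_name_case_or_whitespace_mismatch:{name}")
        elif flexconnect and name in wlc_acls:
            findings.append(f"central_acl_used_on_flexconnect_wlan:{name}")
        else:
            findings.append(f"acl_not_defined_on_wlc:{name}")
    return findings


# Constructed samples (not from the thread's screenshots).
WLC_ACLS = {"GUEST-ACL", "CORP-ACL"}
FLEX_ACLS = {"GUEST-FLEX-ACL"}
DACL_ONLY = {"cisco-av-pair": [DACL_MARKER + "#ACSACL#-IP-GUEST-DACL-5f3a"]}  # dACL, no WLC ACL
TYPO_NAME = {"Airespace-ACL-Name": ["guest-acl"]}   # case differs from the WLC definition
GOOD = {"Airespace-ACL-Name": ["GUEST-ACL"]}         # what the WLC actually expects

if __name__ == "__main__":
    for label, attrs in (("dacl_only", DACL_ONLY), ("typo", TYPO_NAME), ("good", GOOD)):
        print(label, check_authz_result(attrs, WLC_ACLS, FLEX_ACLS) or ["ok"])
```

Feeding it the attribute list from a RADIUS debug on the WLC side shows at a glance whether the session was authorized with no ACL (dACL-only profile) or with a name the controller cannot find.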
