Beginner

DACL is not applied well in ISE.

[Attached screenshots: ACL.png, Profile.png, Policy_MAB.png, Policy_1X.png, dACL_log.png]

I configured dACL as above.

However, you can ping anywhere.

If you look at the log, it appears that dACL is applied.

What is the problem?

VIP Advisor

Re: DACL is not applied well in ISE.

Have you checked the status of the session on the switch? Are you sure the dACL has been downloaded?

Beginner

Re: DACL is not applied well in ISE.

The switch is not registered with ISE.

WLC-ISE environment.

I want to control clients with ACLs in a wireless environment.

VIP Advisor

Re: DACL is not applied well in ISE.

Is this a Cat 9800 WLC? In that case I don’t know much about it because it’s IOS-XE based.

But in the classic AireOS there is no dACL. The ACL lives on the WLC and RADIUS only sends the ACL name in the Access-Accept.

VIP Collaborator

Re: DACL is not applied well in ISE.

I agree with @Arne Bier. In regard to AireOS, you configure the ACLs on the controller. I know on the 5520 WLC this can be found under security->access control lists. Then reference the specific Airespace ACL in the respective authz profile.

Beginner

Re: DACL is not applied well in ISE.

Our controller is WLC5520.

Is it incorrect to use ISE dACL in an ISE-WLC-AP configuration?

I am currently importing WLC's ACL from ISE using the AirSpace_ACL function.

VIP Advisor

Re: DACL is not applied well in ISE.

Hi @Snika

dACL is only used in Cisco LAN Switches - not Cisco WLAN Controller (at least, not on the "legacy" AireOS stuff like your 5520).

The principle here is that you must configure all the ACLs on the 5520 itself, e.g. if the WLAN is centrally switched, then it's under Security > ACLs (something like that) - beware that for FlexConnect you must choose the Flex ACL (because the ACLs then get applied on the APs themselves, and not on the Central Controller).

ISE's job is to send the ACL Name to the WLC during the Access-Accept. That applies the ACL for that Session. Make sure the name in the ISE Result is identical to that configured on the WLC.
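The check the replies describe, as an added example that is not part of the original thread or any Cisco code: it parses the attribute section of a RADIUS Access-Accept, flags a dACL reference (a cisco-av-pair carrying `ACS:CiscoSecure-Defined-ACL=`), and verifies that the Airespace-ACL-Name is identical to an ACL configured on the WLC. The ACL names and attribute bytes are constructed samples; the vendor IDs 9 (Cisco) and 14179 (Airespace) and vendor type 6 for Airespace-ACL-Name follow the standard RADIUS dictionaries.

```python
import struct

VSA = 26                      # RADIUS Vendor-Specific attribute type
CISCO, AIRESPACE = 9, 14179   # IANA enterprise numbers
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="

def vsa(vendor, vtype, value):
    """Encode one Vendor-Specific attribute (builds the sample input)."""
    data = value.encode()
    body = struct.pack("!IBB", vendor, vtype, len(data) + 2) + data
    return bytes([VSA, len(body) + 2]) + body

def parse_acl_attrs(attrs):
    """Walk the Access-Accept attribute TLVs and pull out ACL references."""
    found = {"airespace_acl": None, "dacl": None}
    i = 0
    while i < len(attrs):
        alen = attrs[i + 1] if i + 1 < len(attrs) else 0
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        value = attrs[i + 2:i + alen]
        if attrs[i] == VSA and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            text = value[6:4 + vlen].decode(errors="replace")
            if vendor == AIRESPACE and vtype == 6:      # Airespace-ACL-Name
                found["airespace_acl"] = text
            elif vendor == CISCO and vtype == 1 and text.startswith(DACL_PREFIX):
                found["dacl"] = text[len(DACL_PREFIX):]  # cisco-av-pair dACL
        i += alen
    return found

def check_for_aireos(attrs, wlc_acl_names):
    """Return the problems an AireOS WLC would have with this Access-Accept."""
    found, problems = parse_acl_attrs(attrs), []
    if found["dacl"]:
        problems.append("dACL %s sent; per the thread AireOS has no dACL" % found["dacl"])
    name = found["airespace_acl"]
    if name is None:
        problems.append("no Airespace-ACL-Name in the Access-Accept")
    elif name not in wlc_acl_names:   # exact match: the names must be identical
        problems.append("ACL %r is not configured on the WLC" % name)
    return problems

# Constructed samples (not taken from the thread's screenshots).
WLC_ACLS = {"GUEST_ACL", "EMPLOYEE_ACL"}
SAMPLE_DACL = vsa(CISCO, 1, DACL_PREFIX + "#ACSACL#-IP-DENY_PING-5f3a9c1b")
SAMPLE_MISMATCH = vsa(AIRESPACE, 6, "guest_acl")
SAMPLE_OK = bytes([25, 6]) + b"CACS" + vsa(AIRESPACE, 6, "GUEST_ACL")
for s in (SAMPLE_DACL, SAMPLE_MISMATCH, SAMPLE_OK):
    print(check_for_aireos(s, WLC_ACLS))
```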