Solved: DACL, WLC, and ISE: Unsupported?

timothybwork · ‎08-07-2017

Hi,

I've seen a lot of conflicting information on this topic and am looking for a firm answer.

It appears that Airespace-ACL can be used to point to an existing ACL on a WLC. So if I have a user authenticated via Wireless (802.1x), Airespace-ACL can be used to point to an existing ACL (statically defined on the WLC) which can control that user's traffic. But DACL is not supported, so I can't use ISE as the single point of control to feed the ACL back to the users. Is that correct? I know I can use SGT, but Trustsec can't be deployed in my environment.

Francesco Molino · ‎08-07-2017

Hi

Yes you're right. DACL isn't supported on AireOS. However there are supported on IOS running wlc.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎08-07-2017

Hi

Yes you're right. DACL isn't supported on AireOS. However there are supported on IOS running wlc.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Marvin Rhoads · ‎08-07-2017

As Francesco noted - a Cisco WLC most definitely does not support DACLs.

We need to define them locally on the WLC and then ISE can apply them out dynamically as part of an authorization result.

Amr2 · ‎07-25-2022

is this limitation still in the WLC ???

ahollifield · ‎07-25-2022

AireOS or IOS-XE 9800?