
Flexconnect dACL applied but not being enforced

Daniel Lucas
Level 1

Running into an issue that I can't seem to find a reason/solution for - I have a more/less basic guest portal - once the client successfully logs in as a guest ISE sends a CoA, the session is re-authenticated, and an authz profile is matched that pushes an Airespace ACL over to the WLC - however the client has full access to the network regardless of what I have in my ACL (even a deny any any).

On the WLC I have that ACL configured as a Flexconnect ACL, and have it pushed down to the AP. In the client details I see the ACL applied, although it is listed under 'IPv4 ACL Name' instead of the 'AAA Override ACL' section, which may be normal, but it's just something that looks off to me:

[Screenshot: 1.PNG]

Flexconnect ACL is configured as below (any any was changed to Deny while troubleshooting):

[Screenshot: 1.PNG]

'Allow AAA Override' is enabled on the WLAN as well as 'NAC State = Radius NAC'

ISE is version 2.1, and the controller is 8.0.152 vWLC

 

Any help would be appreciated.

-Thanks

2 Replies

Jason Kunst
Cisco Employee

Link is bad - based on your link though I searched and found this one which I suspect you were trying to link to:

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

 

However, that guide is for a centrally-switched AP, not Flexconnect.

-Thanks