How to migrate away from converged wireless back to centralized wireless with ISE dACL's ?

willsmith1701
Level 1

We are in the process of migrating away from converged wireless back to the previous centralized structure. We currently have a 5760 Mobility Controller, and 3850 switch stacks campus wide configured as Mobility Agents. We also have an ISE server for Dot1x authorization, with differing policies and downloadable ACLs dependent on the username and device (i.e. AD credentials and an AD joined device, AD credentials on a BYOD device, Guest user with no AD account and their own device). We have purchased a 5520, and plan to remove the MA role from the 3850 switch stacks, so they will function as wired switches only.

I don't think the 5520 is capable of accepting downloadable ACLs. I think the downloadable ACLs currently configured on the ISE server need to be duplicated on either the new 5520 WLC, or on the 3850 switches, but I'm not sure which. I am also not certain how the 5520 should be configured to apply the correct ACL depending on the user name and device type. The ISE server was implemented at the same time the 5760 and 3850s were installed, so I have no experience with integrating ISE with the centralized model.

My questions are:

Do the downloadable ACLs currently present on the ISE server need to be duplicated on the 5520 WLC, or on the 3850s?

How will the 5520 know which ACL to apply when the client connects?

Where can I find specific information on how to do this?

2 Replies

nspasov
Cisco Employee

Hi there, my answers below:

Do the downloadable ACLs currently present on the ISE server need to be duplicated on the 5520 WLC, or on the 3850s?

NS: dACLs for wireless are only supported on converged access. Thus, you will need to create Access Lists on each 5520 controller that you have. If you have Cisco Prime that can save you a lot of time! :)

How will the 5520 know which ACL to apply when the client connects?

NS: Yes, after you define the ACLs on the WLC, you can then reference those ACLs in your Authorization Profiles in ISE. The RADIUS attribute that you would use is Airespace-ACL-Name.

Where can I find specific information on how to do this?

NS: Take a look at the following:

1. A configuration doc from Cisco that shows you CWA (Central Web Auth) for guest access

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

2. I also really like the Lab Minutes videos:

http://www.labminutes.com/video/sec/ISE

I hope this helps!

Thank you for rating helpful posts!
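The mechanism Neno describes is a name reference: ISE returns Airespace-ACL-Name (a sub-attribute of the Airespace Vendor-Specific attribute, enterprise number 14179, vendor-type 6) in the Access-Accept, and the WLC must already hold an ACL with exactly that name. The following Python is an added example, not code from this thread or from Cisco: it decodes that VSA from a constructed Access-Accept attribute list and checks the returned name against a constructed set of ACL names defined on the WLC, so a mismatch between what ISE sends and what was recreated on the 5520 shows up as "missing" or "case-mismatch".

```python
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type
AIRESPACE_VENDOR_ID = 14179   # enterprise number the AireOS WLC uses for its VSAs
AIRESPACE_ACL_NAME = 6        # vendor-type of Airespace-ACL-Name inside that VSA

def build_airespace_vsa(vendor_type, value):  # one VSA carrying one Airespace sub-attribute
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", AIRESPACE_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def iter_tlvs(data):
    """Walk a RADIUS attribute list, or a VSA's sub-attributes, yielding (type, value)."""
    pos = 0
    while pos < len(data):
        length = data[pos + 1] if pos + 1 < len(data) else 0
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield data[pos], data[pos + 2:pos + length]
        pos += length

def airespace_acl_names(attrs):
    """Return every Airespace-ACL-Name string present in an Access-Accept attribute list."""
    names = []
    for atype, value in iter_tlvs(attrs):
        if (atype != VENDOR_SPECIFIC or len(value) < 4
                or struct.unpack("!I", value[:4])[0] != AIRESPACE_VENDOR_ID):
            continue  # not an Airespace VSA (e.g. a Cisco vendor 9 cisco-av-pair)
        for vtype, vvalue in iter_tlvs(value[4:]):
            if vtype == AIRESPACE_ACL_NAME:
                names.append(vvalue.decode("ascii", "replace"))
    return names

def check_acl_reference(attrs, wlc_acls):
    """Classify whether the ACL name ISE returned exists on the WLC under exactly that name."""
    names = airespace_acl_names(attrs)
    if not names:
        return None, "no-acl-returned"   # the authorization profile sent no Airespace-ACL-Name
    name = names[0]
    if name in wlc_acls:
        return name, "ok"
    if name.lower() in {acl.lower() for acl in wlc_acls}:
        return name, "case-mismatch"     # defined on the WLC, but not spelled identically
    return name, "missing"               # nothing on the WLC answers to this name
# Constructed sample: a User-Name, the ACL name a BYOD profile returns, and the ACL names
# recreated on the 5520 (all made up); one WLC name differs from ISE's only in case.
SAMPLE_ACCEPT = (struct.pack("!BB", 1, 6) + b"jdoe"
                 + build_airespace_vsa(AIRESPACE_ACL_NAME, b"BYOD-Redirect"))
WLC_ACLS = {"AD-Corp-Access", "byod-redirect"}
if __name__ == "__main__":
    print(check_acl_reference(SAMPLE_ACCEPT, WLC_ACLS))  # ('BYOD-Redirect', 'case-mismatch')
```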

Neno,

Regarding what you said about "after you define the ACLs on the WLC, you can then reference those ACLs in your Authorization Profiles in ISE", does this mean that once the ACLs that exist on the ISE server are exactly recreated on the 5520, then the existing authorization profiles on the ISE server that reference those ACLs should continue to work as they do now? If so, then that is not what is happening.

We are using both machine authentication and user authentication. Different profiles and ACLs are applied depending on if the connection is made by an AD user on an AD joined device, or by an AD user on a personal BYOD device. They can both connect to the same dot1x configured SSID because of the existing profiles linked to the downloadable ACLs on the ISE server. I replicated the exact same ACLs on the 5520 expecting the same functionality we have now, but it's not working. AD users on AD joined devices work, but AD users on personal devices are not redirected to the device registration portal. I'm not sure how to fix this. Do you, or anyone else in this forum, know how to make this work?