06-16-2020 09:29 AM
I have an ISE infrastructure connected to a C9800 WLC Cloud (VM). The APs are in Flex mode, and the Guest configuration on ISE is working properly for other groups (Employees and Contractors). As long as the Flex ACL contains permit ip any any, everything works.
I am trying to build an internet_only_acl that blocks the entire private IP address space. Here is my ACL example.
ip access-list extended INTERNET_ONLY_ACL
10 permit udp any any eq domain log
20 permit udp any any eq bootps log
30 permit udp any any eq bootpc log
110 deny ip any 192.168.0.0 0.0.255.255 log
115 deny ip 192.168.0.0 0.0.255.255 any log
120 deny ip any 172.16.0.0 0.15.255.255 log
125 deny ip 172.16.0.0 0.15.255.255 any log
130 deny ip any 10.0.0.0 0.255.255.255 log
135 deny ip 10.0.0.0 0.255.255.255 any log
200 permit ip any any log
This access-list is applied on the Authorization Profile as an Airespace ACL.
The problem is that the guest user/PC is unable to reach any resource, including the internet, when this ACL gets applied.
Has anyone encountered this issue, or implemented an internet-only ACL on a 9800 in Flex mode? Your input is appreciated.
Thanks in advance.
Elom
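To see what the posted ACL actually does to a guest flow, here is a small first-match ACE evaluator written for this thread (added example, not code from the original post or from Cisco). It parses the ACL exactly as posted, then evaluates a few constructed flows. It assumes that the guest client holds an RFC 1918 address (192.168.50.10 is a constructed value) and that the ACL is evaluated statelessly, packet by packet, first match wins. A second ACL, DESTINATION_ONLY_ACL, is the editor's own variant that keeps only the destination-side denies; it is an assumption about the intended "internet only" policy, not something from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# The ACL as posted in the thread (sequence numbers and "log" keywords kept).
INTERNET_ONLY_ACL = """
10 permit udp any any eq domain log
20 permit udp any any eq bootps log
30 permit udp any any eq bootpc log
110 deny ip any 192.168.0.0 0.0.255.255 log
115 deny ip 192.168.0.0 0.0.255.255 any log
120 deny ip any 172.16.0.0 0.15.255.255 log
125 deny ip 172.16.0.0 0.15.255.255 any log
130 deny ip any 10.0.0.0 0.255.255.255 log
135 deny ip 10.0.0.0 0.255.255.255 any log
200 permit ip any any log
"""

# Editor's variant (assumption): deny only traffic TO private destinations,
# so a client that itself has a private address is not caught by the
# source-side denies (115/125/135 in the posted ACL).
DESTINATION_ONLY_ACL = """
10 permit udp any any eq domain log
20 permit udp any any eq bootps log
30 permit udp any any eq bootpc log
110 deny ip any 192.168.0.0 0.0.255.255 log
120 deny ip any 172.16.0.0 0.15.255.255 log
130 deny ip any 10.0.0.0 0.255.255.255 log
200 permit ip any any log
"""

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _net(tokens) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, tokens consumed)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard mask -> prefix length (assumes a contiguous wildcard, as in the posted ACL)
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), 2


def parse_acl(text: str):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto, rest = int(tok[0]), tok[1], tok[2], tok[3:]
        src, n = _net(rest)
        rest = rest[n:]
        dst, n = _net(rest)
        rest = rest[n:]
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(seq, action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto: str, src_ip: str, dst_ip: str, dport: int):
    """First matching ACE decides; returns (action, seq). Implicit deny if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None


POSTED = parse_acl(INTERNET_ONLY_ACL)
DESTINATION_ONLY = parse_acl(DESTINATION_ONLY_ACL)

# Constructed sample flows: (proto, src, dst, dport, description)
FLOWS = [
    ("udp", "192.168.50.10", "10.0.0.53", 53, "guest -> internal DNS"),
    ("tcp", "192.168.50.10", "93.184.216.34", 443, "guest -> internet HTTPS"),
    ("tcp", "192.168.50.10", "10.1.1.20", 445, "guest -> internal SMB"),
]

if __name__ == "__main__":
    for name, acl in (("posted ACL", POSTED), ("destination-only ACL", DESTINATION_ONLY)):
        print(name)
        for proto, src, dst, dport, desc in FLOWS:
            print(f"  {desc:26s} -> {evaluate(acl, proto, src, dst, dport)}")
```

With the posted ACL, the guest's HTTPS flow to the internet is denied at sequence 115 before it ever reaches the permit at 200, because the client's own source address is inside 192.168.0.0/16; only DNS and DHCP get through the top three permits. The destination-only variant permits the internet flow at 200 and still denies the SMB attempt at 130. Which one is correct depends on how the ACL is bound on the WLC (direction and method), which is what the answers below address.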
06-16-2020 03:25 PM
The Cat9800 runs IOS-XE rather than AireOS, so I suspect your Airespace ACL is not being applied to the session. Instead, similar to Catalyst switches, you would configure a local Redirect ACL on the WLC and use a DACL to apply restrictive access. If you prefer to configure a local ACL instead of using a DACL, you would use the Filter-ID option in the AuthZ Profile.
See the Central Web Authentication (CWA) on Catalyst 9800 Wireless Controllers and ISE Configuration Example for more info.
02-01-2023 03:18 AM
Actually, I have successfully tested using "Airespace ACL" and "Filter-ID" separately, referencing an ACL configured on the WLC-9800. Even though the Cisco 9800 is IOS-XE, "Airespace ACL" also worked in my use case.
Note: Cisco WLC-9800 doesn't support dACL.
06-16-2020 08:16 PM
You need to create the ACL on the WLC and call it using Filter-ID. Don't use Airespace ACL.
04-04-2022 12:50 PM
I wanted to update this thread with what I observed in my environment. I had ISE send the Filter-ID and the "Method-List" to a 9800-40 WLC running 17.3.4c code and noticed the WLC didn't apply the filter until I configured the command "radius-server attribute 11 default direction inbound". Hopefully, this helps someone.