INTERNET_ONLY ACL for C9800 Cloud using ISE

elom.kutsienyo
Level 1

I have an ISE infrastructure connected to a C9800 WLC Cloud (VM). The APs are in Flex mode and the Guest configuration on ISE is working properly for other Groups (Employees and Contractors). As long as the Flex ACL contains permit ip any any, everything works. 

 

I am trying to have an internet_only_acl that will block the entire private IP address space. Here is my ACL example.

 

ip access-list extended INTERNET_ONLY_ACL
10 permit udp any any eq domain log
20 permit udp any any eq bootps log
30 permit udp any any eq bootpc log
110 deny ip any 192.168.0.0 0.0.255.255 log
115 deny ip 192.168.0.0 0.0.255.255 any log
120 deny ip any 172.16.0.0 0.15.255.255 log
125 deny ip 172.16.0.0 0.15.255.255 any log
130 deny ip any 10.0.0.0 0.255.255.255 log
135 deny ip 10.0.0.0 0.255.255.255 any log
200 permit ip any any log

 

This access-list is applied in the Authorization profile as an Airespace ACL.

The problem is that the guest user/pc is unable to reach any resource including the internet when this ACL gets applied. 

 

Has anyone encountered this issue, or implemented an internet-only ACL on a 9800 in Flex mode? Your input is appreciated.

 

Thanks in Advance.

Elom
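Added example, not code from the thread and not Cisco code: a small Python evaluator for IOS-XE extended ACL syntax that runs the posted ACL against a few constructed guest flows. The guest subnet (192.168.50.0/24), the client address, the internal server and every flow are assumptions. It shows one property of the posted ACL that holds no matter how the WLC applies it: once the guest client itself holds an RFC 1918 address, the source-side denies (lines 115/125/135) drop the client's own packets to the internet and the destination-side denies (110/120/130) drop the return traffic, so the client reaches nothing but DNS and DHCP whether the ACL is evaluated from or toward the client. A revised ACL that exempts the guest subnet explicitly is evaluated alongside it.

```python
# Added example (not from the thread, not Cisco code): a first-match evaluator
# for IOS-XE extended ACL syntax ('any', 'host A', 'A WILDCARD', 'eq <port>';
# the 'log' keyword is ignored). Guest subnet and flows are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

WELL_KNOWN = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}

@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip", "udp" or "tcp"
    src: tuple             # (address_int, wildcard_int)
    dst: tuple
    dport: Optional[int]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _net(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return ((addr, wildcard), next_i)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "ip":               # 'ip access-list extended NAME' header line
            continue
        src, i = _net(t, 3)
        dst, i = _net(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = WELL_KNOWN.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(int(t[0]), t[1], t[2], src, dst, dport))
    return aces

def _match(ip, net):
    addr, wild = net                   # wildcard bits are "don't care" bits
    return (_ip(ip) | wild) == (addr | wild)

def evaluate(aces, proto, src, dst, dport):
    """(action, seq) of the first matching ACE; ('deny', None) is the implicit deny."""
    for a in aces:
        proto_ok = a.proto in ("ip", proto)
        port_ok = a.dport is None or a.dport == dport
        if proto_ok and port_ok and _match(src, a.src) and _match(dst, a.dst):
            return a.action, a.seq
    return "deny", None

POSTED_ACL = """
ip access-list extended INTERNET_ONLY_ACL
10 permit udp any any eq domain log
20 permit udp any any eq bootps log
30 permit udp any any eq bootpc log
110 deny ip any 192.168.0.0 0.0.255.255 log
115 deny ip 192.168.0.0 0.0.255.255 any log
120 deny ip any 172.16.0.0 0.15.255.255 log
125 deny ip 172.16.0.0 0.15.255.255 any log
130 deny ip any 10.0.0.0 0.255.255.255 log
135 deny ip 10.0.0.0 0.255.255.255 any log
200 permit ip any any log
"""

# Assumed rewrite: deny guest -> RFC1918 and RFC1918 -> guest explicitly, then
# permit the guest subnet to and from everything else (implicit deny for the rest).
REVISED_ACL = """
ip access-list extended INTERNET_ONLY_ACL_V2
10 permit udp any any eq domain
20 permit udp any any eq bootps
30 permit udp any any eq bootpc
40 deny ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255
41 deny ip 192.168.50.0 0.0.0.255 172.16.0.0 0.15.255.255
42 deny ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255
50 permit ip 192.168.50.0 0.0.0.255 any
60 deny ip 10.0.0.0 0.255.255.255 192.168.50.0 0.0.0.255
61 deny ip 172.16.0.0 0.15.255.255 192.168.50.0 0.0.0.255
62 deny ip 192.168.0.0 0.0.255.255 192.168.50.0 0.0.0.255
70 permit ip any 192.168.50.0 0.0.0.255
"""

GUEST = "192.168.50.10"                 # constructed guest client address
FLOWS = {                               # name: (proto, src, dst, dst_port)
    "guest -> public DNS":      ("udp", GUEST, "8.8.8.8", 53),
    "guest -> internet HTTPS":  ("tcp", GUEST, "93.184.216.34", 443),
    "internet HTTPS -> guest":  ("tcp", "93.184.216.34", GUEST, 51000),
    "guest -> internal server": ("tcp", GUEST, "10.1.1.5", 443),
    "internal server -> guest": ("tcp", "10.1.1.5", GUEST, 51001),
}

def compare():
    """Run every flow through both ACLs: {name: (posted_result, revised_result)}."""
    posted, revised = parse_acl(POSTED_ACL), parse_acl(REVISED_ACL)
    return {n: (evaluate(posted, *f), evaluate(revised, *f)) for n, f in FLOWS.items()}

if __name__ == "__main__":
    for name, (p, r) in compare().items():
        print(f"{name:26} posted: {str(p):16} revised: {r}")
```

This is a logic check only: it models the explicit ACEs plus the implicit deny and says nothing about whether the 9800 honours the RADIUS attribute used to push the ACL, which is the separate point the replies below deal with. Note that the revised ACL still lets DNS reach any address, including internal resolvers, because line 10 comes before the private-range denies, exactly as in the posted version; tighten it to a specific resolver if that is not wanted.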

 

 

Accepted Solution

Greg Gibbs
Cisco Employee

The Cat9800 runs IOS-XE rather than AireOS, so I suspect your Airespace ACL is not being applied to the session. Instead, similar to Catalyst switches, you would configure a local Redirect ACL on the WLC and use a DACL to apply restrictive access. If you prefer to configure a local ACL instead of using a DACL, you would use the Filter-ID option in the AuthZ Profile.

See the Central Web Authentication (CWA) on Catalyst 9800 Wireless Controllers and ISE Configuration Example for more info.


4 Replies


Actually, I have successfully tested using "Airespace ACL" and "Filter-ID" separately, referencing an ACL configured on the WLC-9800. Although the Cisco 9800 is IOS-XE, "Airespace ACL" also worked in my use case.

Note: Cisco WLC-9800 doesn't support dACL.

 

 

yogesh2009
Level 1

You need to create the ACL on the WLC and call it using Filter-ID. Don't use Airespace ACL.

I wanted to update this thread with what I observed in my environment. I had ISE send the Filter-ID and the "Method-List" to a 9800-40 WLC running 17.3.4c code and noticed the WLC didn't apply the filter until I configured the command "radius-server attribute 11 default direction inbound". Hopefully this helps someone.