ISE 1.4 - Hotspot ACL not working

I configured the Hotspot portal on ISE 1.4

The first process works fine: the redirect occurs and the device MAC address joins the Endpoint group. When I connect again, ISE checks whether the MAC address is in the Endpoint group, matches the authorization profile, and applies the Airespace ACL-INTERNET to the device.
I can see in the WLC that the device is connected with IPv4 ACL-INTERNET received from ISE, but I have no access to the Internet.
I created rule number one of ACL-INTERNET to permit ip any any in the WLC. I can resolve site names and ping my gateway, but I cannot ping any external site address or telnet to any external IP address and port.

Anyone else seen this behavior?

Accepted Solution

I should have been more clear - with all versions of WLC code since 7.5, radius-applied FlexConnect ACLs get applied to both the ingress and egress. 

For your acl-redirect ACL, the typical entries for Local mode would be:

Where .237 and .238 are the PSNs.

For your acl-internet, again for Local mode, the ACL would typically look something like this:

Notice the "Inbound" direction for the RFC1918 address space.

For FlexConnect, you do not have the concept of "Direction" that you can deal with when creating FlexConnect ACLs.

Tim

6 Replies

A couple of clarifying questions:

1) Are these APs in FlexConnect or Local mode?  What WLC version?

2) Does the Message Log in the WLC give any clues?  Management > Logs > Message logs

3) If you remove the ACL from the HOTSPOT-INTERNET authz profile, does it change the behavior?

Tim


1) Are these APs in FlexConnect or Local mode?  What WLC version?
AP in FlexConnect mode and WLC version 8.1.102.0

2) Does the Message Log in the WLC give any clues?  Management > Logs > Message logs

none

3) If you remove the ACL from the HOTSPOT-INTERNET authz profile, does it change the behavior?

If I remove the ACL, the access works fine.

Now I am working in a new lab and everything is working fine, with a few differences:
AP in Local mode, WLC version 8.0.120.0


Moises,

Can you post your ACL?  Remember, as of 7.5 WLC code, FlexConnect ACLs applied via Radius get applied to both ingress and egress.  Are you locally switching your guest traffic?  If so and you have deny statements for the RFC1918 address space to block all potential internal network access from the guest session, you may need to add a permit statement for your guest subnet above the RFC1918 denies.  It's not elegant and is definitely not scalable to a bunch of locations. 

I posted this issue recently here, along with the feature request I filed: 

https://supportforums.cisco.com/discussion/12593161/ise-guest-flexconnect-local-switching

Tim

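To make Tim's point concrete, here is an added Python model of first-match ACL evaluation in the two modes he contrasts. It is not Cisco, ISE or WLC code and not Moises's actual ACL (which is not shown in the thread). It assumes, as labelled in the comments, that a Local-mode entry's "Inbound" direction means packets from the wireless client toward the network and "Outbound" the reverse, that a FlexConnect ACL has no direction and the same list is checked on both ingress and egress as Tim describes, and it uses a constructed guest subnet 192.168.50.0/24, a constructed internal host 10.1.1.1 and a constructed public destination 198.51.100.10.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of WLC-style ACL evaluation; not vendor code.
# Assumption: "inbound"  = packet from the wireless client toward the network,
#             "outbound" = packet from the network toward the wireless client.


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = "any"           # "inbound", "outbound" or "any"; Local mode only


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


ANY = net("0.0.0.0/0")
GUEST = net("192.168.50.0/24")       # constructed guest subnet
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]


def evaluate(acl, src: str, dst: str, direction: str, mode: str) -> str:
    """First-match evaluation of one packet; returns "permit" or "deny".

    mode == "local":       the entry direction must match the packet direction.
    mode == "flexconnect": direction is ignored and every entry is checked
                           against packets in both directions (Tim's note on
                           radius-applied FlexConnect ACLs since 7.5 code).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if mode == "local" and e.direction not in ("any", direction):
            continue
        if s in e.src and d in e.dst:
            return e.action
    return "deny"                    # implicit deny at the end of the list


def session_allowed(acl, client: str, remote: str, mode: str) -> bool:
    """A usable session needs the client's packet out AND the reply back in."""
    out = evaluate(acl, client, remote, "inbound", mode)
    back = evaluate(acl, remote, client, "outbound", mode)
    return out == "permit" and back == "permit"


# Local-mode ACL-INTERNET in the spirit of Tim's accepted answer: block the
# RFC1918 space for client-originated (Inbound) packets, permit everything else.
ACL_INTERNET_LOCAL = [Entry("deny", ANY, n, "inbound") for n in RFC1918] + [
    Entry("permit", ANY, ANY)
]

# The same entries pushed to a FlexConnect AP: there is no direction to set.
ACL_INTERNET_FLEX = [Entry("deny", ANY, n) for n in RFC1918] + [
    Entry("permit", ANY, ANY)
]

# Tim's workaround: a permit for the guest subnet above the RFC1918 denies.
ACL_INTERNET_FLEX_FIXED = [Entry("permit", ANY, GUEST)] + ACL_INTERNET_FLEX

CLIENT, INTERNET, INTERNAL = "192.168.50.10", "198.51.100.10", "10.1.1.1"


def summary() -> dict:
    """Outcome of each ACL/mode pair for a guest client reaching the Internet
    and for the same client trying to reach an internal RFC1918 host."""
    return {
        "local: internet": session_allowed(ACL_INTERNET_LOCAL, CLIENT, INTERNET, "local"),
        "local: internal": session_allowed(ACL_INTERNET_LOCAL, CLIENT, INTERNAL, "local"),
        "flex: internet": session_allowed(ACL_INTERNET_FLEX, CLIENT, INTERNET, "flexconnect"),
        "flex fixed: internet": session_allowed(ACL_INTERNET_FLEX_FIXED, CLIENT, INTERNET, "flexconnect"),
        "flex fixed: internal": session_allowed(ACL_INTERNET_FLEX_FIXED, CLIENT, INTERNAL, "flexconnect"),
    }


if __name__ == "__main__":
    for case, ok in summary().items():
        print(f"{case:22s} {'session works' if ok else 'session blocked'}")
```

Running it shows the effect Tim describes: in Local mode the RFC1918 denies only hit client-originated packets, so the reply from the public address comes back. Applied without direction, the same "deny any -> 192.168.0.0/16" entry also matches the reply packet, whose destination is the guest client's own RFC1918 address, and the session fails even though the outbound packet was permitted. With the guest-subnet permit placed above the denies the session works again and the client still cannot initiate traffic to 10.0.0.0/8; the cost, which is why Tim calls it inelegant, is that the extra permit admits anything addressed to the guest subnet, so it is worth reviewing what that entry lets through toward the guest clients.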

7.5 code does not apply to my scenario; I am using 8.0.120.0.

I am using the access point in Local mode, and traffic to the Internet only worked after I added rule number 5.

Another important point that I noted is that ACL-REDIRECT only needs to allow traffic between the guest network and the ISE. All other traffic is automatically redirected to the ISE; however, DNS and DHCP do not need to be declared in the ACL, the ACL allows this traffic.

Third point: if I add a rule number 3 deny ip any any to ACL-REDIRECT, the CWA redirect process does not work.


Usually, when I have a failure like this, it comes down to CAPITALIZATION or spelling on one of the devices...