ISE Airespace ACL WLC problem

Alexander Murin
Beginner

Hello,

I've configured ISE and WLC to use the guest portal with CWA, but there is a problem with CoA -- it doesn't want to apply the Airespace ACL after auth at the guest portal.

1. At the authC page I've configured wireless MAB to continue if user not found and to use Internal Users as the identity store.

2. At the authZ page I've configured WEBAUTH as the default rule with the following:

Access Type = ACCESS_ACCEPT

cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT

cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa

3. I've also configured this ACL on the WLC to permit:

permit dns and icmp any-any

permit any-to-ise-8443

permit ise-to-any

This part works fine because I am redirected to the guest portal and can use my guest login & password to authorize myself. The guest account was previously generated through the sponsor portal and it's working too.

4. At the authC page I've set wireless dot1x to use Internal Users.

5. At the authZ page I've used an "if Internal Users:Guest then GUEST permission" rule.

6. GUEST rule looks like the following:

Access Type = ACCESS_ACCEPT

Airespace-ACL-Name = GUEST_INTERNET_ONLY

7. This ACL is configured on the WLC permitting any except private networks (ISE is also permitted).

After guest portal auth I see a success message and I am able to ping the internet, but I have no web access to it. It looks like CoA and the Airespace ACL are not working: I keep using my ACL-WEBAUTH-REDIRECT access list, and I see strange error messages in the WLC logs:

*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".

I swear my ACL name spelling is correct and both ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC with their counters growing!

I have no idea what the issue could be...

Any ideas?

P.S. See the attachment for the Live Authentications log.

Accepted Solution

You could try 'debug client ' in the WLC CLI and try to connect with the client. Here you see if the WLC applies your ACL.

Looks like this for my permit-all ACL:

*apfReceiveTask: Oct 25 11:17:05.867: c8:bc:c8:13:4e:35 172.16.10.13 WEBAUTH_REQD (8) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'PERMIT-ALL' (ACL ID 1) --- (caller apf_policy.c:1762)

It should be close to the bottom.

And then afterwards, debug disable-all.

Another question: you can ping the internet but have no web access, same with URLs? Is DNS working after the last ACL is applied?

About this line in the log:

*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".

I get that with CWA working, so I'm not sure that's related (to my setup).


Regards
Mikael

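Reading 'debug client' output by hand works for one client, but the check Mikael describes (did the WLC move the session from the redirect ACL to the post-auth ACL after CoA?) is easy to automate. The following is an added example, not code from the thread or from Cisco: it parses the two line shapes quoted above ("Changing IPv4 ACL ... ===> ..." and "%ACL-3-ENTRY_DONOT_EXIST ... by name"), and reports whether a given client ended up on the expected ACL. The sample lines are constructed for the example (the MAC, IP, timestamps and ACL IDs are made up), and the ACL names are assumed to be the ones from the original question.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of 'debug client' output. The line shapes follow the ones
# quoted in the thread; MAC, IP, timestamps and ACL IDs are made up here.
SAMPLE_DEBUG = """\
*apfReceiveTask: Oct 25 11:17:05.867: c8:bc:c8:13:4e:35 172.16.10.13 WEBAUTH_REQD (8) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'ACL-WEBAUTH-REDIRECT' (ACL ID 2) --- (caller apf_policy.c:1762)
*apfReceiveTask: Oct 25 11:17:05.900: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".
*apfReceiveTask: Oct 25 11:18:40.120: c8:bc:c8:13:4e:35 172.16.10.13 RUN (20) Changing IPv4 ACL 'ACL-WEBAUTH-REDIRECT' (ACL ID 2) ===> 'GUEST_INTERNET_ONLY' (ACL ID 3) --- (caller apf_policy.c:1762)
"""

# "<mac> <ip> <STATE> (<n>) Changing IPv4 ACL '<old>' (ACL ID x) ===> '<new>' (ACL ID y)"
ACL_CHANGE_RE = re.compile(
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<ip>\S+) (?P<state>\S+) \(\d+\) "
    r"Changing IPv4 ACL '(?P<old>[^']*)' \(ACL ID \d+\) ===> '(?P<new>[^']*)' \(ACL ID \d+\)"
)
# "%ACL-3-ENTRY_DONOT_EXIST: ... Unable to find an ACL by name "<name>""
ACL_MISSING_RE = re.compile(
    r'%ACL-3-ENTRY_DONOT_EXIST: .*Unable to find an ACL by name "(?P<name>[^"]*)"'
)


@dataclass
class AclChange:
    mac: str
    ip: str
    state: str   # client state at the moment of the change, e.g. WEBAUTH_REQD or RUN
    old: str
    new: str


def parse_acl_changes(text: str) -> List[AclChange]:
    """Extract every per-client ACL transition line, in log order."""
    changes = []
    for line in text.splitlines():
        m = ACL_CHANGE_RE.search(line)
        if m:
            changes.append(AclChange(m["mac"], m["ip"], m["state"], m["old"], m["new"]))
    return changes


def missing_acl_names(text: str) -> List[str]:
    """Names the WLC failed to look up; an empty string means the name was empty."""
    names = []
    for line in text.splitlines():
        m = ACL_MISSING_RE.search(line)
        if m:
            names.append(m["name"])
    return names


def final_acl_for(text: str, mac: str) -> Optional[str]:
    """The ACL the client was last moved to, or None if no change line was seen."""
    last = None
    for change in parse_acl_changes(text):
        if change.mac.lower() == mac.lower():
            last = change.new
    return last


def check_cwa_flow(text: str, mac: str, redirect_acl: str, final_acl: str) -> List[str]:
    """Return a list of problems with the CWA ACL sequence for one client (empty = OK)."""
    findings = []
    applied = [c.new for c in parse_acl_changes(text) if c.mac.lower() == mac.lower()]
    if not applied:
        findings.append(f"no ACL change lines for {mac}: is the debug filtered on this client?")
        return findings
    if redirect_acl not in applied:
        findings.append(f"redirect ACL '{redirect_acl}' was never applied")
    if applied[-1] != final_acl:
        findings.append(f"last ACL is '{applied[-1]}', expected '{final_acl}' after CoA")
    # An empty-name lookup is reported in the thread as appearing even when CWA works,
    # so only a non-empty name that the WLC cannot find is treated as a mismatch.
    for name in missing_acl_names(text):
        if name:
            findings.append(f"WLC could not find ACL '{name}': name differs from the ISE attribute?")
    return findings


if __name__ == "__main__":
    mac = "c8:bc:c8:13:4e:35"
    for change in parse_acl_changes(SAMPLE_DEBUG):
        print(f"{change.mac} {change.state:<12} {change.old} -> {change.new}")
    problems = check_cwa_flow(SAMPLE_DEBUG, mac, "ACL-WEBAUTH-REDIRECT", "GUEST_INTERNET_ONLY")
    print("OK" if not problems else "\n".join(problems))
```

Run it against a saved 'debug client' capture (after 'debug disable-all', as Mikael says) and compare the last "Changing IPv4 ACL" line for your client MAC with the Airespace-ACL-Name in the ISE authorization profile; if the redirect ACL is the last one applied, the CoA never produced a new ACL assignment on the WLC.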

11 Replies

nspasov
Cisco Employee

Hello Alexander,

A few questions:

1. Is the WLAN H-REAP/FlexConnect?

2. Do you have "AAA override" checked under the advanced settings?

3. Can you check the detailed authentication in ISE for the entry right after you entered the guest username/password? In that window you should see the ACL that is being applied to that session/user.

4. What version of code are you using for both ISE and your WLC?

5. Can you paste screenshots for each configuration tab for your WLAN?

Hi Neno,

thank you for engaging with my problem!

About your questions:

1. The WLAN is not H-REAP or FlexConnect, it's MAC filtering without any L3 security.

2. The "AAA override" is checked and "Radius NAC" is used as "NAC State" option.

3. According to the authZ details (see screenshot) the Airespace ACL is successfully applied.

4. WLC Software Version 7.2.110.0 and ISE Version 1.1.1.268 with ADE-OS Version 2.0.4.018.