Options for wireless access lists

chad.drier
Level 1

Hello Community, currently we are using Airespace access lists in ISE and using local mode instead of centrally switched. Our Cisco rep told us that we shouldn't use Airespace access lists and these should be using dACLs instead. Everything I have read for wireless, you should use Airespace and dACLs are for wired.

Is this not true? Are there other ways to deploy access lists when using wireless locally switched?

Thank you!

Accepted Solutions

Colby LeMaire
VIP Alumni

That is correct. AFAIK, dACLs are not supported on the wireless side yet. You have to create the named ACLs on the controller and then you can reference them by name in your ISE policies.

While this is true for the 5500 series, it is entirely dependent on the WLC OS.

The most widely deployed WLC models (5500, 2500, 3500) are built on the AireOS and would require Airespace ACLs, but some models are built on IOS-XE. The IOS-XE models like the 5700 series do support downloadable ACLs.

The new Catalyst 9800 series WLCs are also built on IOS-XE and support the use of dACLs as shown in this ISE and Catalyst 9800 Series Integration Guide.

Cheers,

Greg

4 Replies

@Colby LeMaire is right. I have been going through deploying wireless in our enterprise over the last few weeks. We have 5520 WLCs with ~45 APs. On the WLC, set up your ACLs under: Security -> Access Control Lists. Then in the authz profile you intend to use, reference them via Airespace ACL name. Make sure on the WLC side your AAA servers, override etc. are configured properly.

Thanks @Greg Gibbs for the great information. This makes a lot of sense because we are currently on the 2504/5508 but we will be migrating to the Catalyst 9800 series WLCs. Thank you!
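
An added example, not posted by anyone in this thread: how the two mechanisms discussed above differ in the RADIUS Access-Accept that ISE returns, and how to tell them apart when reviewing a capture. It assumes the standard Airespace-ACL-Name VSA (vendor 14179, type 6) and the Cisco AV-pair dACL reference (vendor 9, type 1); the ACL names and attribute blobs are constructed.

```python
import struct

VENDOR_SPECIFIC = 26                        # RADIUS attribute type for VSAs (RFC 2865)
AIRESPACE, AIRESPACE_ACL_NAME = 14179, 6    # Airespace-ACL-Name: ACL must pre-exist on the WLC
CISCO, CISCO_AVPAIR = 9, 1                  # cisco-av-pair: carries the dACL reference
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="

def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single text sub-attribute."""
    data = value.encode()
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, vendor_id) + sub

def decode_vsas(attrs):
    """Yield (vendor_id, vendor_type, text) for every VSA in an attribute blob."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        body = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j + 2 <= len(body):
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("malformed vendor sub-attribute")
                yield vendor_id, vtype, body[j + 2:j + vlen].decode(errors="replace")
                j += vlen
        i += alen

def acl_mechanisms(attrs):
    """Classify ACL-related attributes as a controller-local named ACL or a dACL."""
    found = []
    for vendor, vtype, text in decode_vsas(attrs):
        if (vendor, vtype) == (AIRESPACE, AIRESPACE_ACL_NAME):
            found.append(("named-acl", text))
        elif (vendor, vtype) == (CISCO, CISCO_AVPAIR) and text.startswith(DACL_PREFIX):
            found.append(("dacl", text[len(DACL_PREFIX):]))
    return found

# Constructed samples: what an AireOS WLC and an IOS-XE WLC would each be sent.
AIREOS_ACCEPT = encode_vsa(AIRESPACE, AIRESPACE_ACL_NAME, "EMPLOYEE_ACL")
IOSXE_ACCEPT = encode_vsa(CISCO, CISCO_AVPAIR, DACL_PREFIX + "#ACSACL#-IP-EMPLOYEE_DACL-00000000")
```

With the named-ACL attribute the controller only receives a name, so an ACL with exactly that name has to exist on the WLC already; with the dACL reference the rules themselves are held on ISE and fetched by the controller.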