Flexconnect dACL with ISE v2.1

Vivek Ganapathi
Level 4

Hello All,

Need some assistance around the dACL for FlexConnect Access Points. We have configured all our FlexConnect AP switchports in Multi-Host authentication mode. But when we issue the restrictive dACL, the underlying hosts are unable to connect to the SSID being broadcast. As soon as we issue a full permit dACL, it works. So I'm suspecting some missing ports in the dACL I have below, or the only other issue I could think of is that in Multi-Host mode the dACL is applied to the entire session instead of just the first MAC address seen on the switchport. By the way, the dACL below is common for LWAPP APs too and they work just fine.

remark Allow Control and Provisioning of Wireless Access Points (CAPWAP) protocols.
permit udp any any range 5246 5248
permit udp any range 5246 5248 any
remark Allow Lightweight Access Point Protocol (LWAPP)
permit udp any any range 12222 12224
permit udp any range 12222 12224 any
remark Allow remote access (telnet and SSH)
permit tcp any range 22 23 any
remark Allow DHCP
permit udp any any eq 67
permit udp any any eq 68
remark Allow DNS
permit udp any any eq 53
remark Allow RDLP
permit udp any any eq 6352
remark Allow NSI Protocol
permit udp any any eq 37540
permit udp any any eq 37550
remark Allow TFTP
permit udp any any eq 69
remark Allow FTP
permit tcp any any eq 21
remark Allow Syslog
permit udp any any eq 514
permit icmp any any
deny ip any any
Please help.

Edit: IOS version on the switch is 15.0(2)SE7

Regards

Vivek

Vivek Ganapathi
Level 4

All,

Just thought I'd post an update in case someone is having a similar issue. A Cisco TAC case was raised to understand this issue. With Multi-Host mode, the controls applied to the endpoint seen first by the switch are also applied to all the underlying endpoints. In other words, the dACL is applied to the entire session. So in the above case, the FlexConnect AP was the first MAC to be seen by the switch and hence was issued the AP dACL. Once the workstation connected to the AP, the same dACL was applied to it as well. This causes the problem. The solution is to allow all traffic in the dACL, i.e. permit ip any any.

Regards

Vivek
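As an added illustration (not part of the thread, and not Cisco's code), a small first-match evaluator for the AP dACL posted above, run against constructed flows from the AP and from a workstation behind it, shows the Multi-Host behaviour described in the reply: the single session-wide dACL is evaluated against the client's traffic too, so anything the AP-oriented list does not cover (here HTTPS and SMB) is dropped until the list is widened. Address matching is omitted because every entry in this dACL uses any.

```python
# Added example (not from the thread): minimal first-match evaluator for the
# AP dACL above, used to show the Multi-Host session behaviour. Flows are constructed.
ANY = (0, 65535)
def parse_ace(line):
    # <permit|deny> <proto> any [eq N | range A B] any [eq N | range A B]; 'any' only
    tok, ports, i = line.split(), [], 2
    for _ in range(2):                      # source spec, then destination spec
        i += 1                              # skip the 'any' address token
        if i < len(tok) and tok[i] == "eq":
            ports.append((int(tok[i + 1]),) * 2); i += 2
        elif i < len(tok) and tok[i] == "range":
            ports.append((int(tok[i + 1]), int(tok[i + 2]))); i += 3
        else:
            ports.append(ANY)
    return tok[0], tok[1], ports[0], ports[1]
def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]
def evaluate(acl, flow):
    """First match wins; a Cisco ACL ends with an implicit deny."""
    proto, sport, dport = flow
    for action, aproto, (slo, shi), (dlo, dhi) in acl:
        if aproto in ("ip", proto) and slo <= sport <= shi and dlo <= dport <= dhi:
            return action
    return "deny"
def session_verdicts(acl, flows):
    """Multi-Host mode: the one dACL on the port is applied to every host's flow."""
    return {name: evaluate(acl, f) for name, f in flows.items()}
AP_DACL = parse_acl("""
permit udp any any range 5246 5248
permit udp any range 5246 5248 any
permit udp any any range 12222 12224
permit udp any range 12222 12224 any
permit tcp any range 22 23 any
permit udp any any eq 67
permit udp any any eq 68
permit udp any any eq 53
permit udp any any eq 6352
permit udp any any eq 37540
permit udp any any eq 37550
permit udp any any eq 69
permit tcp any any eq 21
permit udp any any eq 514
permit icmp any any
deny ip any any""")
PERMIT_ALL = parse_acl("permit ip any any")
# Constructed flows: the AP's own control traffic and a workstation behind it.
FLOWS = {"ap_capwap": ("udp", 5246, 5246), "ap_dhcp": ("udp", 68, 67),
         "client_dns": ("udp", 51000, 53), "client_https": ("tcp", 51001, 443),
         "client_smb": ("tcp", 51002, 445)}
```

Running session_verdicts(AP_DACL, FLOWS) permits the AP flows and client DNS but denies client HTTPS and SMB; with PERMIT_ALL every flow is permitted, which matches the TAC outcome in the reply.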
