
ISE WLC DACL Flex

Ben Meagher
Level 1

ISE 1.2 Patch 2

VWLC 7.4.100.0

Specifically flex connect APs

We have successfully built the first self registration MAB'ed Z policy which authorizes all MACs to hit the CWA and a redirect. With Flex you must have an IPv4 and a Flex ACL on the controller that is referenced in the Z result policy. We have this in and it is working to here. Upon completion of the Guest Portal signup, we also reauth, which then combs the Zs for the Guest flow, which is being hit and resulting in a Guest Z Result. Our dilemma is that upon the successful secondary Z, the client will receive the successful completion and the logs also show the successful Z and Z result, but the client cannot go anywhere and soon reauths. On the controller, the client has the Guest IPv4 ACL. Our big question: is the client supposed to have a cloned FlexConnect ACL also applied, and if so, how do I tweak the Z result to do so? All of the documentation references that I could find are for the redirect only, and that is for a bug workaround until we're on 7.5.

Again, specifically flex APs

3 Replies

Ben,

Look at this doc. It appears you need to be on 7.5 for per-user RADIUS ACLs to work on FlexConnect.

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b3690b.shtml

Still pretty buggy and my testing shows that you can only leverage one ACL per mapped VLAN too... someone please correct me.

Apparently this bug was fixed in 7.5 but that image was removed from Cisco's site and they released 7.6 which fixes the issue. I am about to start implementing this so I can update with any results.

Out of interest, do you have this working in 7.6?

Thanks

Mario
