Hi Matthew Martin
I think it may sound stupid for me to say this but all of us make mistakes.
Are you sure you are specifying an Airespace ACL and not just DACL under authorization results like below
the same ACL name has to be defined exactly in the WLC with the same name (case-sensitive) under Security tab and if you are using flexconnect Wireless Design you need to also Flexconnect ACL with the same name to work perfectly fine.
Hey Mohamed, thanks for the reply.
We have another Authorization Profile called "Wireless_ISE_Redirect". In that profile I've selected the following:
*I don't remember why we selected the Display Cert Renewal Message option... Is this something you think is needed??
On the Wireless Controller > Wireless > FlexConnect Groups > Group-Name > ACL Mapping > Policies: I have a FlexConnect ACL under Policy Access Control Lists called "ISE_ONLY".
So after the client connects to Guest Wi-Fi, they get the Wireless_ISE_Redirect profile shown above. Then, after they authenticate successfully through the login page, they get the 2nd Auth Profile (*Wireless_Guest_Internet) which has the dACL checked as well as the Vlan assignment. See below:
So are you saying the dACLs are for Wired connections only, and what I would need to do is create the same ACL on the WLC and add a 2nd Policy Access Control List in the FlexConnect Group and give it whatever name I use under the Airespace ACL Name..?
*FYI, our original configuration was to just assign the Vlan for the Guest (*no dACL assignment) and then just allow the NAD (*Switches) to decide what Vlan7 can access. The NADs have a Zone-Based Firewall which sets access. I had another forum post for assistance on how to get Vlan7 the correct access. But, I never got ANY replies, so I thought to try this method above with the dACL...
Thanks Again,
Matt
Hi Matthew Martin
Sorry for late reply I had long nights at Data Centers :)
So are you saying the dACLs are for Wired connections only, and what I would need to do is create the same ACL on the WLC and add a 2nd Policy Access Control List in the FlexConnect Group and give it whatever name I use under the Airespace ACL Name..?
Yes, dACLs would be ignored by WLC and only Airespace ACL would be processed, you can configure both dACL and Airespace ACL and use the same Authorization profile for both wired and wireless and the NAD will accept the corresponding ACL and ignore the other (Switch will download dACL, WLC will process Airespace ACL (wACL)).
Difference here is that Switch download the dACL from the Authentication server (ISE) where in WLC you need to define the Airespace ACL locally inside the WLC.
Now where to configure this Airespace ACL depends on your Wireless design architecture (Local vs Flexconnect)
In Locally Switched WLAN, You need to define the Airespace ACL under Security --> Access Control Lists --> Access Control Lists (This is for AireOS WLCs).
There should be Two ACLs: Redirect ACL (for Redirection) and Airespace ACL (for final Access).
In Flexonnect WLAN, You need to define the Airespace ACL under Security --> Access Control Lists --> Flexconnect Lists (This is for AireOS WLCs)
There should be Two ACLs: Redirect ACL (for Redirection) and Airespace ACL (for final Access).
The Same ACLs in Flexconnect design should be mapped under the FlexConnect Groups or under manually under the AP itself depending on your environment. for one customer i have have to manually assign these ACL manually under each Flexconnect AP as shown below.
Now modify your ISE authorization profile to include Airespace ACL under common task and put the same name you defined in WLC. (You can keep the dACL if you are going to use this profile for wired connection also but if not you can safely remove it ).
I hope this helps
