cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1833
Views
0
Helpful
5
Replies

Wired NAC / FlexConnect AP / pre-auth default ACL / dACL permit ip any any

Jozef Cmorej
Level 1
Level 1

Hi all,

An FlexConnect AP is authenticated via 3650/3850 SW 16.x against ISE 2.3 with multi-host mode and there is the default ACL on the interface allowing only DHCP/DNS traffic before succesfull AuthC/AuhtZ. Is it possible to allow any communication on the interface coming from the wireless client by the dACL permit ip any any once the FlexAP is authorized? Is the dACL applied to the entire session for all MAC addresses or just for the MAC of the FlexConnect AP and the rest traffic is still blocked by the default ACL?

If the dACL does not work in this scenario, how can I permit any traffic from the connected wireless Client if the FlexAP is used in low impact mode and the interface is configured in multi-host mode?

Thank you.

1 Accepted Solution

Accepted Solutions

thomas
Cisco Employee
Cisco Employee

You are confusing the AP authentication and authorization with the wireless endpoints authentication and authorization through the AP.

 

The switchport configuration will apply for the AP. After you authorize the AP, you should change it's switchport dACL to 'permit ip any any'. The AP will then connect to the WLC and download its configuration. This will determine how the endpoints are handled with 802.1X.

 

When an endpoint associates to the AP, it will initiate 802.1X and the RADIUS authentication and authorization   will be done by the WLC to ISE and enforced by the AP per endpoint session (VLAN, dACL, etc.). If you did not allow 'permit ip any any' for the AP on the switchport, then it is entirely possible that all endpoints connecting through the AP a will be subjected to the AP's dACL on the switchport.

 

 

View solution in original post

5 Replies 5

An FlexConnect AP is authenticated via 3650/3850 SW 16.x against ISE 2.3 with multi-host mode and there is the default ACL on the interface allowing only DHCP/DNS traffic before succesfull AuthC/AuhtZ. Is it possible to allow any communication on the interface coming from the wireless client by the dACL permit ip any any once the FlexAP is authorized?

 

I never work on Flexpconnect AP but did work on LOCAL MODE AP. so here is my input. No. I think you cant do this. let understand the logic the AP and the Wireless controller create CAPWAP tunnel. which is secure communication. so you can not apply Dacl on this for client wireless users. unless you create the acl on wireless controller and Dacl on ISE to push the COA.

 

 

Is the dACL applied to the entire session for all MAC addresses or just for the MAC of the FlexConnect AP and the rest traffic is still blocked by the default ACL?

 

this would be apply on to Flexconnect AP only. even though you have authentication mode host-mode mult-auth enable.

 

 

If the dACL does not work in this scenario, how can I permit any traffic from the connected wireless Client if the FlexAP is used in low impact mode and the interface is configured in multi-host mode?

 

create a acl on wireless controller and so the DACL on ISE than married these two. you can achieve what you asking for.

please do not forget to rate.

Hi,

thank you for the response.

In my case the AP works in the FlexConnect mode, so user traffic is switched locally therefore there is a trunk configuration and host-mode multi-host on the interface. All wireless users are terminated locally, thus their MAC addresses are visible beside the interface. As there is the default ACL configured on this interface which allows only DHCP/DNS, it is necessary to permit all traffic after successful authC/authZ of the AP. I have tested applying dACL from the ISE on c3850 / SW 16.9 in my lab and it seemed to work properly, but on the switch in the productive network does not.

I would like to avoid using interface macros to erase the default ACL once the port goes up/down.

 

The DACL should typically supercede the interface ACL. Are you saying it is not happening? Please make sure the switch has the same configuration, AP mode/settings/configuration and software as the lab setup.

 

-Krishnan

 

thomas
Cisco Employee
Cisco Employee

You are confusing the AP authentication and authorization with the wireless endpoints authentication and authorization through the AP.

 

The switchport configuration will apply for the AP. After you authorize the AP, you should change it's switchport dACL to 'permit ip any any'. The AP will then connect to the WLC and download its configuration. This will determine how the endpoints are handled with 802.1X.

 

When an endpoint associates to the AP, it will initiate 802.1X and the RADIUS authentication and authorization   will be done by the WLC to ISE and enforced by the AP per endpoint session (VLAN, dACL, etc.). If you did not allow 'permit ip any any' for the AP on the switchport, then it is entirely possible that all endpoints connecting through the AP a will be subjected to the AP's dACL on the switchport.

 

 

Hi,

thank you for the reply.

I am not confusing the AP AuthC/AuthZ with the wireless endpoints AuthC/AuthZ.  We can assume that the connected clients are authenticated successfully. My question was whether the dACL is applied to the entire session to all connected MAC addresses (AP + wifi clients) in case of the multi-host mode and the FlexAP.

When I run the command "show platform software fed switch 1 acl interface | begin 1/0/2" on the c3850 with the software version 16.9 once the FlexAP is authorized, I can see that on GigabitEthernet 1/0/2 interface, any MAC address (0000.0000.0000) is subject to PREAUTH_DEFAULT_ACL, the FlexAP MAC address 00c0.eeb0.0249 is subject to PERMIT_ALL_TRAFFIC + PREAUTH_DEFAULT_ACL.

 

show platform software fed switch 1 acl interface | begin 1/0/2
MAC 0000.0000.0000
########################################################
    intfinfo: 0xffdc01ea28
    Interface handle: 0xab00003c
    Interface Type: Port
    if-id: 0x0000000000000008
    Input IPv6: Policy Handle: 0x900007f
        Policy Name: sisf v6acl 0001DF80
             CG ID: 1
       CGM Feature: [0] acl
        Bind Order: 0

    Input IPv4: Policy Handle: 0xfc00007d
        Policy Name: PREAUTH_DEFAULT_ACL
             CG ID: 5
       CGM Feature: [0] acl
        Bind Order: 0

INTERFACE: Client MAC 00c0.eeb0.0249
MAC 00c0.eeb0.0249
########################################################
    intfinfo: 0xffdc043618
    Interface handle: 0x31000090
    Interface Type: Group
    if-id: 0x0000000012c5e550
    Input IPv4: Policy Handle: 0xe6000088
        Policy Name: PREAUTH_DEFAULT_ACL:xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3:
             CG ID: 272
       CGM Feature: [35] acl-grp
        Bind Order: 0

 

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: