cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1184
Views
0
Helpful
4
Replies

9800L Airespace ACL + Flexconnect Local Switching + CWA

sys_gorski_1983
Level 1
Level 1

Hi All,

 

migrating from 5508 to 9800. Guest network is based on AUP page from ISE servers - i was able to create ACL for FlexConnect redirect. When accepting AUP page i should be redirected to the internet. 

In ISE logs i see user is authenticated (before authentication i see message -  5417 Dynamic Authorization failed ) but after that message all logs show user is authenticated and Airespace ACL has been applied. 

 

ACL has been also created on controller and applied to the Flex policy. In addition on the controller I see logs for hitting rule on the ACL (traffic seems to be permitted - there is only on user on the controller at the moment)

 

Looking also into controller dashboard i see one client where Policy Manage = RUN and following info at Security:

Screenshot 2020-01-20 at 23.21.15.png

 

Any ideas what can be still wrong? 

 

 

 

 

4 Replies 4

JPavonM
VIP
VIP

You may be missing the Authorization rule in ISE.

Take into consideration that after been Authenticated in L2 with MAB, and redirected to the splash page in ISE, you need to check the AUP to be Authenticated in L3. That triggers ISE to send a Change of Authorization packet (CoA) to release the device and allow access to the Internet. For that to happen, you need to create an authorization rule in ISE.

Authorization rules are present on ISE - i'm just migrating from 5508 to 9800. Policies are already there and seems to be working fine. Today i tried to do antoher test - i've configured CWA on FlexConnect with Central switching -> this is working fine and as desired. 

Client is able to connect to SSID, trying to access any web page and is immediately redirected to AUP. After accept of AUP i have access to internet. 

 

With FlexConnect it is a little bit more complex - when accessing web page i'm able to get content of the main page but whenever trying to go somewhere further i'm redirected to AUP. after accept of AUP i should be able to access internet using the same authorization profile. Looks like it is done properly but somehow airespace-acl is not attached to the client. 

I have been facing similar issues because having two L3 separate DC's, with controllers in HA (no SSO) and AAA servers for guests located in the DMZ and not sharing information between them internally.

 

In the standard way of working, the device register in one of the WLC's, and this WLC send the Radius-Request packet to the AAA server instance (let's call it AAA#1) configured in the WLC (normally the one in the DMZ from the same DC). Then, AAA#1 sends the Radius-Accept packet with URL redirect and pre-Auth-ACL.

 

In my topology, there are different DNS resolutions per DC based on where the user is been allocated (in the central switching model) and supported by F5 GTM. But, when the client connect remotely (Flexconnect) that IP address is not located in any of the DC's, hence sending default DNS resolution that maybe in the other DC.

 

Now, in this scenario, as the AAA servers do not share information of the previous Radius packet, you open the UAP page hosted in AAA#2 in the other DC, you accept that. At this time AAA#2 do not have any information regarding that session that has been accepted in AAA#1, so it is not released (CoA packet not sent).

 

The only solution I've managed to try to solve it is to configure different VLANs in the Flex AP depending on the controller it is registered. As every VLAN has different DNS resolution for the CWA portal, every AAA server has all the information that they need to authorize the connection.

 

HTH

Jesus

*** Rate All Helpful Responses ***

 

in my case issue was with code 16.12.1 - when i updated controller to 16.12.02s issue disappeared. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: