12-12-2024 02:20 AM
Have run into a very strange problem.
Background: the customer wants to go from 8540/Prime to 9800/CatC. CatC will manage all of the SSIDs (except for Guest). They currently use around 75 dACLs and these cannot be removed/changed.
Running tests in their pre-prod lab.
Setup:
9800 WLC currently running v17.15.2 (have tried with 17.12.3, same result).
CatC running v2.3.7.7-70047
ISE running v3.3 patch 3
EAP-TLS
When applying the dACL (Authorization Profile) the client gets "ACL failure"; when removing the dACL the client gets authenticated. Have configured cisco-av-pair (authorization profile) but the option "Method-List" is not visible in ISE. Added this manually, using the list that DNAC pushed into the WLC.
Have configured a dACL in the WLC; it works. This is not a feasible workaround since most of the clients connect to the same SSID with different access policies and VLANs.
Have read a lot of posts on different forums and... they all state: use SDA and/or SGT.
Grateful for any tips, tricks and pointers.
12-15-2024 08:25 PM
The problem has been "solved". The problem was that CatC removed the radius-server send vsa commands and changed the aaa method-list (authorization) default network group radius to: default network "dnac-xxx.xxx".
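For reference, here is the IOS-XE configuration a 9800 needs for ISE to push a dACL, reconstructed from the two items the solution post names (the radius-server vsa send commands and the network authorization method list). This is an added example, not configuration from the thread or from CatC; the server name ISE-PSN-1, the group name ISE-GROUP, the policy profile name POLICY-CORP, the address 192.0.2.10 and the shared secret are placeholders.

```cisco-ios
! Added example, not from the thread. Names, address and key are placeholders.
aaa new-model
!
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
aaa group server radius ISE-GROUP
 server name ISE-PSN-1
!
! The network authorization list is what the WLAN's policy profile uses.
! In the thread CatC had replaced "default network group radius" with a
! "dnac-xxx.xxx" list; whatever list the WLAN references must point at the
! RADIUS group that contains ISE, otherwise no authorization result is applied.
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting network default start-stop group ISE-GROUP
!
! ISE returns the dACL as a Cisco vendor-specific attribute (cisco-av-pair).
! Without these two lines the WLC does not exchange VSAs, so the dACL name
! cannot be received and the client lands in "ACL failure".
radius-server vsa send authentication
radius-server vsa send accounting
!
! Dynamic authorization (CoA) from ISE, which the thread's reply mentions.
aaa server radius dynamic-author
 client 192.0.2.10 server-key PLACEHOLDER-SHARED-SECRET
!
! AAA override must be on for the returned dACL / VLAN to apply to the client.
wireless profile policy POLICY-CORP
 aaa-override
 no shutdown
```

To check that a DNAC/CatC sync has not silently reverted this, compare `show run | include vsa send` and `show aaa method-lists authorization` against the lines above after each provisioning run, and confirm on a test client with `show wireless client mac-address <mac> detail` that the dACL name from ISE appears under the client's server policies and that `show access-lists` lists the downloaded ACL.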
12-12-2024 02:26 AM
The dACL must be configured in the WLC before it is pushed from AAA.
Are you sure you configured the correct dACL name?
MHM
12-12-2024 02:43 AM
The problem is that there are 75+ different dACLs (currently used/configured in the ISE); it is not manageable for our customer to manually add/change these in the WLC. They have an IoT (SSID) network that has about 25 different dACLs, and the client "picks" the first dACL policy that it "sees" (when configured in the WLC) regardless of whether it is the correct dACL. Furthermore, I have been working with DNAC for a number of years now and the one thing that is constant is that DNAC doesn't like configuration changes that are "done" outside of DNAC; it sometimes clears the configuration. Our customer is a municipality (25000+ users/students, 4000+ access points, 150+ sites); they want it to work as it does today (using the dACLs that are configured in ISE).
12-12-2024 02:46 AM
Picks a dACL??
ISE returns the dACL name via CoA. You can check whether it is an issue of ISE or the WLC by checking the live log details and checking the dACL name pushed to the WLC.
MHM
12-12-2024 02:37 AM - edited 12-12-2024 02:38 AM
Do you have "AAA override" enabled?
Check this
12-13-2024 01:55 AM
Yes it is
12-13-2024 01:57 AM
I have taken a lot of screenshots, but I must "blur" them first before I can show them here. It will take a couple of hours.