08-08-2023 07:03 AM
Hi,
I need to set up a Guest Portal for a customer using Cisco ISE + Cisco 5520 vWLC. I have created a redirect ACL under Security -> Access Control Lists, but I guess I'm trying to figure out how the ACL is applied to the specific Guest SSID.
- The SSID does not have FlexConnect Local Switching enabled.
- The access points are in FlexConnect mode.
- The access points are members of an AP-group that broadcasts the SSID.
- The access points are members of a FlexConnect group.
Now, what I'm trying to wrap my head around is how the ACL is applied to the SSID? The Guest SSID is mapped to an Interface (Guest), which uses another ACL (for traffic control). Where do I apply the redirect ACL I created so that clients connecting to the SSID will be redirected to ISE? I know there is a setting under WLAN -> Advanced -> Override Interface ACL, but I guess this overrides the ACL used for traffic control? I want both these ACLs applied to the SSID. I also know you can apply FlexConnect ACLs to FlexConnect groups, but since the SSID is not mapped to a VLAN in the WLAN-VLAN mapping tab I guess the ACL won't apply to the Guest SSID?
08-11-2023 04:21 AM - edited 08-11-2023 04:37 AM
If the SSID is not FlexConnect enabled, then you don't need to do anything special, just configure the redirect ACL on the controller. It doesn't need to be mapped to the SSID, it just needs to be defined so it is available for use if the RADIUS server requests it to be applied to a specific client session.
08-11-2023 05:02 AM
Thanks for the help! While reading some guides for implementing this I figured this must be the way if you look at the traffic flow. I was always thinking that when the client connects, the WLC must push out the ACL to the AP. But after reading some guides, Cisco ISE must have the exact same ACL configured so that when a client connects, the WLC will send a MAB request to ISE which then pushes the ACL to the WLC (who already has this configured) who sends it to the AP. I thought the ACL-Redirect happened somewhere between Client - AP or AP - WLC.
08-11-2023 05:10 AM
Not exactly. ISE pushes the ACL name as a RADIUS attribute to the WLC, not the ACL itself. The ACL still needs to be configured on the WLC, where it gets applied to the session.
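As an added illustration of the flow described in this thread (not code from the thread or from Cisco), a small Python check of what the WLC actually receives: ISE returns only the ACL name in a `cisco-av-pair` attribute, so the controller must already hold an ACL with exactly that name. The Access-Accept attributes, the MAC address, the portal URL and the controller's ACL list are all constructed sample values.

```python
"""Verify that the redirect ACL named by ISE exists on the WLC.

The WLC matches url-redirect-acl by *name* against its own ACL table;
the ACL rules themselves never travel over RADIUS. A name mismatch
between the ISE authorization profile and the WLC is a common reason
the guest redirect silently fails.
"""

# Constructed sample of the attributes ISE returns in an Access-Accept
# for a MAB (MAC Authentication Bypass) guest session.
SAMPLE_ACCESS_ACCEPT = {
    "User-Name": "aa:bb:cc:dd:ee:ff",  # constructed client MAC
    "cisco-av-pair": [
        "url-redirect-acl=ACL_WEBAUTH_REDIRECT",
        "url-redirect=https://ise.example.test:8443/portal/gateway"
        "?sessionId=SESSION_ID_PLACEHOLDER&portal=GUEST",
    ],
}

# Constructed list of ACL names defined on the controller
# (on AireOS this is what `show acl summary` would list).
WLC_ACLS = {"ACL_WEBAUTH_REDIRECT", "GUEST_TRAFFIC_CONTROL"}


def parse_av_pairs(pairs):
    """Split 'key=value' cisco-av-pair strings into a dict (first value wins)."""
    parsed = {}
    for pair in pairs:
        if "=" not in pair:
            continue  # malformed attribute, ignore
        key, value = pair.split("=", 1)
        parsed.setdefault(key.strip(), value.strip())
    return parsed


def check_redirect(access_accept, wlc_acls):
    """Return (ok, message) saying whether the WLC can apply the redirect."""
    av = parse_av_pairs(access_accept.get("cisco-av-pair", []))
    acl_name = av.get("url-redirect-acl")
    url = av.get("url-redirect")
    if acl_name is None or url is None:
        return False, "Access-Accept carries no url-redirect-acl/url-redirect; no CWA redirect"
    # ACL names on the WLC are case-sensitive, so the comparison is exact.
    if acl_name not in wlc_acls:
        return False, f"ACL '{acl_name}' named by ISE is not defined on the WLC"
    return True, f"redirect via ACL '{acl_name}' to {url}"


if __name__ == "__main__":
    print(check_redirect(SAMPLE_ACCESS_ACCEPT, WLC_ACLS))
```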