Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1163
Views
5
Helpful
2
Replies

ACL on 9800-CL

mhapsekar.suyog
Level 1
Level 1

‎08-19-2020 02:16 AM - edited ‎07-05-2021 12:25 PM

Hello,

We have deployed 9800-CL Wireless controller in the AWS cloud. As we know it supports only local switching in the cloud hence the guest user subnet is configured in the LAN.

 

Guest user is getting successfully authenticated on the internal captive portal on the WLC and able to access the internet.

 

To stop guest user from accessing company's internal resources, we have applied 'internet only' ACL (which blocks guest subnet from accessing internal network) in the VLAN tab of the flex profile however users are still able to access the internal network.

 

May I know if we are applying the ACL at right place? or should this ACL be under policy_ACL tab in the flex profile?


As I understand policy_acl tab in Flex profile is only for webauth ACLs?

 

Regards,

0 Helpful
2 Replies 2

Rich R
VIP
VIP

‎08-20-2020 09:44 AM

Guest users should be on a separate VLAN that does not have any access at all to internal resources!
You should not be relying on an ACL to protect you!
------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

RosesTin
Level 1
Level 1

‎08-26-2020 04:02 AM

Although the VLAN part of the flex profile allows you to assign an ACL it doesn't push it to the AP itself. For that you'll need to use the Policy ACL tab. Just select the appropriate ACL in there, with nothing else and it'll get added to the AP.

 

With Flexconnect you can also still assign the ACL to the Policy Profile associated to the WLAN. In this case you'd still need to push the ACL to the AP as a Policy ACL.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card