Showing results for 
Search instead for 
Did you mean: 

c9800 Flex Connect Post Auth ACL Issue

Level 1
Level 1

I already have a TAC case open on this but I wanted to see if anyone else has run across this...

I am deploying new c9800-40's and have a requirement to do flex connect with CWA. I had this set up with my 5520's and it worked without issue but for some reason I am hitting a wall with the new configs.

I have the SSID set up and the CWA redirect and subsequent auth happens without issue. However when the post auth "internet-only" ACL gets applied on the AP, the client has no network access. The exact same ACL is used on a centrally switch WLAN and works without issue.

I've test this on both 3802i and 9136i AP's and it made no difference.

I have found plenty of documentation on how to set up the redirect (much of it vague) and none seem to actually discuss the post-auth ACL portion of the configuration. Any help would be greatly appreciated.

EDIT: In testing with TAC, we found that the ACL that is downloaded to the AP is blocking the user. It is not adding an exception for the client so the line in the ACL which blocks the 10.x network is effectively blocking the client and access to the gateway. We were able to test this theory by removing the line referencing the 10.x network and the client had access. However, this negates the security control by also allowing the client access to internal resources on a guest network. The same ACL processed by the controller (centrally switched vs. flex connect) works without issue. 

Post-Mortem: I worked with my account team, TAC and a wireless engineer to test this both on AIR-OS and on the IOS-XE controllers. The behavior is the same. After much debate, it was determined that the ACL behavior is by design as the AP Operating System does not currently process ACL's in the same manner as switches, routers or wireless controllers. As a result you are left with solutions that require additional configuration and or infrastructure to support it. So, you can leave it centrally switched or add infrastructure and or configuration to accommodate security policy around locally switched networks (i.e. ACL's on upstream switch, firewall gateway, VRF's etc...) 

I have requested that a feature request be opened on this issue as I firmly believe that if I can push policy via a NAC or SGT type solution to pretty much any other Cisco Product that the AP should behave in the same manner. Hopefully, this functionality will come in later releases. 

Here is the Wireless Configuration:


wlan flex-test 7 flex-test
 assisted-roaming prediction
 dot11ax target-waketime
 dot11ax twt-broadcast-support
 mac-filtering ise-radius-aaa
 scan-report association
 no security ft adaptive
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security dot1x authentication-list ise-radius-aaa
 no shutdown

wireless profile flex cwa-flex-profile
 acl-policy PERMIT-ANY
 ip http client proxy 0
 native-vlan-id 50
 vlan-name flex-client-wireless
  vlan-id 50

wireless profile policy cwa-portal-flex-policy-profile
 aaa-policy dvn-aaa-policy
 no accounting-interim
 accounting-list ise-radius-aaa
 no central dhcp
 no central switching
 no flex umbrella dhcp-dns-option
 ipv4 flow monitor wireless-avc-basic input
 ipv4 flow monitor wireless-avc-basic output
 ipv6 flow monitor wireless-avc-basic-ipv6 input
 ipv6 flow monitor wireless-avc-basic-ipv6 output
 vlan 50
 no shutdown

wireless tag site ap-join-flex-site-tag
 ap-profile flex-test-ap-join-profile
 flex-profile cwa-flex-profile
 no local-site

ap profile flex-test-ap-join-profile
 country US
 mgmtuser username [REDACTED] password [REDACTED] secret [REDACTED]
 ntp ip
 no oeap link-encryption
 no oeap local-access
 no oeap provisioning-ssid
 preferred-mode ipv4
 statistics ap-system-monitoring alarm-enable
 statistics ap-system-monitoring enable
 statistics ap-radio-monitoring action radio-reset
 statistics ap-radio-monitoring alarm-enable
 statistics ap-radio-monitoring enable
 syslog host

ap 6871.61f2.2a04
 policy-tag flex-test-policy-tag
 rf-tag dvn-campus-rf-tag
 site-tag ap-join-flex-site-tag


Here are my ACL's:


ip access-list extended ACL-INTERNET-ONLY
 10 permit udp any any eq bootps
 20 permit udp any any eq bootpc
 30 permit udp any any eq domain
 40 permit tcp any <---ACCESS TO ISE PSN's Post-Auth
 50 permit tcp any <---ACCESS FROM ISE PSN's Post-Auth
 60 deny ip any
 70 deny ip any
 80 deny ip any
 90 permit ip any any

ip access-list extended ACL-WEBAUTH-REDIRECT
 10 deny ip any
 20 deny ip any
 30 deny udp any any eq domain
 40 deny udp any eq domain any
 50 permit tcp any any eq www


I see the client in a run state and in ISE I see a full complete auth against the CWA portal. 


MAC Address        AP Name        Type ID       State         Protocol Method     Role
2222.98b7.0b43     AP6871-61F2-2A04   WLAN 7    Run           11ax(5)  MAB        Local 


Here I see the association and auth applied:


WLC1# sh wireless client mac-address 2222.98b7.0b43 detail 
Client MAC Address : 2222.98b7.0b43
Client MAC Type : Locally Administered Address
Client DUID: NA
Client IPv4 Address :
Client IPv6 Addresses : fe80::41f:24f5:bbf7:850
Client Username : XXXXXXXXXXXXXX
AP MAC Address : 6871.6196.0630
AP Name: AP6871-61F2-2A04
AP slot : 1
Client State : Associated
Policy Profile : cwa-portal-flex-policy-profile
Flex Profile : cwa-flex-profile
Wireless LAN Id: 7
WLAN Profile Name: flex-test
Wireless LAN Network Name (SSID): flex-test
BSSID : 6871.6196.063f
Connected For : 150 seconds 
Protocol : 802.11ax - 5 GHz
Channel : 161
Client IIF-ID : xxx
Association Id : 2
Authentication Algorithm : Open System
Idle state timeout : N/A
Session Timeout : 1800 sec (Remaining time: 1594 sec)
Session Warning Time : Timer not running
Input Policy Name  : None
Input Policy State : None
Input Policy Source : None
Output Policy Name  : None
Output Policy State : None
Output Policy Source : None
WMM Support : Enabled
U-APSD Support : Disabled
Fastlane Support : Enabled
Client Active State : Active
Power Save : OFF
Current Rate : 24.0
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
AAA QoS Rate Limit Parameters:
  QoS Average Data Rate Upstream             : 0 (kbps)
  QoS Realtime Average Data Rate Upstream    : 0 (kbps)
  QoS Burst Data Rate Upstream               : 0 (kbps)
  QoS Realtime Burst Data Rate Upstream      : 0 (kbps)
  QoS Average Data Rate Downstream           : 0 (kbps)
  QoS Realtime Average Data Rate Downstream  : 0 (kbps)
  QoS Burst Data Rate Downstream             : 0 (kbps)
  QoS Realtime Burst Data Rate Downstream    : 0 (kbps)
  Move Count                  : 0
  Mobility Role               : Local
  Mobility Roam Type          : None
  Mobility Complete Timestamp : 07/11/2023 12:39:47 CDT
Client Join Time:
  Join Time Of Client : 07/11/2023 12:39:47 CDT
Client State Servers : None
Client ACLs : None
Policy Manager State: Run
Last Policy Manager State : IP Learn Complete
Client Entry Create Time : 343 seconds 
Policy Type : N/A
Encryption Cipher : None
Transition Disable Bitmap : 0x00
User Defined (Private) Network : Disabled
User Defined (Private) Network Drop Unicast : Disabled
Encrypted Traffic Analytics : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
VLAN Override after Webauth : No
VLAN : 50
Multicast VLAN : 0
WiFi Direct Capabilities:
  WiFi Direct Capable           : No
Session Manager:
  Point of Attachment : capwap_9040000e
  IIF ID             : xxx
  Authorized         : TRUE
  Session timeout    : 1800
  Common Session ID: xxx
  Acct Session ID  : xxx
  Last Tried Aaa Server Details:
        Server IP :
  Auth Method Status List
        Method : MAB
                SM State        : TERMINATE
                Authen Status   : Success
  Local Policies:
        Service Template : wlan_svc_cwa-portal-flex-policy-profile (priority 254)
                VLAN             : 50
                Absolute-Timer   : 1800
  Server Policies:
                Filter-ID        : ACL-INTERNET-ONLY
  Resultant Policies:
                Filter-ID        : ACL-INTERNET-ONLY
                VLAN             : 50
                Absolute-Timer   : 1800
DNS Snooped IPv4 Addresses : None
DNS Snooped IPv6 Addresses : None
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 0
Fast BSS Transition Details :
  Reassociation Timeout : 0
11v BSS Transition : Implemented
11v DMS Capable : No
QoS Map Capable : No
FlexConnect Data Switching : Local
FlexConnect Dhcp Status : Local
FlexConnect Authentication : Central
Client Statistics:
  Number of Bytes Received from Client : 299981
  Number of Bytes Sent to Client : 2507060
  Number of Packets Received from Client : 1695
  Number of Packets Sent to Client : 2121
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -32 dBm
  Signal to Noise Ratio : 64 dB
Fabric status : Disabled
Radio Measurement Enabled Capabilities
  Capabilities: Link Measurement, Passive Beacon Measurement, Active Beacon Measurement, Table Beacon Measurement, Statistics Measurement, AP Channel Report
Client Scan Report Time : Timer not running
Client Scan Reports 
  Last Report @: 07/11/2023 12:43:00
Assisted Roaming Neighbor List 
Nearby AP Statistics:
EoGRE : Pending Classification
  Device Protocol  : HTTP
    Type             : 1    115 
    Data             : 73
    00000000  00 01 00 6f 4d 6f 7a 69  6c 6c 61 2f 35 2e 30 20  |...oMozilla/5.0 |
    00000010  28 69 50 68 6f 6e 65 3b  20 43 50 55 20 69 50 68  |(iPhone; CPU iPh|
    00000020  6f 6e 65 20 4f 53 20 31  36 5f 35 5f 31 20 6c 69  |one OS 16_5_1 li|
    00000030  6b 65 20 4d 61 63 20 4f  53 20 58 29 20 41 70 70  |ke Mac OS X) App|
    00000040  6c 65 57 65 62 4b 69 74  2f 36 30 35 2e 31 2e 31  |leWebKit/605.1.1|
    00000050  35 20 28 4b 48 54 4d 4c  2c 20 6c 69 6b 65 20 47  |5 (KHTML, like G|
    00000060  65 63 6b 6f 29 20 4d 6f  62 69 6c 65 2f 31 35 45  |ecko) Mobile/15E|
    00000070  31 34 38                                          |148             |
Max Client Protocol Capability: Wi-Fi6 (802.11ax)
WiFi to Cellular Steering : Not implemented
Cellular Capability : N/A
Advanced Scheduling Requests Details:
  Apple Specific Requests(ASR) Capabilities/Statistics:
    Regular ASR support: DISABLED


And on the AP I can see the ACL being applied to the client but it shows a bunch of drops:


AP6871-61F2-2A04#sh client access-lists post-auth all 2222.98b7.0b43
Post-Auth URL ACLs for Client: 22:22:98:B7:0B:43

IPv6 ACL: 

Resolved IPs for Client: 22:22:98:B7:0B:43
HIT-COUNT       URL             ACTION  IP-LIST

        rule 0: allow true and ip proto 17 and dst port 67
        rule 1: allow true and ip proto 17 and dst port 68
        rule 2: allow true and ip proto 17 and dst port 53
        rule 3: allow true and dst mask and ip proto 6
        rule 4: allow true and src mask and ip proto 6
        rule 5: deny true and dst mask
        rule 6: deny true and dst mask
        rule 7: deny true and dst mask
        rule 8: allow true
No IPv6 ACL found
         Acl name Quota Bytes left In bytes Out bytes In pkts Out pkts Drops-in Drops-out
ACL-INTERNET-ONLY     0          0     1756     38725       8      374      348         9



20 Replies 20

Aomar bahloul

@Rich R 

This is another instance of cisco being consistently inconsistent! It seems like you have a better understanding of the AP ACLs can you tell me how you would configure this ACL to work as an AP ACL:

permit ip any host
permit tcp any host eq 445
permit tcp any host eq 443
deny ip any
deny ip any
deny ip any
permit ip any any

ha ha - didn't you know the Cisco developers' motto is "consistently inconsistent" ? <smile>

Seriously though - as I mentioned above you have forgotten to allow the traffic in both directions!
You haven't told us what your client range is so we can't complete but let's assume your client range is then your 4th ACL entry (deny ip any will drop the return traffic to your clients - just doing what you tell it to do...  So you would the rewrite it like this to allow the traffic in both directions and only deny your client range trying to reach the RFC1918 ranges not the replies to your client range:
permit ip any host
permit ip host any

permit tcp any host eq 445
permit tcp host eq 445 any
permit tcp any host eq 443
permit tcp host eq 443 any

deny ip
deny ip
deny ip
permit ip any any


Aomar bahloul

@Rich R 

On the actual ACL I deployed I did allow traffic on both directions the ACL I provided is a normal ACL not the AP ACL. 

The part I didn't figure out was the the deny statements. 

Thank you for your help. 

No problem - glad to help.  Don't forget to mark as solution if that solved your problem.

was a bug ID ever assigned to this?

@jcatanzaro As I highlighted above:
@xxkozxx said above "After much debate, it was determined that the ACL behavior is by design as the AP Operating System" so as far as Cisco is concerned this is not a bug.

If you want this behaviour changed you should raise an enhancement request through your Cisco account team.  Note that to have any hope of being taken up by the Wireless Networks Business Unit your request should have a substantial business case supporting it (meaning $$$$ value) and ideally backing from other customers with similar business cases.

Review Cisco Networking for a $25 gift card