I have a customer using flex connect APs with locally switched WLANs. Recently we started implementing ISE for WLAN authentication. The customer has around 20 AD groups and wanted to have different ACLs for users in different groups.
For this purpose I configured different authorization policies (contains airespace-ACL attribute from with the name of the flexconnect ACL configured in the WLC) for each group. Today when I tried to add a flexconnect ACL to the flexconnect group I got an error saying "maximum 16 policies are allowed on the group" and it stopped me from adding the ACL. I read that we have a restriction of 16 flexconnect ACLs per group. Since the WLAN is locally switched, I believe that the ACL has to be present in the flexconnect group. Is there any other way than using flexconnect ACLs in such a situation?.
Our requirement is to restrict access for wireless users based on their AD group with posture assessment. If anyone has come across the same situation kindly help.
Our ISE version is : 2.4 patch 8
Our WLC version is : 8.3.x
Our WLC model is : 5520
I see no alternative other than either to consolidate the 20 groups into 16 or fewer or to split the flexconnect group into 2 or more or to use another means for access control.
Thanks @hslai .. Unfortunately reducing the AD groups is not a solution since customer has around 8 domains. Their requirement is to use single SSID and based on the AD group the user should be restricted.
I am trying to think other alternatives like
1- Change the AP mode to Local
Currently the customer has two controllers sitting in two different data centers and have APs spanned in 5 branches. If we change the AP mode to local, then there will be more utilization on the WAN link since both data and management traffic will be tunnelled to the WLC.
2- Place a controller at each branch and change the AP mode to Local
The other option is to use separate WLC in each location and change the AP mode to Local. In this case the headache would be managing the controllers.
Just one question, would you know whether we can configure Aire space ACLs from Cisco Prime and push it to a number of controllers?.
Can you consolidate the ACLs at all so two or more AD Groups ultimately use the same ACL or do they all have to be different?
1) As you said local mode will increase WAN traffic so I don't recommend that.
2) You can deploy a virtual WLC to achieve this without extra cost if you have a server at each branch. Managing them isn't so hard with something like Cisco Prime where you can create templates and push configurations on bulk.
To answer your ACL Q.. yes you have a couple of choices with CPI. You can create the ACLs on one WLC then use CPI to 'discover' that and push to other WLCs (with a config template) or alternatively just create
Personally I would create those ACLs on one WLC, then perform a grep include acl "show run-config commands" on the CLI to grab the CLI config for all those ACLs. With that I would create a CLI template in CPI and deploy/push to all my new local WLCs.
Even if I put a virtual WLC in the branch, currently the vWLC does not support local mode right. Since it supports only Flexconnect mode we still have the limitation of 16 flex connect ACLs per flex connect group. So I assume we should put physical controllers in each branch and should go for local mode in the APs. The customer has prime 3.1 and it has option to create ACL templates. I created a test ACL and pushed it to a 5520 controller and it seems to be working good.
But do you know if there any limitation on the number of normal ACLs we can create on the WLC?. Maximum we may have is 100. I hope it will be supported.
I guess we cannot do central switching using vWLC. Kindly check the below link. Refer features not supported by vWLC.
Kindly check the below thread. It is a bit confusing.