cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2585
Views
0
Helpful
10
Replies

Cisco WLC Flexconnect DACL with ISE not working

islam.kamal
Level 10
Level 10

I have an integration between Cisco ISE and WLC 9800. All AP with flexconnect mode, am trying to restrict access for some internal applications using ISE.

I created the ACL on WLC "extended ACL".

On ISE "profile authorization", i tried with the following:-

1- Airspace ACL "using created WLC ACL" not working.

2-ACL "filter In" not working.

 

Any solution to push the ACL from ISE to WIFI users who connect to WIFI using flexconnect APs, kindly share the solution.

1 Accepted Solution

Accepted Solutions

Hi Kamal,

Below are radius attributes supported by 9800's. Configure them in you Cisco ISE Authorization profile.

  1. Tunnel-Private-Group-ID = 1 <VLAN ID or name>
  2. Tunnel-Type = 1:13
  3. Tunnel-Medium-Type = 1:6
  4. Airespace:Airespace-Interface-Name = <name of vlan or vlan goup on WLC)
  5. Airespace-ACL-Name = <ACL name configured in the WLC)

Highlighted is the one you should be focusing on. As mentioned before please make sure that you push the ACL to AP by configuring the Flex profile.

View solution in original post

10 Replies 10

islam.kamal
Level 10
Level 10

Any advise,please.

Arshad Safrulla
VIP Alumni
VIP Alumni

9800 doesn't officially support support DACL's yet. Please refer the enhancement bug

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv16183

You might be able to get it working since controller itself is running IOS-XE code, but however it is not officially supported and caused behavior which might impact other primary functions of WLC.

islam.kamal
Level 10
Level 10

Yes, i know about the bug. Is there any solution to restrict or deny some IPs for WIFI users.

WLC controller IOS-XE C9800.

ISE 2.7

Arshad Safrulla
VIP Alumni
VIP Alumni

You must create the ACL in WLC, and then make sure that is pushed to AP's via making required configuration changes in Flex profiles.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#anc23:~:text=of%20the%20rules.-,Flexconnect%20Local%20Switching%20Access%20Points%20ONLY,-What%20if%20you

Flex Profile >> Policy ACL

Also Make sure that you are running Cisco recommended IOS-XE codes as some older and short-lived codes have limitations with regards to Radius implementation. 

Refer the below post which is very helpful as well.

Solved: WLC C9800 AirSpace ACL does not get applied - Cisco Community

islam.kamal
Level 10
Level 10

Yes, now the issue how can i call the ACLwhich created on WLC by ISE.

Also the ACL to deny some application, not for redirect "i have to do a check mark for central web"

Hi Kamal,

Below are radius attributes supported by 9800's. Configure them in you Cisco ISE Authorization profile.

  1. Tunnel-Private-Group-ID = 1 <VLAN ID or name>
  2. Tunnel-Type = 1:13
  3. Tunnel-Medium-Type = 1:6
  4. Airespace:Airespace-Interface-Name = <name of vlan or vlan goup on WLC)
  5. Airespace-ACL-Name = <ACL name configured in the WLC)

Highlighted is the one you should be focusing on. As mentioned before please make sure that you push the ACL to AP by configuring the Flex profile.

islam.kamal
Level 10
Level 10

Thanks Arshad, but still unable to apply the ACL and user has all permit access.I attached the configuration based on your recommendation.

islam.kamal
Level 10
Level 10

Appreciate your support, the WLC ACL in place and ISE use the same ACL "airespace ACL name".

 

islam.kamal
Level 10
Level 10

any idea

Arshad Safrulla
VIP Alumni
VIP Alumni

Hi Islam,

Yes, ACL name and the Airspace ACL name must be same. You can do a radioactive trace from 9800 WLC to see what parameters ISE is sending and how the client is reacting to it. Alternatively, you can also do a PCAP to confirm radius messages are sent with the required parameters. 

Review Cisco Networking for a $25 gift card