09-25-2022 11:29 AM
I have an integration between Cisco ISE and a WLC 9800. All APs are in FlexConnect mode, and I am trying to restrict access to some internal applications using ISE.
I created the ACL on the WLC as an "extended ACL".
In the ISE "authorization profile", I tried the following:
1- Airespace ACL "using the created WLC ACL": not working.
2- ACL "filter In": not working.
Is there any solution to push the ACL from ISE to WIFI users who connect to WIFI using FlexConnect APs? Kindly share the solution.
09-25-2022 11:50 PM
Any advice, please?
09-26-2022 12:53 AM
The 9800 doesn't officially support DACLs yet. Please refer to the enhancement bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv16183
You might be able to get it working since the controller itself is running IOS-XE code; however, it is not officially supported and causes behavior which might impact other primary functions of the WLC.
09-26-2022 12:59 AM
Yes, I know about the bug. Is there any solution to restrict or deny some IPs for WIFI users?
WLC controller IOS-XE C9800.
ISE 2.7
09-26-2022 01:20 AM - edited 09-26-2022 01:28 AM
You must create the ACL on the WLC, and then make sure that it is pushed to the APs by making the required configuration changes in the Flex profiles.
Flex Profile >> Policy ACL
Also make sure that you are running Cisco-recommended IOS-XE code, as some older and short-lived releases have limitations with regard to the RADIUS implementation.
Refer to the post below, which is very helpful as well.
Solved: WLC C9800 AirSpace ACL does not get applied - Cisco Community
09-26-2022 01:46 AM
Yes, now the issue is how I can call the ACL which was created on the WLC by ISE.
Also, the ACL is to deny some applications, not for redirect "I have to do a check mark for central web".
09-26-2022 02:56 AM
Hi Kamal,
Below are the RADIUS attributes supported by 9800s. Configure them in your Cisco ISE Authorization profile.
Highlighted is the one you should be focusing on. As mentioned before, please make sure that you push the ACL to the AP by configuring the Flex profile.
09-26-2022 03:25 AM
09-26-2022 03:33 AM
Appreciate your support. The WLC ACL is in place and ISE uses the same ACL "Airespace ACL name".
09-26-2022 06:21 AM
Any idea?
09-26-2022 06:30 AM - edited 09-26-2022 06:41 AM
Hi Islam,
Yes, the ACL name and the Airespace ACL name must be the same. You can do a radioactive trace from the 9800 WLC to see what parameters ISE is sending and how the client is reacting to it. Alternatively, you can also do a PCAP to confirm that the RADIUS messages are sent with the required parameters.
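
Added example (not part of any post in this thread): one way to do the PCAP check suggested above is to take the RADIUS payload of the Access-Accept from the capture, pull out the Airespace-ACL-Name vendor-specific attribute (vendor ID 14179, vendor type 6) and compare it with the ACL names configured on the WLC. The ACL name `BLOCK_APPS`, the helper names and the sample packet are constructed for illustration, and the exact, case-sensitive comparison is an assumption of this sketch.

```python
import struct

AIRESPACE_VENDOR_ID = 14179  # Airespace enterprise number
AIRESPACE_ACL_NAME = 6       # vendor type of Airespace-ACL-Name
VENDOR_SPECIFIC = 26         # RADIUS Vendor-Specific attribute (RFC 2865)
ACCESS_ACCEPT = 2            # RADIUS code for Access-Accept


def airespace_acl_names(packet: bytes) -> list:
    """Return every Airespace-ACL-Name value in a RADIUS Access-Accept payload."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    names, pos = [], 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
            if (vendor == AIRESPACE_VENDOR_ID and v_type == AIRESPACE_ACL_NAME
                    and 2 <= v_len <= len(value) - 4):
                names.append(value[6:4 + v_len].decode("utf-8", "replace"))
        pos += a_len
    return names


def check_acl(packet: bytes, wlc_acls: set) -> dict:
    """Map each pushed ACL name to True if an ACL of that exact name is on the WLC."""
    return {name: name in wlc_acls for name in airespace_acl_names(packet)}


def build_accept(acl_name: str) -> bytes:
    """Constructed sample: minimal Access-Accept with one Airespace-ACL-Name VSA."""
    name = acl_name.encode()
    vsa = struct.pack("!IBB", AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME, len(name) + 2) + name
    attr = bytes([VENDOR_SPECIFIC, len(vsa) + 2]) + vsa
    # The 16-byte authenticator is zeroed; this sketch does not verify it.
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attr)) + bytes(16) + attr


if __name__ == "__main__":
    wlc_acls = {"BLOCK_APPS"}  # constructed: ACL names defined on the WLC
    print(check_acl(build_accept("BLOCK_APPS"), wlc_acls))  # name matches
    print(check_acl(build_accept("block_apps"), wlc_acls))  # name mismatch
```

An empty result means the Access-Accept carried no Airespace-ACL-Name at all, which points at the ISE authorization profile rather than at the WLC or Flex profile configuration.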