02-09-2023 12:36 AM
I am trying to create an ACL to deny access for wired and wireless clients. I am using ISE 3.1 and have a 3504 WLC on version 8.10.151.0. I created a DACL in ISE and applied it to an authorization profile, and it is working as intended, but after doing some research it sounds like a DACL only works for wired clients, and to enforce it on wireless clients I would need to create an ACL on the WLC. I could not find any good documentation on how to integrate the two.

Do I create the ACL on the WLC under Security->ACL and then use the same ACL name in the "Airespace ACL Name" field in ISE under the authorization policy? If not, how do I go about doing this? Is it possible to push the DACL to the WLC? Or is it possible to push a general ACL out to every WLC with a name ISE recognizes? When I created this student_test_acl on my WLC and then added it to the policy in ISE, it seems like it applied "deny ip any any" to my device, I'm assuming because it didn't recognize the ACL in ISE?

Can anyone point me in the right direction or give me some type of way to leverage ISE's profiling to force an ACL down to wireless clients to prevent IP connectivity to certain addresses? SGTs/RBACLs in DNA just seem to apply to ports/protocols and not IPs.
02-09-2023 01:03 AM
DACL is not supported by any WLC as of today.
You can refer to the link below for how ACLs work - https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81733-contr-acls-rle.html
Regarding ISE and WLC integration with ACL enforcements;
02-09-2023 01:14 AM
For the brave ones, it is already supported on 9800 WLCs version 17.9 for centralised WLANs. But for the OP, AireOS will never get this feature.
02-09-2023 01:38 PM
Yes - you have the right idea. Create the ACL on the controller and specify it in the authorization result on ISE:
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = Allow_only_good_ACL
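To make the mechanism in this answer concrete, here is an added example (not code from the thread, ISE, or the WLC) of what ISE actually hands the controller: the Airespace-ACL-Name value travels inside a RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26) in the Access-Accept, and the controller looks the string up in its own ACL table, so the name has to exist on the WLC and match exactly. The block builds that attribute, decodes it back out of an attribute list, and checks the pushed name against a constructed set of ACL names standing in for what is configured on the controller. The vendor ID 14179 and sub-attribute type 6 are taken from the FreeRADIUS dictionary.airespace and the 32-byte name limit is an AireOS assumption; verify both against your own deployment.

```python
import struct

# Assumptions (not from the thread): Airespace vendor ID 14179 and sub-attribute
# type 6 = Airespace-ACL-Name, per FreeRADIUS dictionary.airespace; 32-byte ACL
# name limit as on AireOS. Verify against your ISE/WLC before relying on them.
AIRESPACE_VENDOR_ID = 14179
AIRESPACE_ACL_NAME_TYPE = 6
RADIUS_VENDOR_SPECIFIC = 26
MAX_ACL_NAME_LEN = 32


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one RADIUS Vendor-Specific (type 26) attribute, RFC 2865 layout:
    Type | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def airespace_acl_name(name: str) -> bytes:
    """Build the Airespace-ACL-Name VSA that ISE places in the Access-Accept."""
    data = name.encode("ascii")
    if not 1 <= len(data) <= MAX_ACL_NAME_LEN:
        raise ValueError(f"ACL name must be 1..{MAX_ACL_NAME_LEN} bytes: {name!r}")
    return encode_vsa(AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME_TYPE, data)


def iter_vsas(attributes: bytes):
    """Walk a RADIUS attribute list and yield (vendor_id, vendor_type, value)
    for every well-formed Vendor-Specific attribute; other attributes are skipped."""
    pos = 0
    while pos + 2 <= len(attributes):
        attr_type, attr_len = attributes[pos], attributes[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attributes):
            break  # malformed length: stop rather than read past the buffer
        if attr_type == RADIUS_VENDOR_SPECIFIC and attr_len >= 8:
            vendor_id = struct.unpack("!I", attributes[pos + 2:pos + 6])[0]
            vendor_type, vendor_len = attributes[pos + 6], attributes[pos + 7]
            if 2 <= vendor_len <= attr_len - 6:
                yield vendor_id, vendor_type, attributes[pos + 8:pos + 6 + vendor_len]
        pos += attr_len


def check_acl_push(attributes: bytes, wlc_acl_names: set) -> dict:
    """Compare the ACL name(s) carried in the attribute list with the ACL names
    that exist on the controller. The comparison is exact (case included): the
    WLC cannot apply a name it does not have, which is the kind of mismatch the
    original poster suspected when student_test_acl did not behave as expected."""
    pushed = [
        value.decode("ascii", errors="replace")
        for vid, vtype, value in iter_vsas(attributes)
        if vid == AIRESPACE_VENDOR_ID and vtype == AIRESPACE_ACL_NAME_TYPE
    ]
    if not pushed:
        return {"status": "no-acl", "pushed": [], "missing": []}
    missing = [n for n in pushed if n not in wlc_acl_names]
    return {"status": "ok" if not missing else "mismatch",
            "pushed": pushed, "missing": missing}


if __name__ == "__main__":
    # Constructed stand-in for the ACL names configured under Security->ACL on the WLC.
    wlc_acls = {"Allow_only_good_ACL", "student_test_acl"}
    # Constructed attribute list: User-Name (type 1) followed by the Airespace VSA.
    accept_attrs = b"\x01\x05bob" + airespace_acl_name("Allow_only_good_ACL")
    print(check_acl_push(accept_attrs, wlc_acls))
    # Same name with different case: the controller would not find it.
    print(check_acl_push(airespace_acl_name("allow_only_good_acl"), wlc_acls))
```

The useful habit this encodes is a pre-flight check: before changing the authorization profile, confirm that the exact string in Airespace-ACL-Name appears in the controller's ACL list, and keep the list of ACL names identical across every WLC the same ISE policy can return it to, since the attribute carries only a name, never the rules.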