dACL / ACL enforcement from ISE to wireless devices

jeaju99, Level 1

I am trying to create an ACL to deny access for wired and wireless clients. I am using ISE 3.1 and have a 3504 WLC on version 8.10.151.0. I created a dACL in ISE and applied it to an authorization profile, and it is working as intended, but after doing some research it sounds like a dACL only works for wired clients, and to enforce it on wireless clients I would need to create an ACL on the WLC. I could not find any good documentation on how to integrate the two. Do I create the ACL on the WLC under Security->ACL and then use the same ACL name in the "Airespace ACL Name" field in ISE under the authorization policy? If not, how do I go about doing this? Is it possible to push the dACL to the WLC? Or is it possible to push a general ACL out to every WLC with a name ISE recognizes? When I created this student_test_acl on my WLC and then added it to the policy in ISE, it seems like it was applying deny ip any any to my device, I'm assuming because it didn't recognize the ACL in ISE? Can anyone point me in the right direction or give me some type of way to leverage ISE's profiling to force an ACL down to wireless clients to prevent IP connectivity to certain addresses? SGTs/RBACLs in DNA just seem to apply to ports/protocols and not IPs.

3 Replies

For the brave ones, it is already supported on 9800 WLCs version 17.9 for centralised WLANs. But for the OP, AireOS will never get this feature.

Wes Schochet, Level 3

Yes - you have the right idea. Create the ACL on the controller and specify it in the authorization result on ISE:

Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = Allow_only_good_ACL
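The failure mode the OP ran into (ISE returns an ACL name the WLC does not have, and the client ends up with no usable policy) is easy to catch before it hits a user. The script below is an added example, not code from the thread or from Cisco: it parses a constructed, approximate rendering of the AireOS `show acl summary` output and cross-checks every `Airespace-ACL-Name` value configured in ISE authorization profiles against it, flagging names that are missing or that differ only in case. The profile names, ACL names and the summary text are all constructed sample data; the only prerequisite it assumes beyond the thread is the usual one, that the WLAN has "Allow AAA Override" enabled so the per-client ACL from RADIUS is honoured.

```python
"""Cross-check ISE Airespace-ACL-Name values against ACLs defined on a WLC.

Added example, not part of the original thread. The WLC only enforces a
per-client ACL whose name it already knows, so an ISE authorization profile
pointing at an unknown name is a misconfiguration worth catching early.
"""

# Constructed sample that approximates the layout of AireOS
# 'show acl summary'; the real output may have additional sections.
WLC_ACL_SUMMARY = """\
ACL Counter Status       Enabled
----------------------------------------
IPv4 ACL Name                     Applied
-------------------------------- -------
Allow_only_good_ACL                Yes
student_test_ACL                   No
"""

# Constructed sample: ISE authorization profile name -> Airespace-ACL-Name
# value, as you would read them from ISE > Policy > Results.
ISE_PROFILES = {
    "Staff_Wireless": "Allow_only_good_ACL",  # exact match on the WLC
    "Student_Wireless": "student_test_acl",   # differs from the WLC in case
    "Guest_Wireless": "guest_acl",            # not defined on the WLC at all
}


def parse_wlc_acls(summary_text):
    """Return the ACL names listed under the 'IPv4 ACL Name' header."""
    names = []
    in_table = False
    for line in summary_text.splitlines():
        if line.startswith("IPv4 ACL Name"):
            in_table = True
            continue
        if not in_table:
            continue
        stripped = line.strip()
        # Skip blank lines and the dashed separator row under the header.
        if not stripped or set(stripped) <= set("- "):
            continue
        names.append(stripped.split()[0])
    return names


def check_profiles(ise_profiles, wlc_acls):
    """Map each ISE profile to 'ok', 'missing', or a case-mismatch note.

    The RADIUS attribute is matched as a string, so a name that differs only
    in case is reported separately: it is almost always a typo on one side.
    """
    exact = set(wlc_acls)
    by_lower = {name.lower(): name for name in wlc_acls}
    results = {}
    for profile, acl_name in ise_profiles.items():
        if acl_name in exact:
            results[profile] = "ok"
        elif acl_name.lower() in by_lower:
            results[profile] = "case-mismatch (WLC has '%s')" % by_lower[acl_name.lower()]
        else:
            results[profile] = "missing"
    return results


if __name__ == "__main__":
    wlc_acls = parse_wlc_acls(WLC_ACL_SUMMARY)
    for profile, status in check_profiles(ISE_PROFILES, wlc_acls).items():
        print(f"{profile:20} {status}")
```

Run it against a pasted `show acl summary` from each controller; any profile reported as `missing` or `case-mismatch` is one that will not deliver the intended restriction to wireless clients on that WLC, which is exactly the symptom described in the question.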
