Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6816
Views
5
Helpful
10
Replies

ISE 1.2: Airspace ACL vs DACL

jacovr
Level 1
Level 1

‎02-17-2014 03:17 AM - edited ‎07-05-2021 12:12 AM

Can someone please shed some light here:

I have a 5508 WLC & ISE 1.2.   I configured Guest Access through the use of a Sponsor Portal, and got it working.

I now want to restrict my Guest users to access the internet only and not the rest of my network.

Do I do that using a Airspace ACL & an Access List on my WLC or a DACL on my ISE box.

I'm not sure how to block the users from accessing my internal network, since I have tried both, but neither work.

Any advice please.

Labels:
0 Helpful
10 Replies 10

Victor Vasantha Kumar
Level 1
Level 1

‎02-17-2014 03:42 AM

Hi ,

Do you want to set this up only via ISE/WLC ?

You can rather create an IP ACL on the Neighbouring L3 gear to block internal resources.

And it is always recomended this way.

Regards
Victor V

*****Help out other by using the rating system and marking answered questions as *****Answered"*****

Regards Victor V *****Help out other by using the rating system and marking answered questions as *****Answered"*****
0 Helpful

jacovr
Level 1
Level 1
In response to Victor Vasantha Kumar

‎02-17-2014 03:45 AM

Hi Victor.

I have tried that as well, but then my authentication & redirection stops working.

Any idea what the ACL on the L3 Switch should look like. 

Jaco

0 Helpful

Victor Vasantha Kumar
Level 1
Level 1
In response to jacovr

‎02-17-2014 03:55 AM

Since ISE is the only device involved for auth and redirection, at a basic level the ACLs should look like,

Source      Dest                          ACTION

ANY                          PERMIT

ANY           DENY

ANY      ANY                            PERMIT

Regards
Victor V

*****Help out other by using the rating system and marking answered questions as *****Answered"*****

Regards Victor V *****Help out other by using the rating system and marking answered questions as *****Answered"*****
0 Helpful

jacovr
Level 1
Level 1
In response to Victor Vasantha Kumar

‎02-17-2014 04:08 AM

Hi Victor.

This is my acl:  (with 172.20.30.8  = ISE, 172.20.7.245 = Firewall & 172.20.30.250 = WLC )

ip access-list extended Guest-Wifi

permit ip any host 172.20.7.245

permit ip any host 172.20.30.250

permit ip any host 172.20.30.8

deny   ip any any

The moment I apply the ACL to my VLAN int - redirection stop working and authentication is bypassed.

any Ideas why this will happen ?

0 Helpful

jacovr
Level 1
Level 1
In response to jacovr

‎02-17-2014 07:38 AM

I got it working using an Airspace ACL - Using exactly the same config as in the DACL (which was not working)

0 Helpful

Victor Vasantha Kumar
Level 1
Level 1
In response to jacovr

‎02-17-2014 09:04 AM

Excellent !!

Please paste the config that worked .. so that it will be helpfull for others ( if they run into a similar requirement).

Thanks

Regards
Victor V

*****Help out other by using the rating system and marking answered questions as *****Answered"*****

Regards Victor V *****Help out other by using the rating system and marking answered questions as *****Answered"*****
0 Helpful

Alex Pfeil
Level 7
Level 7
In response to Victor Vasantha Kumar

‎12-04-2017 05:31 AM

The Airspace ACL is configured in the authorization profile.  It is a common task in the same location as the DACL.  The ACL has to be configured on the WLAN controller.  The ISE Authorization profile has to be configured with the same name of the ACL on the WLAN controller that you are trying to assign.Identity Services Engine - Airespace ACL.png

 

Thanks,

Alex

Preview file
8 KB
0 Helpful

jj27
Spotlight
Spotlight
In response to jacovr

‎02-18-2014 08:16 PM

In ISE, dACLs are only applicable to switches.  They are ineffective with wireless connections.

An Airespace ACL is the way to go and it looks like you got it working.

The ACL should be:

permit Inbound for any to the ISE IPs and permit outbound from ISE to any.

deny any to 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 inbound (or just to your internal IP space)

permit any to any  in any direction

GuestAccess.png    

kaaftab
Level 4
Level 4
In response to jj27

‎02-19-2014 07:14 AM

For reference check cisco HowTo guide for ISE deployment they are very helpful and cover all the aspect of ISE.

0 Helpful

George Stefanick
VIP Alumni
VIP Alumni
In response to jj27

‎02-19-2014 08:59 AM

+5 JJ ..

Only "named" ACLs work with the WLC.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"Im like bacon, I make your wireless better"

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card