"Override Interface ACL" or "Per-User ACL" on HREAP

kevin_miller (Level 1)

Hello all.

   I'm trying to find the best way to limit a specific "generic" account's wireless access throughout an enterprise (both local and HREAP sites).  Let's say I want this user account to be able to access only two IPs.  I can do it locally with no problems.  My issue is HREAP.  Is it possible to use either the "override interface acl" feature of the WLC or "per user ACL" feature of the WLC/ACS to accomplish this?  I've tried the Override ACL feature and it doesn't seem to function on HREAP.  Or, is there a better way?

PS - I know I can create a new local VLAN, map a new SSID to it, and apply an ACL on the router.  But if you're talking hundreds of remote sites, that's not what I want.

Thanks!

5 Replies

Stephen Rodriguez (Cisco Employee)

Pretty sure neither of those will work, as the traffic is dropped directly to the wire and not back hauled to the WLC.

Sent from Cisco Technical Support iPad App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

I was afraid of that.  Any other idea of how I may be able to accomplish what I'm looking to do?

Thanks Stephen!

I can only think of two ways to do this.

1.) Configure a 'special' WLAN for the generic user, and use the WLC ACL to block them.

2.) 'Special' VLAN at the remote site, and put the user there.  (Which I can understand not wanting to do as it doesn't scale very well.)

HTH,
Steve

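To make the two options concrete, here is an added illustration of what each would look like in configuration. It is not configuration from this thread, from Steve, or from Cisco documentation; the WLAN ID (5), ACL name (GENERIC-ONLY), client subnet (192.168.50.0/24) and the two permitted hosts (10.1.1.10 and 10.1.1.11) are all placeholders. As the thread notes, the WLC ACL in option 1 only sees traffic that is tunnelled back to the controller, so it applies to a centrally switched WLAN and not to locally switched HREAP clients; option 2 is the per-site ACL that HREAP's local switching actually honours.

```cisco
! ===== Option 1: WLC (AireOS CLI) ACL on a dedicated, centrally switched WLAN =====
! Placeholder values throughout. AireOS ACLs end with an implicit deny.
config acl create GENERIC-ONLY
! Client -> permitted host A
config acl rule add GENERIC-ONLY 1
config acl rule direction GENERIC-ONLY 1 any
config acl rule destination address GENERIC-ONLY 1 10.1.1.10 255.255.255.255
config acl rule action GENERIC-ONLY 1 permit
! Client -> permitted host B
config acl rule add GENERIC-ONLY 2
config acl rule direction GENERIC-ONLY 2 any
config acl rule destination address GENERIC-ONLY 2 10.1.1.11 255.255.255.255
config acl rule action GENERIC-ONLY 2 permit
! Return traffic from the two hosts back to the client
config acl rule add GENERIC-ONLY 3
config acl rule direction GENERIC-ONLY 3 any
config acl rule source address GENERIC-ONLY 3 10.1.1.10 255.255.255.255
config acl rule action GENERIC-ONLY 3 permit
config acl rule add GENERIC-ONLY 4
config acl rule direction GENERIC-ONLY 4 any
config acl rule source address GENERIC-ONLY 4 10.1.1.11 255.255.255.255
config acl rule action GENERIC-ONLY 4 permit
config acl apply GENERIC-ONLY
! Bind the ACL to the generic-user WLAN (WLAN must be disabled to change it)
config wlan disable 5
config wlan acl 5 GENERIC-ONLY
config wlan enable 5

! ===== Option 2: IOS ACL at the remote site, on the SVI of the dedicated VLAN =====
! Placeholder values throughout. Assumes clients get addresses by DHCP from this
! router, so DHCP is permitted explicitly; everything else is denied and logged.
ip access-list extended GENERIC-ONLY
 remark allow DHCP so the generic client can obtain an address (assumption)
 permit udp any eq bootpc any eq bootps
 remark only the two permitted destinations
 permit ip 192.168.50.0 0.0.0.255 host 10.1.1.10
 permit ip 192.168.50.0 0.0.0.255 host 10.1.1.11
 deny   ip any any log
!
interface Vlan50
 description Generic-user wireless VLAN (placeholder)
 ip address 192.168.50.1 255.255.255.0
 ip access-group GENERIC-ONLY in
```

In option 1 the restriction lives in one place, but every packet from the generic account crosses the WAN to the WLC, which is the backhaul cost the thread discusses. In option 2 the `deny ... log` line gives the site router a record of anything the generic account tries beyond the two hosts, which is useful for spotting misuse of a shared credential, but the ACL has to be maintained on every remote router.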

With your option 1, I'm still forced to send all traffic back to the WLC (no ACL with HREAP support at all)?

Thanks again Steve!

BTW - This seems to be a feature that customers would want. . .  I can't justify a controller (no matter how small) at each of my tiny remote sites (1-2 APs per location).

correct, you'd have to backhaul to the WLC.

For HREAP, it's designed to follow the local routing rules of the site/subnet.  So an ACL at the local site would work, but doesn't help when it's used with a generic login, unless you were to block the entire subnet.

HTH,
Steve
