Solved: Wireless Authentication and dACLs

Rendraska · ‎05-06-2019

Hello.

I need help. Right now I have a cisco WLC working with ISE. Right now users using mobile/laptop when they want to authenticate, they just need to input their username and password after clicking the SSID (using 802.1x authentication).

Now, my client ask me to make changes.

1. Authentication will be going through a web/captive portal. Sounds simple enough.

2. Each user will be limited on what they can access. This is the problem.

What I'm thinking is, I make a dACL on ISE and attach it to the user as a custom parameters. Is that possible without the client having to install any programs? From my experience, I've made this one but for VPN and the client has to use a client program in their laptop to login. My question is, can I implement this in standard wireless setup as well, but without a client program for the mobile phone/laptop/tablet?

Aside from that, is there any other solution? I've read I can also create ACLs in WLC but I never done that before.

Thank you in advance.

Sathiyanarayanan Ravindran · ‎05-07-2019

Yes, But the ACL has to be created in the WLC and the ACL name has to be configure on the Authorization policy results.

On the Local Mode APs:

You have to create ACL on the WLC by going to the Security --> Access Control List. For an example if you are configuring ACL name called ProjectUserAccess.

WLC Configuration if Local Mode APs:

On the WLAN go to advanced and check the AAA override option to accept the Dynamic authorization passed by ISE.
On the radius server settings you have to enable Support of CoA.

On the Flexconnect APs:

You have to create ACL on the WLC by going to Security --> Flexconnect ACLs

WLC Configuration if Flexconnect APs:

On the WLAN go to advanced and check the AAA override option to accept the Dynamic authorization passed by ISE.
On the radius server settings you have to enable Support of CoA.
In the AP you have to go to Flexconnect --> External WebAuth ACL --> Policies and select the policy ACL which you want to apply and add it.

WLC Configuration if you have Flexconnect AP group:

You have to create ACL on the WLC by going to Security --> Flexconnect ACLs
On the WLAN go to advanced and check the AAA override option to accept the Dynamic authorization passed by ISE.
On the radius server settings you have to enable Support of CoA.
Wireless --> FlexConnect Groups --> Open the Group where the APs are there, then go to ACL Mapping --> Policies and the ACLs.

ISE Configuration:

On the Authorization result profile you have to call the ACL name ProjectUserAccess on Airespace ACL Name.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

View solution in original post

Sathiyanarayanan Ravindran · ‎05-07-2019

Yes, But the ACL has to be created in the WLC and the ACL name has to be configure on the Authorization policy results.

On the Local Mode APs:

You have to create ACL on the WLC by going to the Security --> Access Control List. For an example if you are configuring ACL name called ProjectUserAccess.

WLC Configuration if Local Mode APs:

On the WLAN go to advanced and check the AAA override option to accept the Dynamic authorization passed by ISE.
On the radius server settings you have to enable Support of CoA.

On the Flexconnect APs:

You have to create ACL on the WLC by going to Security --> Flexconnect ACLs

WLC Configuration if Flexconnect APs:

On the WLAN go to advanced and check the AAA override option to accept the Dynamic authorization passed by ISE.
On the radius server settings you have to enable Support of CoA.
In the AP you have to go to Flexconnect --> External WebAuth ACL --> Policies and select the policy ACL which you want to apply and add it.

WLC Configuration if you have Flexconnect AP group:

You have to create ACL on the WLC by going to Security --> Flexconnect ACLs
On the WLAN go to advanced and check the AAA override option to accept the Dynamic authorization passed by ISE.
On the radius server settings you have to enable Support of CoA.
Wireless --> FlexConnect Groups --> Open the Group where the APs are there, then go to ACL Mapping --> Policies and the ACLs.

ISE Configuration:

On the Authorization result profile you have to call the ACL name ProjectUserAccess on Airespace ACL Name.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

Rendraska · ‎05-07-2019

Nice. Thank you for the solution. I'll try it out later.

Haydn Andrews · ‎05-07-2019

The WLC wont support a dACL.

You have to preconfigure the named ACL on the WLC, and ISE will send the name. The name should be identical in the ISE policy manger and the WLC.

you can do named ACLs without client applications

the other option would be to change the client to different interfaces/ vlans where they have the restrictions on them.

The WLAN will need AAA override enabled for both options

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Rendraska · ‎05-07-2019

OK, thank you for the reply. I'll try the other option too.