06-07-2021 01:37 PM - edited 07-05-2021 01:25 PM
I am trying to get dACLs to work in a new WLC 9800 deployment. I have found the following statement but I am not sure what it actually means.
Downloadable Access Control List (DACL) will fail if you use a named authorization network method list that is not sent from AAA server, as part of Access-Accept.
Examples of named and default authorization network are given below:
Default:
aaa authorization network default AAA_EXT
Named:
aaa authorization network XYZ AAA_EXT
Also, are dACLs supported in a locally switched/FlexConnect deployment?
Thanks,
Joe
06-22-2021 09:48 AM
dACL is not supported on the 9800 "as of now"; check this enhancement bug CSCvv16183 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv16183
The engineering team will add that to future releases. In the current state, if dACL is used, it may cause memory corruption which can result in crashes in different 9800 processes, so avoid any dACL config even if it works partially.
09-25-2021 06:10 AM
Quick follow up - we have been waiting patiently for this feature but have not yet seen its availability in any current IOS-XE release for the C9800. Which version can we expect to see it?
Our organization also submitted a feature request. There is a strong business case to leverage dACLs.
12-23-2021 07:53 AM
Hello @Grendizer ,
Do you know if the reported memory corruption issue is still present in 17.3.3? I really need to get DACLs working for a customer.
Thank you!
12-23-2021 10:54 AM
It is fixed in 17.6 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx59515
DACL is still not officially supported on the 9800, even if it is partially working for you.
12-23-2021 10:26 PM
Thank you.
08-12-2021 02:58 PM - edited 08-12-2021 03:03 PM
I did some testing with dACLs and got it to work; I haven't tested exhaustively other than verifying that it functions. To answer your question, it means that the method list needs to actually be named "default" for dACLs to function correctly without anything special from the RADIUS server. If you want to use a different method list name (for example "RADIUS-Author-mList"), then the RADIUS server needs to tell the WLC to use that method list. The method list needs to exist in the WLC, but the WLC can't use it unless the RADIUS server says so. If you use a method list with a name other than "default" and the RADIUS server doesn't specify that method list, you'll get an error from the WLC. The error changes with software versions. In one version I saw something to the effect of "ACL Error"; in another I saw a message that said the WLC wasn't able to communicate with ISE. But the actual problem was that the WLC didn't know which method list to use.
Your ISE Access-Accept authorization profile would look something like this one that I used for a CWA portal.
I wasn't aware of the memory corruption issue. Since it isn't officially supported I chose not to use dACLs anyway.
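To make the "default" versus named method-list distinction from the reply above concrete, here is an added IOS-XE AAA configuration example (not from the thread or from Cisco documentation). The server group name AAA_EXT and the method-list name RADIUS-Author-mList are taken from this thread; the RADIUS server name, address and key are constructed placeholders, and the AV-pair spelling is the one reported later in this thread, so check it against the release notes for your controller version.

```cisco
! Added example, not from the original post: IOS-XE AAA fragments for the two cases described above.
! AAA_EXT and RADIUS-Author-mList come from this thread; the server name, IP and key are placeholders.

radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key CHANGE-ME

aaa group server radius AAA_EXT
 server name ISE-PSN-1

! Case 1: the network authorization method list is literally named "default".
! The WLC applies it to every RADIUS authorization without any hint from the server,
! so the dACL referenced in the Access-Accept is downloaded and applied as-is.
aaa authorization network default group AAA_EXT

! Case 2 (failing on its own): a named method list.
! The list exists on the WLC, but nothing tells the WLC to use it for this client,
! so the dACL is not applied and the controller logs an error whose text varies by release.
aaa authorization network RADIUS-Author-mList group AAA_EXT

! Case 2 fixed: the AAA server names the list in the same Access-Accept that carries the dACL.
! In an ISE authorization profile this is an extra Cisco AV-pair alongside the DACL Name selection
! (attribute spelling as reported in this thread; verify against your release):
!   cisco-av-pair = Method-List=RADIUS-Author-mList
!
! Verification on the controller (real show commands; substitute the client MAC):
!   show wireless client mac-address <client-mac> detail   ! look for the ACL applied to the client
!   show access-lists                                       ! downloaded ACLs appear with the xACSACLx-IP- prefix
```

Case 1 is the simplest way to satisfy the quoted note: keep the authorization list named "default" and no extra RADIUS attribute is needed. Case 2 only works when the server returns the method-list AV-pair, which is the behaviour the reply above observed, and the official support statement for dACL on the 9800 still applies regardless of which form you use.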
09-25-2024 07:05 AM
This is SPOT on. Did the same thing for Clearpass as well. AV-Pair - Method-List="<name>"
Appreciate your help on this Ethan.
12-28-2022 09:25 PM
UPDATE:
DACL is officially supported from the 17.10 release onward.
04-04-2024 09:29 AM