Re: WLC and ACL

craiglebutt · ‎10-08-2021

I've been tasked to allow a certain AD account to logon and enable a automated ipad enrolment proof of concept.

ISE will force the user on to a certain vlan that will have restricted access to the internet, but I also wanted it to stop that vlan being able to connect to any thing else on the network.

The reason I want to block it, is if the account gets out, don't want them to have access to the internal network

So was looking at ACL (don't use often)

Allow UDP DNS ANY ANY ANY

Allow UDP ANY DNS ANY ANY

Allow TCP HTTP ANY ANY ANY

Allow TCP ANY HTTP ANY ANY

Allow TCP HTTPs ANY ANY ANY

Allow TCP ANY HTTPs ANY ANY so this should allow to use internal DNS I'm

guessing should be able to go to the internet.

Allow IP Subnet 0.0.0.0 ANY ANY ANY

Allow 0.0.0.0 IP Subnet ANY ANY ANY

Deny 0.0.0.0 0.0.0.0 any any any any any

Arshad Safrulla · ‎10-11-2021

ACL is wrong, it is allowing any HTTP, HTTPS, DNS to any IP.

Example can be found here

https://community.cisco.com/t5/security-documents/configuring-posture-services-with-the-cisco-identity-services/ta-p/3154278#:~:text=Name%20%3A%20ACL-POSTURE-REDIRECT

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla