04-13-2012 12:25 PM - edited 07-03-2021 09:59 PM
Does anyone know if dACLs on a WLC controller using the latest code require pre-configuration of the ACLs on the controller? All documentation seems to indicate the ACLs must be created first on the controller and the policy engine (ISE or ACS) pushes down the name of the ACL to be used.
04-13-2012 12:28 PM
The WLC doesn't support dACLs, but you would use the WLC ACLs.
Thanks,
Scott Fella
Sent from my iPhone
04-13-2012 12:28 PM
Hey Jim, long time no see!
For the WLC, this is correct. You have to preconfigure the ACL on the WLC, and ISE will send the name.
Steve
04-13-2012 01:57 PM
To piggy back in ...
ISE supports 2 ACL types (downloadable or named). The WLC supports named ACLs. The name should be identical in the ISE policy manager and on the WLC.
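As an added example (not from the original thread), the following Python script shows the mismatch the post above warns about: it builds a constructed RADIUS Access-Accept carrying the Airespace-ACL-Name vendor attribute, parses the vendor-specific attributes, and checks the referenced name against a constructed list of ACLs already created on the controller. It also flags a profile that references a dACL via Cisco-AVPair, which a WLC will not download. The vendor IDs, attribute numbers and the `ACS:CiscoSecure-Defined-ACL=` prefix are taken from the public Airespace/Cisco RADIUS dictionaries as this example's author recalls them and are assumptions, not something the thread states; the packets and ACL names are constructed.

```python
"""Check a RADIUS Access-Accept destined for a WLC: does it reference a named
ACL the controller already has, with an identical name?

Added example with constructed data; vendor IDs and attribute numbers are
assumed from the public Airespace/Cisco RADIUS dictionaries.
"""
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute
AIRESPACE_VENDOR_ID = 14179        # assumed: Airespace (WLC) vendor ID
AIRESPACE_ACL_NAME = 6             # assumed: Airespace-ACL-Name sub-type
CISCO_VENDOR_ID = 9                # assumed: Cisco vendor ID
CISCO_AVPAIR = 1                   # assumed: Cisco-AVPair sub-type
DACL_PREFIX = b"ACS:CiscoSecure-Defined-ACL="  # assumed: how ISE/ACS references a dACL


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute: outer TLV wrapping a vendor TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def build_access_accept(identifier: int, attributes: bytes) -> bytes:
    """Build a minimal Access-Accept. The authenticator is zeroed because this
    constructed packet is only parsed locally and never sent."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    return header + bytes(16) + attributes


def parse_vsas(packet: bytes):
    """Yield (vendor_id, vendor_type, value) for every VSA in the packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        return
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        data = packet[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != ATTR_VENDOR_SPECIFIC or len(data) < 6:
            continue
        vendor_id = struct.unpack("!I", data[:4])[0]
        sub = data[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed vendor attribute length")
            yield vendor_id, vtype, sub[2:vlen]
            sub = sub[vlen:]


def check_wlc_authorization(packet: bytes, wlc_acls):
    """Compare the ACL references in an Access-Accept with the ACL names
    preconfigured on the WLC. Returns (ok, findings)."""
    findings = []
    for vendor, vtype, value in parse_vsas(packet):
        if vendor == AIRESPACE_VENDOR_ID and vtype == AIRESPACE_ACL_NAME:
            name = value.decode("ascii", "replace")
            if name in wlc_acls:
                continue
            same_case = [a for a in wlc_acls if a.lower() == name.lower()]
            if same_case:
                findings.append(f"ACL name {name!r} differs only in case from WLC ACL "
                                f"{same_case[0]!r}; names must be identical")
            else:
                findings.append(f"ACL {name!r} is not configured on the WLC; create it first")
        elif vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and value.startswith(DACL_PREFIX):
            dacl = value[len(DACL_PREFIX):].decode("ascii", "replace")
            findings.append(f"profile pushes a dACL ({dacl}); a WLC will not download it, use a named ACL")
    return (not findings, findings)


# Constructed data: ACLs we pretend were created on the controller.
WLC_ACLS = {"EMPLOYEE-ACL", "GUEST-ACL"}

GOOD = build_access_accept(1, build_vsa(AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME, b"EMPLOYEE-ACL"))
CASE = build_access_accept(2, build_vsa(AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME, b"employee-acl"))
MISSING = build_access_accept(3, build_vsa(AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME, b"CONTRACTOR-ACL"))
DACL = build_access_accept(4, build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, DACL_PREFIX + b"#ACSACL#-IP-EMPLOYEE-0000"))

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("case", CASE), ("missing", MISSING), ("dacl", DACL)):
        ok, findings = check_wlc_authorization(pkt, WLC_ACLS)
        print(label, "OK" if ok else "; ".join(findings))
```

Run it as-is to see the four cases: an exact match passes, a name that differs only in case is flagged, a name the controller does not have is flagged, and a dACL reference is flagged. In a real deployment the same check can be run over a packet capture of Access-Accepts between ISE and the WLC, with `WLC_ACLS` populated from the controller's ACL list.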
04-13-2012 01:58 PM
Thanks guys, Stephen, that helps out; just needed the confirmation since I'm light on the wireless side.
04-13-2012 02:02 PM
ISE ACLs are the better way to go versus VLAN change. Most clients will not support CoA and will sit and spin.
04-13-2012 02:41 PM
VLAN changes on the wireless side have not caused me any issues. I have used them on ACS and now on ISE. On the wired side it can be an issue, as you know.
Thanks,
Scott Fella
Sent from my iPhone
04-13-2012 03:05 PM
If the device is not 100% profiled and later becomes profiled as other probes determine what the device is, and the device needs to move to another VLAN, a CoA happens. It's then that the supplicant will sit and spin. The AnyConnect client, for example, will recognize that no traffic is passing after a certain period of time and will re-IP. Other supplicants, for example Windows Zero Config, don't do that.
04-13-2012 03:10 PM
That's how I have mine set up, though it's my lab that I do the testing in. I have one SSID and then multiple profiles with VLAN, session timer and QoS attributes depending on what AD group the user matches. I haven't tested other supplicants besides Windows 7 and XP clients.
Thanks,
Scott Fella
Sent from my iPhone
04-13-2012 03:16 PM
George,
I still prefer to match an SSID to an OU and either accept or deny. The named ACL and dACL I think are a nice idea, but you have to account for all the users on that given subnet. I think playing around with ISE and seeing what really works in real life and what is painful will help determine the best way to deploy in certain situations.
Thanks,
Scott Fella
Sent from my iPhone
08-24-2012 09:04 AM
Hey Scott, did this ever happen to you or anyone?
04-13-2012 03:31 PM
I'm curious, can you be more specific when you say you match an SSID to an OU?
I agree each deployment will have unique deployment requirements.
Sent from Cisco Technical Support iPhone App
04-13-2012 03:46 PM
I create a policy that says: is the user using the "employee" SSID and part of the "wireless employee" OU... and some others (device group, device location, EAP type, etc.). So if a domain user tries to access the "employee" SSID using his or her domain credentials and is not part of the "wireless employee" OU, ACS or ISE will send a reject to the WLC. That username is also accounted for in the failed attempts.
Thanks,
Scott Fella
Sent from my iPhone
05-30-2012 03:57 AM
Maybe not a totally relevant question for this post, but does an autonomous AP (AP-1142N) support dACLs from ACS? I'm not using any WLC.
/Putte