WLC and dACLs

Jim Thomas
Level 4

Does anyone know if dACLs on a WLC controller using the latest code require a pre-configuration of the ACLs on the controller? All documentation seems to indicate the ACLs must be created first on the controller and the policy engine (ISE or ACS) push down the name of the ACL to be used.

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674
13 Replies

Scott Fella
Hall of Fame

The WLC doesn't support dACLs, but you would use the WLC ACLs.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Stephen Rodriguez
Cisco Employee

Hey Jim, long time no see!

For the WLC, this is correct.  You have to preconfigure the ACL on the WLC, and ISE will send the name.

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

To piggy back in ...

ISE supports 2 ACL types (downloadable or named). The WLC supports NAMED ACLs. The name should be identical in the ISE policy manager and the WLC.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
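A small consistency check for the point made above (the WLC only has named ACLs, and the name ISE returns must match one that already exists on the WLC). This is added example code, not from the thread; the `show acl summary`-style listing and the per-profile Airespace-ACL-Name values are constructed samples, and how you export them from ISE is assumed, not shown.

```python
import re

# Constructed sample: an AireOS "show acl summary"-style listing (layout
# assumed; only the ACL name column is used).
WLC_ACL_SUMMARY = """\
ACL Counter Status                  Enable
----------------------------------------
ACL Name                     Applied
-------------------------- -------------
GUEST_ACL                        Yes
EMPLOYEE_RESTRICTED              Yes
CONTRACTOR-ACL                   No
"""

# Constructed sample: ISE authorization profile -> the Airespace-ACL-Name
# value it returns to the WLC (exporting this from ISE is assumed).
ISE_PROFILES = {
    "Guest_Profile": "GUEST_ACL",
    "Employee_Profile": "employee_restricted",
    "Contractor_Profile": "CONTRACTOR-ACL ",
    "Vendor_Profile": "VENDOR_ACL",
}

def parse_wlc_acls(text):
    """Return the set of ACL names from the constructed summary format."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(Yes|No)$", line.rstrip())
        if m:
            names.add(m.group(1))
    return names

def check_profiles(profiles, wlc_acls):
    """Return {profile: problem} for every profile whose ACL name has no
    exact match on the WLC. The case and whitespace hints only point at the
    likely typo; the comparison that matters is the exact one."""
    by_lower = {n.lower(): n for n in wlc_acls}
    problems = {}
    for profile, acl in profiles.items():
        if acl in wlc_acls:
            continue
        if acl != acl.strip() and acl.strip() in wlc_acls:
            problems[profile] = f"{acl!r} has stray whitespace; WLC has {acl.strip()!r}"
        elif acl.lower() in by_lower:
            problems[profile] = f"{acl!r} differs in case from WLC ACL {by_lower[acl.lower()]!r}"
        else:
            problems[profile] = f"{acl!r} is not configured on the WLC"
    return problems

if __name__ == "__main__":
    for profile, problem in check_profiles(ISE_PROFILES, parse_wlc_acls(WLC_ACL_SUMMARY)).items():
        print(f"{profile}: {problem}")
```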

Thanks guys, Stephen, that helps out; I just needed the confirmation since I'm light on the wireless side.

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674

ISE ACLs are the better way to go versus VLAN change. Most clients will not support CoA and will sit and spin.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

VLAN changes on the wireless side have not caused me any issues. I have used it on ACS and now on ISE. On the wired side it can be an issue, as you know.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

If the device is not 100% profiled and later becomes profiled as other probes determine what the device is, and the device needs to move to another VLAN, a CoA happens. It's then that the supplicant will sit and spin. The AnyConnect client, for example, will recognize that no traffic is passing after a certain period of time and will re-IP. Other supplicants, for example Windows Zero Config, don't do that.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

That's how I have mine set up though, but it's my lab where I do the testing. I have one SSID and then multiple profiles with VLAN, session timer and QoS attributes depending on what AD group the user matches. I haven't tested other supplicants besides Windows 7 and XP clients.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

George,

I still prefer to match an SSID to an OU and either accept or deny. The named ACL and dACL I think is a nice idea, but you have to account for all the users on that given subnet. I think after playing around with ISE and seeing what really works in real life and what is painful will help determine what is the best way I deploy in certain situations.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Hey Scott, did this ever happen to you or anyone?

https://supportforums.cisco.com/message/3716531#3716531

George Stefanick
VIP Alumni

I'm curious, can you be more specific when you say you match an SSID to an OU?

I agree each deployment will have unique deployment requirements.

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

I create a policy that says: is the user using the "employee" SSID and is part of the "wireless employee" OU... And some others (device group, device location, EAP type, etc.). So if a domain user tries to access the "employee" SSID using his or her domain credentials and is not part of the "wireless employee" OU, ACS or ISE will send a reject to the WLC. That username is also accounted for in the failed attempts.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

snyggsomfan
Level 1

Maybe not a totally relevant question for this post, but does an autonomous AP (AP-1142N) support dACLs from ACS? I'm not using any WLC.

/Putte
