
WLC C9800 Airespace ACL does not get applied

Hello Community

I've an amazing misbehaviour with a scenario where I need to restrict the vast majority of clients of a locally switched SSID toward a sensitive subnet while allowing specific clients to access this subnet. For this to work I've configured an ACL denying IP to this subnet & allowing everything else on the WLC & configured 2 AuthZ policies on ISE: the 1st matches the restriction & applies a result with the ACL name; the 2nd matches specific clients' attributes & doesn't apply any restrictions. The issue I met: the ACL never gets applied to the 1st case client session...
I was trying the Filter-ID attribute, I was trying the AirespaceACL checkbox in the AuthZ profile, always with the same result - the ACL doesn't get applied.

I have the AuthZ method list name configured on the WLC, also coded as a Method-List AV pair in the AuthZ profile, & all the prerequisites met for the scenario to work but...

I've opened a TAC case running since 1w+ already w/o any progress, with all verifications from the TAC side implemented; that's why I decided to ask the community if anyone ever met such an issue.

WLC runs 17.3.3, ISE 2.7 patch 6, APs are in FlexConnect mode & the SSID is locally switched. Any idea pls?

Accepted Solution

Got resolved by switching to the Common Tasks / Airespace ACL Name check-box enablement instead of cisco-av-pair = AireSpace-ACL-Name=blah-blah.

Effectively, it gets treated on the WLC as Filter-ID & shown under Monitoring / Wireless / Clients / <client> / General / Security Information / Server Policies | Resultant Policies.

Thanks to all.


Scott Fella
Hall of Fame Guru

Have you opened the TAC case with the ISE team or the wireless team? You are better off making sure they both have a look. I haven't tried a dACL using FlexConnect, but wouldn't it be easier to have two VLANs and then use rules to place a device on one or the other VLAN? Anyway, when I do any testing, I always have to play with rules to ensure a rule catches what I need. Maybe what the controller is sending back isn't being read by ISE. That's when you might have to look for a different way to identify these devices.

*** Please rate helpful posts ***

Hi Scott

The TAC case is only with the wireless team. The same is working on AireOS w/o any problem.

We don't use dACL in this scenario & creation of a separate SSID/VLAN is not an option.

Not sure about what the WLC tells ISE during the AuthZ phase, but debug on the WLC shows ISE communicates AVs properly, & at the end the WLC just omits any references to what it was doing with the ACL & mumbles something about the AuthZ Method-List it received.

2022/01/20 09:18:31.000165 {wncd_x_R0-0}{2}: [auth-mgr-feat_wireless] [18316]: (info): [5076.af47.945b:capwap_90000027]  - authc_list: DOT1x_auth_ISE

2022/01/20 09:18:31.000167 {wncd_x_R0-0}{2}: [auth-mgr-feat_wireless] [18316]: (info): [5076.af47.945b:capwap_90000027]  - authz_list: Not present under wlan configuration


2022/01/20 09:19:12.879716 {wncd_x_R0-0}{2}: [auth-mgr] [18316]: (info): [5076.af47.945b:capwap_90000027] User profile is to be applied. Authz mlist is not present, Authc mlist DOT1x_auth_ISE ,session push flag is unset
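The three debug lines above can be read mechanically rather than by eye. The following Python script is an added example for this thread, not something the poster or Cisco provided: it parses the `[auth-mgr]` / `[auth-mgr-feat_wireless]` line layout quoted above, tracks per-client which authentication and authorization method lists the WLC reports, and flags sessions where the WLC logs "Not present" or "Authz mlist is not present", which is the condition visible for the failing client here. The sample log embeds the thread's own three lines plus two constructed lines for a second, hypothetical client (MAC `0011.2233.4455`, list name `AUTHZ_ISE`) so the healthy case shows up alongside the failing one; the exact wording the WLC uses when an authz list is present is assumed to mirror the "authz_list:" line and is not taken from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line layout modelled on the WLC debug output quoted in the thread:
# <ts> {<process>}{<n>}: [<component>] [<pid>]: (<level>): [<mac>:<session>] <msg>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"\{(?P<proc>[^}]+)\}\{\d+\}: "
    r"\[(?P<comp>[^\]]+)\] \[\d+\]: \((?P<level>\w+)\): "
    r"\[(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}):(?P<session>[^\]]+)\]"
    r"\s*-?\s*(?P<msg>.*)$"
)
AUTHC_RE = re.compile(r"authc_list:\s*(.+)$")
AUTHZ_RE = re.compile(r"authz_list:\s*(.+)$")

# Sample input: the first three lines are the thread's own debug output; the last two
# are constructed for a hypothetical second client whose WLAN does carry an authz list.
SAMPLE_LOG = [
    "2022/01/20 09:18:31.000165 {wncd_x_R0-0}{2}: [auth-mgr-feat_wireless] [18316]: (info): "
    "[5076.af47.945b:capwap_90000027]  - authc_list: DOT1x_auth_ISE",
    "2022/01/20 09:18:31.000167 {wncd_x_R0-0}{2}: [auth-mgr-feat_wireless] [18316]: (info): "
    "[5076.af47.945b:capwap_90000027]  - authz_list: Not present under wlan configuration",
    "",
    "2022/01/20 09:19:12.879716 {wncd_x_R0-0}{2}: [auth-mgr] [18316]: (info): "
    "[5076.af47.945b:capwap_90000027] User profile is to be applied. Authz mlist is not present, "
    "Authc mlist DOT1x_auth_ISE ,session push flag is unset",
    # constructed, hypothetical healthy client
    "2022/01/20 09:20:00.000001 {wncd_x_R0-0}{2}: [auth-mgr-feat_wireless] [18316]: (info): "
    "[0011.2233.4455:capwap_90000028]  - authc_list: DOT1x_auth_ISE",
    "2022/01/20 09:20:00.000003 {wncd_x_R0-0}{2}: [auth-mgr-feat_wireless] [18316]: (info): "
    "[0011.2233.4455:capwap_90000028]  - authz_list: AUTHZ_ISE",
]


@dataclass
class LogEntry:
    ts: str
    component: str
    mac: str
    session: str
    msg: str


@dataclass
class ClientAuthState:
    mac: str
    authc_list: Optional[str] = None
    authz_list: Optional[str] = None          # None when the WLC reports it as not present
    authz_missing_at_push: bool = False       # "Authz mlist is not present" at profile push
    push_events: List[str] = field(default_factory=list)


def parse_line(raw: str) -> Optional[LogEntry]:
    """Split one WLC debug line into fields; None for blank or non-matching lines."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    return LogEntry(m["ts"], m["comp"], m["mac"], m["session"], m["msg"].strip())


def triage(lines: List[str]) -> Dict[str, ClientAuthState]:
    """Build per-client method-list state from auth-mgr lines."""
    states: Dict[str, ClientAuthState] = {}
    for raw in lines:
        e = parse_line(raw)
        if e is None or not e.component.startswith("auth-mgr"):
            continue
        st = states.setdefault(e.mac, ClientAuthState(e.mac))
        m = AUTHC_RE.search(e.msg)
        if m:
            st.authc_list = m.group(1).strip()
            continue
        m = AUTHZ_RE.search(e.msg)
        if m:
            value = m.group(1).strip()
            st.authz_list = None if "not present" in value.lower() else value
            continue
        low = e.msg.lower()
        if "user profile is to be applied" in low:
            st.push_events.append(e.ts)
            if "authz mlist is not present" in low:
                st.authz_missing_at_push = True
    return states


def report(states: Dict[str, ClientAuthState]) -> List[str]:
    """One line per client, flagging sessions with no authorization list reported."""
    out = []
    for mac in sorted(states):
        st = states[mac]
        if st.authz_list is None or st.authz_missing_at_push:
            out.append(f"{mac}: FLAG no authz method list reported (authc={st.authc_list}); "
                       "review the WLAN's authorization list and the ISE result type")
        else:
            out.append(f"{mac}: ok authz={st.authz_list} authc={st.authc_list}")
    return out


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Feed it the output of the WLC's wireless client RA trace for the affected MAC; only the component check and the two message patterns need adjusting if a different software release words these lines differently.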


I wouldn't ever compare AireOS and IOS... things are just not the same, and that's from my experience. From what you stated, that tells me that the rules work for AireOS, so it shouldn't be an issue (?) with the 9800s, but you never know. Sorry, but I haven't had to apply any ACLs for our SSIDs, but it would be interesting to find out what the solution is.

*** Please rate helpful posts ***

Of course, IOS-XE is not AireOS; that's particularly why dACLs are not recommended on IOS-XE at all & for an Airespace ACL to work one needs to configure the AuthZ method-list AV in the AuthZ profile on ISE etc etc etc. What I wanted to say is that whatever dynamic ACL application approach one chooses in the AireOS case, it will work if properly (meaning considering all prerequisites) configured on the WLC & ISE. It's totally not the case for IOS-XE for wireless...
Surely will keep the thread updated with Cisco TAC's findings...