WLC C9800 AirSpace ACL does not get applied

Hello Community

I've hit an amazing misbehaviour with a scenario where I need to restrict the vast majority of clients of a locally switched SSID from a sensitive subnet while allowing specific clients to access this subnet. For this to work I've configured an ACL denying IP to this subnet & allowing everything else on the WLC & configured 2 AuthZ policies on ISE: the 1st matches the restriction & applies a result with the ACL name; the 2nd matches the specific clients' attributes & doesn't apply any restrictions. The issue I met is that the ACL never gets applied to the 1st case client session...
I was trying the Filter-ID attribute, I was trying the Airespace ACL checkbox in the AuthZ profile, always with the same result - the ACL doesn't get applied.

I have the AuthZ method list name configured on the WLC and also coded as a Method-List AV pair in the AuthZ profile & all the prerequisites met for the scenario to work but...

I've opened a TAC case, running since 1w+ already w/o any progress, with all verifications from the TAC side implemented; that's why I decided to ask the community if anyone ever met such an issue.

WLC runs 17.3.3, ISE 2.7 patch 6, APs are in FlexConnect mode & the SSID is locally switched. Any idea please?

1 Accepted Solution

Accepted Solutions

Got resolved by switching to the Common Tasks / Airespace ACL Name check-box enablement instead of cisco-av-pair = AireSpace-ACL-Name=blah-blah.

Effectively, it gets treated on the WLC as Filter-ID & is shown under Monitoring / Wireless / Clients / <client> / General / Security Information / Server Policies|Resultant Policies

thanks to all 


10 Replies

Scott Fella
Hall of Fame Guru

Have you opened the TAC case with the ISE team or the wireless team?  You are better off making sure they both have a look.  I haven't tried a dACL using FlexConnect, but wouldn't it be easier to have two VLANs and then use rules to place a device on one or the other VLAN?  Anyway, when I do any testing, I always have to play with rules to ensure a rule catches what I need.  Maybe what the controller is sending back isn't being read by ISE.  That's when you might have to look for a different way to identify these devices.

-Scott
*** Please rate helpful posts ***

Hi Scott

The TAC case is only in the wireless team. The same is working on AireOS w/o any problem.

We don't use dACL in this scenario & creation of a separate SSID/VLAN is not an option.

Not sure about what the WLC tells ISE during the AuthZ phase, but debug on the WLC shows ISE communicates the AVs properly, & at the end the WLC just omits any references to what it was doing with the ACL & mumbles something about the AuthZ Method-List it received.

2022/01/20 09:18:31.000165 {wncd_x_R0-0}{2}: [auth-mgr-feat_wireless] [18316]: (info): [5076.af47.945b:capwap_90000027]  - authc_list: DOT1x_auth_ISE

2022/01/20 09:18:31.000167 {wncd_x_R0-0}{2}: [auth-mgr-feat_wireless] [18316]: (info): [5076.af47.945b:capwap_90000027]  - authz_list: Not present under wlan configuration

 

2022/01/20 09:19:12.879716 {wncd_x_R0-0}{2}: [auth-mgr] [18316]: (info): [5076.af47.945b:capwap_90000027] User profile is to be applied. Authz mlist is not present, Authc mlist DOT1x_auth_ISE ,session push flag is unset

 

I wouldn't ever compare AireOS and IOS... things are just not the same and that's from my experience.  From what you stated, that tells me that the rules work for AireOS, so it shouldn't be an issue (?) with the 9800s, but you never know.  Sorry, but I haven't had to apply any ACLs for our SSIDs, but it would be interesting to find out what the solution is.

-Scott
*** Please rate helpful posts ***

Of course, IOS-XE is not AireOS; in particular dACLs are not recommended on IOS-XE at all & for the Airespace ACL to work one needs to configure the AuthZ method-list AV in the AuthZ profile on ISE etc etc etc. What I wanted to say is that whatever dynamic ACL application approach one chooses in the AireOS case, it will work if properly (meaning considering all prerequisites) configured on the WLC & ISE. It's totally not the case for IOS-XE for wireless...
Surely will keep the thread updated with Cisco TAC's findings...

Arshad Safrulla
VIP Advocate

Can you post your Flex profile? Did you push the ACL to the AP?


I would also like to know whether you have enabled central authentication under the Policy profile or local authentication directly from the AP (are the NADs the WLC or the APs in the WLC?).

Also note only extended ACLs are supported by Flex APs. Also you can do an RA trace for a client while connecting to this SSID to see whether the RADIUS server is sending the required parameters.

______________
Arshad Safrulla

Hi Arshad

Please find screens attached. From my perspective everything looks like it has to be, can you confirm?

Also, yes, we use extended ACLs (standard only works with SRC).

& yes, we did an RA trace with TAC. The WLC receives the needed attributes:

...
2022/01/20 09:19:12.878948 {wncd_x_R0-0}{2}: [radius] [18316]: (info): RADIUS: Cisco AVpair [1] 34 "Method-List=DOT1x_author_ISE"
2022/01/20 09:19:12.878957 {wncd_x_R0-0}{2}: [radius] [18316]: (info): RADIUS: Cisco AVpair [1] 40 "AireSpace-ACL-Name=acl-No-Office-2-LAB"

...

But there is no ACL in the Applied attributes.
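The two symptoms in this thread are visible in the RA trace itself: the AireSpace-ACL-Name arrives as a Cisco AVpair, yet the auth-mgr lines report no authorization method list for the session. As an added example (not code from the original post or from Cisco), this small checker parses those wncd log lines and flags that combination; the sample trace below is constructed from the lines quoted in the thread, and the log formats for Cisco AVpair and authz_list are assumed to be exactly as quoted.

```python
import re
from typing import Dict, List

# Constructed sample: the C9800 wncd / RA-trace lines quoted earlier in this thread.
SAMPLE_TRACE = """\
2022/01/20 09:18:31.000165 {wncd_x_R0-0}{2}: [auth-mgr-feat_wireless] [18316]: (info): [5076.af47.945b:capwap_90000027]  - authc_list: DOT1x_auth_ISE
2022/01/20 09:18:31.000167 {wncd_x_R0-0}{2}: [auth-mgr-feat_wireless] [18316]: (info): [5076.af47.945b:capwap_90000027]  - authz_list: Not present under wlan configuration
2022/01/20 09:19:12.878948 {wncd_x_R0-0}{2}: [radius] [18316]: (info): RADIUS: Cisco AVpair [1] 34 "Method-List=DOT1x_author_ISE"
2022/01/20 09:19:12.878957 {wncd_x_R0-0}{2}: [radius] [18316]: (info): RADIUS: Cisco AVpair [1] 40 "AireSpace-ACL-Name=acl-No-Office-2-LAB"
2022/01/20 09:19:12.879716 {wncd_x_R0-0}{2}: [auth-mgr] [18316]: (info): [5076.af47.945b:capwap_90000027] User profile is to be applied. Authz mlist is not present, Authc mlist DOT1x_auth_ISE ,session push flag is unset
"""

# Line shapes assumed from the quoted trace: key=value inside a Cisco AVpair, and
# the two phrasings the WLC uses when no authorization method list is bound.
AVPAIR_RE = re.compile(r'RADIUS: Cisco AVpair \[\d+\] \d+ "([^="]+)=([^"]*)"')
AUTHZ_MISSING_RE = re.compile(r"authz_list: Not present|Authz mlist is not present")
AUTHC_RE = re.compile(r"authc_list: (\S+)")


def parse_avpairs(text: str) -> Dict[str, str]:
    """Collect every Cisco AVpair key=value the WLC logged as received from RADIUS."""
    return {m.group(1): m.group(2) for m in AVPAIR_RE.finditer(text)}


def analyze_trace(text: str) -> dict:
    """Summarise what ISE sent and whether the WLC bound an authz list to the session."""
    avpairs = parse_avpairs(text)
    authz_present = AUTHZ_MISSING_RE.search(text) is None
    authc = AUTHC_RE.search(text)
    findings: List[str] = []
    acl = avpairs.get("AireSpace-ACL-Name")
    if acl and not authz_present:
        findings.append(
            f"ACL '{acl}' was delivered as a cisco-av-pair but the WLC reports no authz "
            "method list for the session; expect it not to be applied. Sending the ACL "
            "via the ISE 'Airespace ACL Name' common task (Filter-ID) is the workaround."
        )
    if "Method-List" in avpairs and not authz_present:
        findings.append(
            f"Method-List AVpair '{avpairs['Method-List']}' was received, yet the WLC still "
            "reports the authz list as absent; check the WLC-side method list name."
        )
    return {
        "avpairs": avpairs,
        "authc_list": authc.group(1) if authc else None,
        "authz_list_present": authz_present,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyze_trace(SAMPLE_TRACE)["findings"]:
        print("-", line)
```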

Arshad Safrulla
VIP Advocate

Did you check on the AP whether the ACL is there? Log in to the AP via CLI and with "show ip access-list" verify the ACL you pushed is there on the AP.

Also make sure that you save the tags on the AP.

______________
Arshad Safrulla

Yes, ACLs are on the APs. How can I check tags on the AP?

 

UPD. Tags are also there (thanks to @rrudling's hint)

br andy

 

rrudling
VIP Advocate

“ap name <APname> write tag-config” saves the tags.

From 17.6.1 tag persistency is introduced: 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-6/config-guide/b_wl_17_6_cg/m_ap_tag_persistency.html That also includes info about show ap tag summary.

Have you tried testing on a newer release like 17.6? There were a number of radius feature enhancements (to improve feature parity with AireOS) that went in between 17.3 and 17.6 which is why we're using 17.6 - our design simply didn't work on 17.3 as some commands appear in the config but are not implemented at all in the code.

