WLC time based ACL

momo33
Level 1

Hello,

I'm using 8.5.131 and I can't figure out how to block clients from joining a WLAN for specific time and day.

I created an ACL that denies everything inbound and outbound. Then I created a local policy and just set the ACL, the time and days and the VLAN ID. I applied the policy to the policy mapping of the WLAN and saved the configuration.

Any clients can still access it at any time.

What am I missing?

Thank you

8 Replies

momo33
Level 1
One thing is the logs show:
*Dot1x_NW_MsgTask_4: Jul 26 12:02:52.249: %HREAP-7-ACL_ENTRY_DONOT_EXIST: hreap.c:9409 Unable to find an ACL by name "xxxxxx".
The ACL is there and the name matches.

Leo Laohoo
Hall of Fame
The time-based ACL should be applied to the VLAN which also happens to be the default gateway to the dynamic interface.

Hi Leo,

Thank you for your quick response. I'm not sure I understand what you mean by "ACL should be applied to the VLAN". I have the VLAN ID set in the local policy matching the VLAN set for the AP and controller.

Ok, so you're trying to stop people from joining an SSID on certain times of day.
So let's say that the SSID is mapped to Dynamic Interface called "WORK". This Dynamic Interface has a subnet of 1.1.1.0/20 and is being "hosted" by a core switch somewhere.
Put the time-based ACL on this core switch and apply the ACL to the VLAN that is hosting the 1.1.1.0/20 subnet.
Another thing, please post the ACL.
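Leo's suggestion written out as configuration, as an added example and not something posted in the thread: a Cisco IOS time-range plus an extended ACL applied inbound on the SVI that is the default gateway for the client subnet. The dynamic interface name "WORK" comes from Leo's post; the VLAN number (20), the subnet (192.0.2.0/24), the NTP server address and the 08:00 to 18:00 weekday window are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumptions: VLAN 20 on the core
! switch hosts the WLC "WORK" dynamic interface's subnet 192.0.2.0/24
! (placeholder), and clients are allowed out only on weekdays 08:00-18:00.
!
! A time-range is evaluated against the switch clock, so make sure the
! clock and time zone are right (NTP) before trusting the windows.
clock timezone UTC 0
! placeholder NTP server address
ntp server 192.0.2.250

! The window during which client traffic is ALLOWED.
time-range WORK_HOURS
 periodic weekdays 08:00 to 17:59

! The permit line is active only while WORK_HOURS is true; at any other
! time it is skipped and the trailing deny drops everything.
ip access-list extended WORK_TIME_FILTER
 permit ip 192.0.2.0 0.0.0.255 any time-range WORK_HOURS
 deny   ip any any

! Apply inbound on the SVI, i.e. on traffic arriving from the clients.
interface Vlan20
 description WORK dynamic interface - client default gateway
 ip address 192.0.2.1 255.255.255.0
 ip access-group WORK_TIME_FILTER in

! Verification (show commands, not part of the configuration):
!   show time-range WORK_HOURS           - reports whether the range is active now
!   show ip access-lists WORK_TIME_FILTER - hit counts on the permit and deny lines
```

This filters traffic at the gateway; it does not stop a client from associating to the SSID outside the window, which is the same behaviour momo33 describes for the WLC-side ACL. The HREAP log line quoted earlier (HREAP is the older name for FlexConnect) concerns the controller's own ACL lookup and is not addressed by this switch-side example.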

Hi Leo,

Sorry for the delay, I had no access to the device over the weekend.

The ACL is literally, deny all IPs/all protocols, inbound&outbound.

Would it be possible to do it without a core switch? Let's say all I have is the WLC and the AP.

It seems I can block the clients that connect to the AP from accessing anything, any IP/website. But they can still connect to the SSID. If I apply the ACL to the dynamic interface then it rejects it, but that won't be time based.


@momo33 wrote:

Would it be possible to do it without a core switch? Let's say all I have is the WLC and the AP.


Sure.  The ACL can be applied to a router.

What I meant was: can it be done on the WLC alone? It seems to have everything it needs, but it's not performing as configured. Why would I need to apply the ACL anywhere else if I can apply it to a policy and then apply that policy to the SSID?

Like I said, I can block the clients from accessing any website but not from connecting to the SSID.

I'm confused about why there would be all those settings if they are useless without a core switch.


It is best to block from the router which is "hosting" the default gateway.