Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

7.6 WLC and per user ACL for flexconnect

Hi All,

Im in the process of configuring our new 5508 WLC running version 7.6 code with 3700 APs.

We run ISE, and have setup our IT Admins to run on a separate VLAN on the wired from general users which works good. This allows us to control who can access the Management VLANs in each office.

Now comes to WLANs and I'd like to do the same. 7.6 should support a per user ACL on flexconnect APs as per the below document but there isnt one configuration guide for this because I suspect it was only release in the last few months.

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc9

If I create a SSID, "COMPANY-CORPORATE" for local switching, centrally authenticated to ISE with a WLAN VLAN mapping to vlan 10, how do I get users onto say vlan 20 (Our IT Admins) connecting to the same SSID? Ive configured it on ISE, but how does it get configured on the WLC?

On the WLC, I have already a WLAN to VLAN mapping, but I cant assign multiple VLANs to a SSID. I suspect that I need to assign our IT Admin VLAN (Vlan 20) somewhere on the WLC, but cant be sure without any configuration guides.

1 ACCEPTED SOLUTION

Accepted Solutions

From your description it

From your description it looks like you're trying to push a VLAN override, not just an ACL.  Either way, yes per-user ACL "is" supported, per the documentation, as of 7.5

If the goal is to simply map a locally switched user dynamically to a new VLAN, you will want to make sure the VLANs are added to the member APs of the FlexConnect Group.

Navigate to the FlexConnect group in question.

 

ACL Mapping > AAA VLAN-ACL Mapping

Specify the VLAN ID of the additional VLANs you want to use on the AP, and be sure to specify ACL as "NONE" (if you're just wanting the VLAN added)

Click Add

This will create the VLANs "on" the AP such that a client that would normally be WLAN/VLAN mapped to be on VLAN 10, can receive a AAA override from ISE for VLAN 20 and assign them to this VLAN.

 

Please be sure you have AAA Override enabled on the WLAN, but aside from that it should work.

 

"IF" you're looking to do per-user "ACL", it's my understanding you will utilize the "Web Policies" section of the FlexConnect group to specify all your defined dynamic FlexACLs.  I haven't tested this yet, but supposedly when an ACL override comes back for a per-use assignment, it will utilize the ACL if it is present in Web Policies.  Please be sure that the "Flex" ACL is created, and a corresponding standard ACL "exists" with this name, otherwise the WLC will throw an error that the ACL cannot be found.

 

This Web Policies section was previously dedicated to ACL's applied as part of the ISE Central Web Auth (L3 policy states) and would apply "per-user", but would not work when applying as the final resultant policy for the user.  You were stuck with whatever ACL you had defined in the AAA VLAN-ACL Mapping.  If you wanted to pass different ACLs while the Client Policy state was in a Central_WebAuth_Reqd, Posture_Reqd, or Posture_Remediation states, this is where this is done and it worked perfectly.  Apparently this will now work for the final resultant policies as Jake has discussed.

 

6 REPLIES

It is my understanding that

It is my understanding that you cannot do per-user ACL override with Flexconnect Local Switching.  However you can map an ACL to a VLAN and then use the AAA Override to change the VLAN to the one with the appropriate ACL applied.  Just be aware that you only have a maximum of 16 VLANs per AP, so it's not the most scalable solution

BYOD For Flexconnect:

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html#anc8

So I am apparently wrong.

So I am apparently wrong.  You can do Per-User ACL via a AAA override.  Per the 7.5 release notes:

In the earlier releases, you could have a per client access control list (ACL) in a centrally switched traffic. In this release, this feature has been enhanced to support ACL for local switching traffic with both central and local authentication. Client ACL is returned from AAA on successful client Layer 2 authentication as part of Airespace RADIUS attributes. As the Airespace RADIUS attribute is an ACL name, the ACL must be already present on the FlexConnect AP.

 

 

From your description it

From your description it looks like you're trying to push a VLAN override, not just an ACL.  Either way, yes per-user ACL "is" supported, per the documentation, as of 7.5

If the goal is to simply map a locally switched user dynamically to a new VLAN, you will want to make sure the VLANs are added to the member APs of the FlexConnect Group.

Navigate to the FlexConnect group in question.

 

ACL Mapping > AAA VLAN-ACL Mapping

Specify the VLAN ID of the additional VLANs you want to use on the AP, and be sure to specify ACL as "NONE" (if you're just wanting the VLAN added)

Click Add

This will create the VLANs "on" the AP such that a client that would normally be WLAN/VLAN mapped to be on VLAN 10, can receive a AAA override from ISE for VLAN 20 and assign them to this VLAN.

 

Please be sure you have AAA Override enabled on the WLAN, but aside from that it should work.

 

"IF" you're looking to do per-user "ACL", it's my understanding you will utilize the "Web Policies" section of the FlexConnect group to specify all your defined dynamic FlexACLs.  I haven't tested this yet, but supposedly when an ACL override comes back for a per-use assignment, it will utilize the ACL if it is present in Web Policies.  Please be sure that the "Flex" ACL is created, and a corresponding standard ACL "exists" with this name, otherwise the WLC will throw an error that the ACL cannot be found.

 

This Web Policies section was previously dedicated to ACL's applied as part of the ISE Central Web Auth (L3 policy states) and would apply "per-user", but would not work when applying as the final resultant policy for the user.  You were stuck with whatever ACL you had defined in the AAA VLAN-ACL Mapping.  If you wanted to pass different ACLs while the Client Policy state was in a Central_WebAuth_Reqd, Posture_Reqd, or Posture_Remediation states, this is where this is done and it worked perfectly.  Apparently this will now work for the final resultant policies as Jake has discussed.

 

I was trying to find this

I was trying to find this earlier as I remembered reading it.  This seems to be a caveat to this new "feature".  I can't seem to access the 7.6 config guide, but this is from 7.5, where per-user flex ACLs were added for local switching.

"With profiling enabled for local switching FlexConnect mode APs, only VLAN override is supported as an AAA override attribute. "

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/config_guide/b_cg75/b_cg75_chapter_01100000.html#concept_ADC90233195C4861B7BEC25485D29DD7

Community Member

Yes, absolutely - my plan is

Yes, absolutely - my plan is for both a ACL and also a VLAN change based on a per user. Its only the Admins I want to change the VLAN for, but every department will undergo a ACL change.

I had the ACL override working last week and am currently rebuilding the APs etc as there were quite a few changes made in my testing. As you say, the ACLs must be setup as FlexConnect ACLs, and these must be imported in the Web Policies. I used the Airspace ACL, although I think it may work with the standard dACL in ISE.

I havent yet investigated the per VLAN override.. hopefully get this tested next week.

You will need to continue

You will need to continue using the Airespace ACLs as the Airespace based WLC models do not support dACLs in the traditional sense.  This "may" come in future releases (8.0?), but is currently only supported in Converged Access wireless environment, where-by you are operating on an IOS based device.

2571
Views
0
Helpful
6
Replies
CreatePlease to create content