Cisco Support Community

New Member

ISE 1.2: Airespace ACL vs DACL

Can someone please shed some light here:

I have a 5508 WLC & ISE 1.2.   I configured Guest Access through the use of a Sponsor Portal, and got it working.

I now want to restrict my Guest users to access the internet only and not the rest of my network.

Do I do that using an Airespace ACL and an access list on my WLC, or a DACL on my ISE box?

I'm not sure how to block the users from accessing my internal network, since I have tried both, but neither works.

Any advice please.


ISE 1.2: Airespace ACL vs DACL

Hi,

Do you want to set this up only via ISE/WLC?

You can rather create an IP ACL on the neighbouring L3 gear to block internal resources.

And it is always recommended this way.

Regards
Victor V

*****Help out others by using the rating system and marking answered questions as "Answered"*****
New Member

ISE 1.2: Airespace ACL vs DACL

Hi Victor.

I have tried that as well, but then my authentication & redirection stops working.

Any idea what the ACL on the L3 switch should look like?

Jaco

ISE 1.2: Airespace ACL vs DACL

Since ISE is the only device involved for auth and redirection, at a basic level the ACLs should look like:

Source      Dest                          ACTION

ANY                          PERMIT

ANY           DENY

ANY      ANY                            PERMIT

Regards
Victor V

*****Help out others by using the rating system and marking answered questions as "Answered"*****
New Member

ISE 1.2: Airespace ACL vs DACL

Hi Victor.

This is my ACL (with 172.20.30.8 = ISE, 172.20.7.245 = firewall and 172.20.30.250 = WLC):

ip access-list extended Guest-Wifi
 permit ip any host 172.20.7.245
 permit ip any host 172.20.30.250
 permit ip any host 172.20.30.8
 deny   ip any any

The moment I apply the ACL to my VLAN interface, redirection stops working and authentication is bypassed.

Any ideas why this would happen?

New Member

ISE 1.2: Airespace ACL vs DACL

I got it working using an Airespace ACL, using exactly the same config as in the DACL (which was not working).

ISE 1.2: Airespace ACL vs DACL

Excellent!!

Please paste the config that worked, so that it will be helpful for others (if they run into a similar requirement).

Thanks

Regards
Victor V

*****Help out others by using the rating system and marking answered questions as "Answered"*****

Re: ISE 1.2: Airespace ACL vs DACL

In ISE, dACLs are only applicable to switches. They are ineffective with wireless connections.

An Airespace ACL is the way to go and it looks like you got it working.

The ACL should be:

permit inbound from any to the ISE IPs, and permit outbound from ISE to any.

deny inbound from any to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (or just to your internal IP space).

permit any to any in any direction.

[Attachment: GuestAccess.png]
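The rule order in the answer above matters more than it looks: the ISE address posted earlier in this thread (172.20.30.8) sits inside 172.16.0.0/12, so if the RFC 1918 deny were evaluated before the permit to ISE, guests could no longer reach the portal and the redirect would break. The following script is an added example (not Cisco's code and not from anyone in this thread) that models the WLC's first-match evaluation over the three-part rule set from the reply and checks a few constructed flows, including that misordered variant. The guest client address 172.20.40.10 and the Internet address 203.0.113.10 are constructed sample values; "in" means traffic from the wireless client towards the network, "out" the reverse.

```python
"""First-match evaluation of the guest Airespace ACL described above.

Added illustration; the only address taken from the thread is the ISE
node 172.20.30.8. All other addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
ISE = ipaddress.ip_network("172.20.30.8/32")  # ISE address from the thread
# Internal address space to block, as suggested in the reply: the RFC 1918 ranges.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" (client -> network), "out" (network -> client) or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str     # "permit" or "deny"


def guest_acl(deny_nets=RFC1918):
    """The rule set from the reply, in the order the reply gives it."""
    rules = [Rule("in", ANY, ISE, "permit"),   # guests may reach ISE (portal/CoA)
             Rule("out", ISE, ANY, "permit")]  # and ISE may answer them
    rules += [Rule("in", ANY, net, "deny") for net in deny_nets]  # block internal space
    rules.append(Rule("any", ANY, ANY, "permit"))  # everything else: Internet
    return rules


def misordered_acl(deny_nets=RFC1918):
    """Same rules, but with the internal-space deny placed before the ISE permit."""
    rules = [Rule("in", ANY, net, "deny") for net in deny_nets]
    rules += [Rule("in", ANY, ISE, "permit"), Rule("out", ISE, ANY, "permit"),
              Rule("any", ANY, ANY, "permit")]
    return rules


def evaluate(rules, direction, src, dst):
    """Return the action of the first rule matching this flow.

    A WLC ACL ends with an implicit deny, so no match means "deny".
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.direction not in ("any", direction):
            continue
        if s in r.src and d in r.dst:
            return r.action
    return "deny"


def check_guest_flows(rules, guest="172.20.40.10"):
    """Evaluate the flows a guest SSID has to get right; returns a dict of results."""
    return {
        "guest->ISE":      evaluate(rules, "in", guest, "172.20.30.8"),
        "ISE->guest":      evaluate(rules, "out", "172.20.30.8", guest),
        "guest->internal": evaluate(rules, "in", guest, "10.1.1.1"),
        "guest->internet": evaluate(rules, "in", guest, "203.0.113.10"),
    }


if __name__ == "__main__":
    for name, acl in (("as described", guest_acl()), ("misordered", misordered_acl())):
        print(f"ACL {name}:")
        for flow, action in check_guest_flows(acl).items():
            print(f"  {flow:16s} {action}")
```

Running it shows the ACL as described permitting guest-to-ISE, ISE-to-guest and guest-to-Internet while denying guest-to-internal, whereas the misordered variant denies the ISE flow, which is exactly the "redirection stops working" symptom. Note that the deny rules are inbound only, so the final permit still allows the reverse direction; that is fine here because a guest cannot initiate the flow, but it is worth keeping in mind when the rule set is extended.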

Silver

Re: ISE 1.2: Airespace ACL vs DACL

For reference, check the Cisco HowTo guides for ISE deployment; they are very helpful and cover all the aspects of ISE.

Re: ISE 1.2: Airespace ACL vs DACL

+5 JJ ..

Only "named" ACLs work with the WLC.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"I'm like bacon, I make your wireless better"
