Has anyone gotten FlexConnect ACLs to work properly in 8.x? Here's my test setup:
One 3700 AP in FlexConnect mode, part of an AP group that is only broadcasting one test SSID.
The primary goal, getting this FlexConnect AP to drop users on different VLANs based on RADIUS parameters, was successful (though I couldn't ever drop anyone on VLAN 1, no matter what the native VLAN for the AP was).
In order for the AP to know the VLANs, I had to create a FlexConnect Group and create "AAA VLAN ACL MAPPING"s for all the VLANs I wanted the AP to know about. As mentioned, that part worked fine.
Next I created a very simple FlexConnect ACL to block any traffic to 18.104.22.168. I applied it to one of the VLANs on the same tab (Wireless > FlexConnect Groups > ACL Mapping > AAA VLAN-ACL mapping). I tried all sorts of combinations: applying the ACL to ingress or egress, disassociating the client, moving the client to a different VLAN and back, etc. I got it working once, on one of the VLANs, but couldn't repeat it. It might have been after removing the AP from the FlexConnect group and putting it back.
The only result all this had was that I suddenly lost web access to the WLC. As far as I can tell, the WLC ended up rebooting itself and the HA unit took over. A bit scary.
How are FlexConnect ACLs supposed to work? Do they get applied the moment you apply them to the ingress/egress of the VLAN? Does the client have to disassociate and re-associate? Does something else have to happen to trigger the ACLs being applied?
From what I could tell in the FlexConnect ACL debug, all the changes were being pushed to the AP as I made them. However, at one point when checking the VLAN mappings on the AP, the VLANs with ACLs in the FlexConnect group showed no ACLs on the AP. Another time, the VLANs that had the ACLs applied were no longer there at all.
As I'm writing this, I noticed that I can now crash the WLC, just by clicking the VLAN mappings on that AP....
After two failovers that seemed to be triggered by me making changes in the FlexConnect Group config, one controller hung completely (no response anywhere, including the console). I had to power cycle it.
After that, the FlexConnect ACLs seemed to work just as expected. Changes in the ACLs would immediately be reflected on the client connected to the AP without having to re-associate the client (something that definitely wasn't working before).