Community Member

WLC and dACLs

Does anyone know if dACLs on a WLC controller using the latest code require a pre-configuration of the ACLs on the controller? All documentation seems to indicate the ACLs must be created first on the controller and the policy engine (ISE or ACS) push down the name of the ACL to be used.

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674
13 REPLIES
Hall of Fame Super Silver

Re: WLC and dACLs

The WLC doesn't support dACLs, but you would use the WLC ACLs.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Re: WLC and dACLs

Hey Jim, long time no see!

For the WLC, this is correct.  You have to preconfigure the ACL on the WLC, and ISE will send the name.

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered

Re: WLC and dACLs

To piggy back in ...

ISE supports two kinds of ACLs (downloadable or named). The WLC supports named ACLs. The name should be identical in the ISE policy manager and on the WLC.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
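The distinction in the reply above (a dACL delivered as a cisco-av-pair versus a named ACL delivered as Airespace-ACL-Name, with the name having to match what is pre-configured on the controller) can be shown at the RADIUS attribute level. The following is an added example, not code from the thread or from Cisco: it encodes and parses RFC 2865 Vendor-Specific attributes and simulates a controller that only honours an Airespace-ACL-Name whose value exactly matches a pre-configured ACL. The vendor and sub-attribute IDs (Cisco vendor 9 / cisco-av-pair 1, Airespace vendor 14179 / Airespace-ACL-Name 6) are taken from the standard RADIUS dictionaries, not from the thread; the dACL reference string and the ACL names are constructed sample data, and exact (case-sensitive) name matching is an assumption of the simulation.

```python
"""Added example: RADIUS VSA handling for the WLC named-ACL model (not from the thread)."""
from __future__ import annotations

import struct

RADIUS_VSA = 26                 # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1               # cisco-av-pair sub-attribute (carries dACL references)
AIRESPACE_VENDOR_ID = 14179
AIRESPACE_ACL_NAME = 6          # Airespace-ACL-Name sub-attribute (what the WLC reads)


def encode_vsa(vendor_id: int, sub_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute: T=26, L, Vendor-Id, then sub-TLV."""
    if len(value) > 253 - 8:
        raise ValueError("VSA value too long for a single attribute")
    sub = struct.pack("!BB", sub_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", RADIUS_VSA, 2 + len(body)) + body


def iter_attrs(blob: bytes):
    """Walk a type/length/value list, rejecting truncated or zero-length entries."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[i + 2 : i + length]
        i += length


def vsa_values(attrs: bytes, vendor_id: int, sub_type: int) -> list[str]:
    """Return every string value of the given vendor/sub-attribute in the list."""
    out = []
    for attr_type, value in iter_attrs(attrs):
        if attr_type != RADIUS_VSA or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        for st, sv in iter_attrs(value[4:]):
            if st == sub_type:
                out.append(sv.decode("ascii", errors="replace"))
    return out


def ise_access_accept(acl_name: str, dacl_ref: str) -> bytes:
    """Constructed sample Access-Accept attribute list: a Cisco dACL reference
    (the form a switch acts on) plus an Airespace ACL name for the WLC."""
    dacl = f"ACS:CiscoSecure-Defined-ACL={dacl_ref}".encode("ascii")
    return (encode_vsa(CISCO_VENDOR_ID, CISCO_AV_PAIR, dacl)
            + encode_vsa(AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME, acl_name.encode("ascii")))


def wlc_select_acl(attrs: bytes, configured_acls: set[str]) -> str | None:
    """Simulated WLC: ignore cisco-av-pair dACL references entirely and apply the
    Airespace-ACL-Name only if it exactly matches a pre-configured ACL (assumed
    case-sensitive). Returns the ACL name that would be applied, or None."""
    for name in vsa_values(attrs, AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME):
        if name in configured_acls:
            return name
    return None


if __name__ == "__main__":
    accept = ise_access_accept("Employee-ACL", "#ACSACL#-IP-Employee-Example")
    print("controller with matching ACL :", wlc_select_acl(accept, {"Employee-ACL", "Guest-ACL"}))
    print("controller with typo'd ACL   :", wlc_select_acl(accept, {"employee-acl", "Guest-ACL"}))
```

Running the block shows the two outcomes the reply warns about: the same Access-Accept yields `Employee-ACL` on a controller where that exact name is pre-configured and `None` on one where the name differs only in case, and the dACL reference in the cisco-av-pair is never consulted.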
Community Member

WLC and dACLs

Thanks guys, Stephen, that helps out. I just needed the confirmation since I'm light on the wireless side.

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674

WLC and dACLs

ISE ACLs are the better way to go versus VLAN change. Most clients will not support CoA and will sit and spin.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Hall of Fame Super Silver

Re: WLC and dACLs

VLAN changes on the wireless side have not caused me any issues. I have used it on ACS and now on ISE. On the wired side it can be an issue, as you know.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Re: WLC and dACLs

If the device is not 100% profiled and later becomes profiled as other probes determine what the device is, and the device needs to move to another VLAN, a CoA happens. It's then that the supplicant will sit and spin. The AnyConnect client, for example, will recognize that no traffic is passing after a certain period of time and will re-IP. Other supplicants, for example Windows Zero Config, don't do that.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Hall of Fame Super Silver

Re: WLC and dACLs

That's how I have mine set up, though, but it's in my lab where I do the testing. I have one SSID and then multiple profiles with VLAN, session timer and QoS attributes depending on what AD group the user matches. I haven't tested other supplicants besides a Windows 7 and an XP client.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: WLC and dACLs

George,

I still prefer to match an SSID to an OU and either accept or deny. The named ACL and dACL I think is a nice idea, but you have to account for all the users on that given subnet. I think after playing around with ISE and seeing what really works in real life and what is painful will help determine what is the best way I deploy in certain situations.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Community Member

Re: WLC and dACLs

Hey Scott, did this ever happen to you or anyone?

https://supportforums.cisco.com/message/3716531#3716531

Re: WLC and dACLs

I'm curious, can you be more specific about what you mean when you say you match an SSID to an OU?

I agree each deployment will have unique deployment requirements.

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Hall of Fame Super Silver

Re: WLC and dACLs

I create a policy that says: is the user using the "employee" SSID and part of the "wireless employee" OU... and some others (device group, device location, EAP type, etc.). So if a domain user tries to access the "employee" SSID using his or her domain credentials and is not part of the "wireless employee" OU, ACS or ISE will send a reject to the WLC. That username is also accounted for in the failed attempts.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Community Member

Re: WLC and dACLs

Maybe not a totally relevant question to this post but does an autonomous ap (AP-1142N) support dACL from ACS? I'm not using any WLC.

/Putte
