Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass 802.1x with Cisco WLC per-user ACLs

  • 1.  Clearpass 802.1x with Cisco WLC per-user ACLs

    Posted Nov 02, 2016 01:27 PM

    Hi all, I have a Cisco 5508 WLC running 7.5.102.0, with an 802.1x WLAN authenticating to Clearpass.

    The basic dot1x authentication works no problem, but now I want to apply different access lists on the WLC based on Tips:Role


    Is there any documentation on how to do this on a WLC?  The references I have found are for Wired dot1x / DACLs, which doesn't apply for this WLC.



  • 2.  RE: Clearpass 802.1x with Cisco WLC per-user ACLs

    Posted Nov 02, 2016 01:30 PM
    Can you share the enforcement profiles you are using to send those ACLs?

    Do you have those ACLs configured in your controllers?


  • 3.  RE: Clearpass 802.1x with Cisco WLC per-user ACLs

    Posted Nov 02, 2016 02:32 PM
    I have a single ACL defined on the controller, but I don't yet have an enforcement profile configured because I don't have any reference of what to configure. I did try a DACL enforcement, but that didn't work.


  • 4.  RE: Clearpass 802.1x with Cisco WLC per-user ACLs

    Posted Nov 02, 2016 02:42 PM

    Try this :

    You'll need, of course, to replace the name of the ACL to match the ACL you have configured in your controller, and ignore the URL attribute.

    [Screenshot: 2016-11-02 14_38_51-ClearPass Policy Manager - Aruba Networks.png]



  • 5.  RE: Clearpass 802.1x with Cisco WLC per-user ACLs
    Best Answer

    Posted Nov 02, 2016 10:18 PM

    You'll need to use the Airespace-ACL-Name attribute in your enforcement policy. The screenshot below is an example of an enforcement policy used with a Cisco 5508 which applies an interface group of mercury and an ACL of Pump_Restricted. Keep in mind that your WLAN will need to have AAA Override enabled.

    [Screenshot: Screen Shot 2016-11-02 at 10.09.26 PM.png]


    Hope this helps!



  • 6.  RE: Clearpass 802.1x with Cisco WLC per-user ACLs

    Posted Nov 03, 2016 09:30 AM

    Hey Pete, I think what you show is exactly what I'm looking for, but I can't seem to find Type: Airespace-ACL-Name. What Enforcement Profile template are you using? I've tried various templates and it is not in any of them.



  • 7.  RE: Clearpass 802.1x with Cisco WLC per-user ACLs

    Posted Nov 03, 2016 11:16 PM

    RADIUS Based Enforcement.


    Also, make sure vendor Airespace is enabled under your RADIUS dictionary.  Administration > Dictionaries > RADIUS.




  • 8.  RE: Clearpass 802.1x with Cisco WLC per-user ACLs

    Posted Nov 04, 2016 10:23 AM

    Thanks for the help guys.  I managed to get it working by enabling the Airespace vendor in the dictionary and using the Radius:Airespace-Interface-Name and Radius:Airespace-ACL-Name.


    I also found this Cisco guide very useful:

    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/71683-dynamicvlan-config.html#WLC
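The posts above boil down to one mechanism: ClearPass returns the Cisco/Airespace vendor-specific attributes Airespace-Interface-Name and Airespace-ACL-Name in the RADIUS Access-Accept, and the WLC (with AAA Override enabled) applies the named interface and ACL, which must already exist on the controller. The following is an added example, not code from the thread, ClearPass or Cisco: it encodes those two VSAs the way they appear on the wire (RFC 2865 attribute 26, Airespace vendor ID 14179, vendor types 5 and 6 as listed in the standard Airespace RADIUS dictionary), decodes them back from a captured attribute list, and checks the returned ACL name against the ACLs configured on the controller, which is the mismatch the thread warns about. The role-to-enforcement mapping, the second role and the controller ACL list are constructed for illustration.

```python
import struct

# Values from the standard Airespace RADIUS dictionary (dictionary.airespace).
AIRESPACE_VENDOR_ID = 14179
AIRESPACE_INTERFACE_NAME = 5
AIRESPACE_ACL_NAME = 6
AIRESPACE_ATTR_NAMES = {
    AIRESPACE_INTERFACE_NAME: "Airespace-Interface-Name",
    AIRESPACE_ACL_NAME: "Airespace-ACL-Name",
}
RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute

# Hypothetical Tips:Role -> enforcement mapping. The first entry uses the
# names from the thread; the second role is constructed for illustration.
ROLE_ENFORCEMENT = {
    "Pump_Operator": {"interface": "mercury", "acl": "Pump_Restricted"},
    "Staff": {"interface": "staff_vlan", "acl": "Staff_Internal_Only"},
}


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute carrying a string value.

    Layout: type(26) | length | vendor-id(4) | vendor-type | vendor-length | data
    """
    data = value.encode("utf-8")
    if len(data) > 247:  # outer length is one byte: 8 bytes of framing + data <= 255
        raise ValueError("VSA string too long")
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    payload = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, len(payload) + 2) + payload


def build_airespace_attributes(role):
    """Return the attribute bytes an enforcement profile would add for a role.

    Unknown roles raise rather than falling through to an unrestricted session.
    """
    if role not in ROLE_ENFORCEMENT:
        raise LookupError(f"no enforcement profile mapped for role {role!r}")
    enf = ROLE_ENFORCEMENT[role]
    return (encode_vsa(AIRESPACE_VENDOR_ID, AIRESPACE_INTERFACE_NAME, enf["interface"])
            + encode_vsa(AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME, enf["acl"]))


def parse_airespace_attributes(blob):
    """Walk a RADIUS attribute list and decode the Airespace VSAs into a dict."""
    result = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        body = blob[i + 2:i + alen]
        if atype == RADIUS_VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            if vendor_id == AIRESPACE_VENDOR_ID:
                vtype, vlen = body[4], body[5]
                if vlen < 2 or 4 + vlen > len(body):
                    raise ValueError("malformed vendor attribute length")
                name = AIRESPACE_ATTR_NAMES.get(vtype, f"Airespace-Attr-{vtype}")
                result[name] = body[6:4 + vlen].decode("utf-8")
        i += alen
    return result


def check_acl_exists(attrs, controller_acls):
    """Return the ACL name ClearPass sent if the WLC does not have it, else None.

    A name the controller does not know is silently ignored by the WLC, so
    this is the first thing to verify when the per-user ACL is not applied.
    """
    acl = attrs.get("Airespace-ACL-Name")
    if acl is not None and acl not in controller_acls:
        return acl
    return None


if __name__ == "__main__":
    # Constructed controller ACL list; only one ACL is defined, as in the thread.
    wlc_acls = {"Pump_Restricted"}
    for role in ROLE_ENFORCEMENT:
        attrs = parse_airespace_attributes(build_airespace_attributes(role))
        missing = check_acl_exists(attrs, wlc_acls)
        print(role, attrs, "MISSING ON WLC:" if missing else "ok", missing or "")
```

Running the block shows that the Pump_Operator role round-trips cleanly, while the constructed Staff role names an ACL the controller list does not contain, which is exactly the condition to rule out before suspecting the enforcement profile itself.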