Contributor II
Posts: 38
Registered: ‎07-28-2014

Clearpass 802.1x with Cisco WLC per-user ACLs

Hi all, I have a Cisco 5508 WLC running 7.5.102.0, with an 802.1x WLAN authenticating to Clearpass.

The basic dot1x authentication works no problem, but now I want to apply different access lists on the WLC based on Tips:Role


Is there any documentation on how to do this on a WLC? The references I have found are for wired dot1x / DACLs, which don't apply to this WLC.

MVP
Posts: 4,227
Registered: ‎07-20-2011

Re: Clearpass 802.1x with Cisco WLC per-user ACLs

Can you share your enforcement profiles you are using to send those ACLs ?

Do you have those ACLs configured in your controllers?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 38
Registered: ‎07-28-2014

Re: Clearpass 802.1x with Cisco WLC per-user ACLs

I have a single ACL defined on the controller, but I don't yet have an enforcement profile configured because I don't have any reference of what to configure. I did try a DACL enforcement, but that didn't work.
MVP
Posts: 4,227
Registered: ‎07-20-2011

Re: Clearpass 802.1x with Cisco WLC per-user ACLs

Try this :

You need, of course, to replace the name of the ACL to match the ACL you have configured in your controller, and ignore the URL attribute.

[Screenshot: 2016-11-02 14_38_51-ClearPass Policy Manager - Aruba Networks.png]

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 15
Registered: ‎07-03-2013

Re: Clearpass 802.1x with Cisco WLC per-user ACLs

You'll need to use the Airespace-ACL-Name attribute in your enforcement policy. The screenshot below is an example of an enforcement policy used with a Cisco 5508 which applies an interface group of mercury and an ACL of Pump_Restricted. Keep in mind that your WLAN will need to have AAA Override enabled.

[Screenshot: Screen Shot 2016-11-02 at 10.09.26 PM.png]

Hope this helps!

Contributor II
Posts: 38
Registered: ‎07-28-2014

Re: Clearpass 802.1x with Cisco WLC per-user ACLs

Hey Pete, I think what you show is exactly what I'm looking for, but I can't seem to find Type: Airespace-ACL-Name. What Enforcement Profile template are you using? I've tried various templates and it is not in any of them.

Occasional Contributor II
Posts: 15
Registered: ‎07-03-2013

Re: Clearpass 802.1x with Cisco WLC per-user ACLs

RADIUS Based Enforcement.


Also, make sure the vendor Airespace is enabled under your RADIUS dictionary: Administration > Dictionaries > RADIUS.


Contributor II
Posts: 38
Registered: ‎07-28-2014

Re: Clearpass 802.1x with Cisco WLC per-user ACLs

Thanks for the help guys. I managed to get it working by enabling the Airespace vendor in the dictionary and using Radius:Airespace-Interface-Name and Radius:Airespace-ACL-Name.

I also found this Cisco guide very useful:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/71683-dynamicvlan-config.html#WLC
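As an added illustration of what the working configuration above actually puts on the wire (example code written for this thread, not anything from ClearPass or Cisco): the two attributes are RFC 2865 Vendor-Specific attributes (type 26) carrying the Airespace enterprise number 14179, with Airespace-Interface-Name as vendor sub-type 5 and Airespace-ACL-Name as vendor sub-type 6, both as strings. The snippet encodes them for an Access-Accept, decodes them back the way a controller would parse the attribute chain, and refuses to send an ACL name that is not in the set of ACLs configured on the controller, which is the mismatch Victor warns about. The role names and the `ROLE_TO_ACL` mapping are constructed; `mercury` and `Pump_Restricted` are taken from Pete's post.

```python
"""Encode/decode the Airespace vendor-specific RADIUS attributes that a
ClearPass "RADIUS Based Enforcement" profile sends to a Cisco WLC."""
import struct

VENDOR_SPECIFIC = 26           # RFC 2865 attribute type: Vendor-Specific
AIRESPACE_VENDOR_ID = 14179    # IANA enterprise number used by the Airespace dictionary
AIRESPACE_INTERFACE_NAME = 5   # Airespace-Interface-Name (string)
AIRESPACE_ACL_NAME = 6         # Airespace-ACL-Name (string)

# Constructed Tips:Role -> ACL mapping. The ACL name Pump_Restricted comes
# from the thread; the role names are assumptions for this example.
ROLE_TO_ACL = {
    "Employee": "Pump_Restricted",
    "Guest": "Guest_Restricted",
}


def encode_vsa(vendor_id: int, vendor_type: int, value: str) -> bytes:
    """One Vendor-Specific attribute: outer TLV (type 26) wrapping the 4-byte
    vendor id plus an inner vendor-type / vendor-length / string TLV."""
    data = value.encode("utf-8")
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + inner
    if len(body) + 2 > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def build_accept_attributes(role: str, interface_name: str, controller_acls: set) -> bytes:
    """Attribute bytes for an Access-Accept that enforces `role`.

    The ACL name is checked against the ACLs actually configured on the
    controller before it is sent, since the WLC can only apply a name it knows."""
    acl = ROLE_TO_ACL.get(role)
    if acl is None:
        raise KeyError(f"no ACL mapped for role {role!r}")
    if acl not in controller_acls:
        raise ValueError(f"ACL {acl!r} is not configured on the controller")
    return (encode_vsa(AIRESPACE_VENDOR_ID, AIRESPACE_INTERFACE_NAME, interface_name)
            + encode_vsa(AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME, acl))


def decode_vsas(attrs: bytes) -> list:
    """Walk a RADIUS attribute chain and return (vendor_id, vendor_type, value)
    for every Vendor-Specific attribute, rejecting malformed lengths."""
    out = []
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        payload = attrs[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(payload) < 4:
                raise ValueError("vendor-specific attribute missing vendor id")
            vendor_id = struct.unpack("!I", payload[:4])[0]
            inner, ipos = payload[4:], 0
            while ipos < len(inner):
                if len(inner) - ipos < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = inner[ipos], inner[ipos + 1]
                if vlen < 2 or ipos + vlen > len(inner):
                    raise ValueError("bad vendor sub-attribute length")
                out.append((vendor_id, vtype, inner[ipos + 2:ipos + vlen].decode("utf-8")))
                ipos += vlen
        pos += alen
    return out


if __name__ == "__main__":
    attrs = build_accept_attributes("Employee", "mercury", {"Pump_Restricted"})
    print(attrs.hex())
    print(decode_vsas(attrs))
```

The decoded list shows exactly what the controller receives: `(14179, 5, 'mercury')` and `(14179, 6, 'Pump_Restricted')`. If the Airespace vendor is not enabled in the ClearPass dictionary, the profile editor cannot produce these attributes at all, and if AAA Override is off on the WLAN the controller ignores them even when they arrive, so both checks from the thread remain necessary.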
