Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Downloadable ACL with Cisco WLC

  • 1.  Downloadable ACL with Cisco WLC

    Posted Mar 01, 2014 01:42 AM

    Hi,

    I am trying to configure a downloadable ACL on a Cisco WLC (7.4 OS). I have configured an enforcement profile on CPPM to return access control rules directly to the controller. When the user authenticates, CPPM is able to apply that particular enforcement profile and it sends the ACL details to the WLC (as shown in Access Tracker), but on the controller the show client command shows that there is no ACL mapped to that user. The user gets access irrespective of the returned ACL.

    The second option I tried: I created an ACL Test-ACL on the controller, and CPPM returns the attribute under Cisco:Radius Cisco AV pair and url-redirect-acl as "Test-ACL".

    Neither option is working. VLAN enforcement is working fine for the WLC, which means the AAA configuration on the WLC seems fine.

    Does anybody have a configuration doc for CPPM-Wireless Controller DACL config?



  • 2.  RE: Downloadable ACL with Cisco WLC

    EMPLOYEE
    Posted Mar 01, 2014 02:00 AM

    Can you add a screen shot of your enforcement profile and your DACL that you are pushing?

    Some versions of Cisco IOS require different formatting of the DACL.

    Make sure you are also pushing the VLAN with the DACL.

    Here are a couple of samples of my wired 3750 DACL and ACL.

    [two attached screenshots, not reproduced]



  • 3.  RE: Downloadable ACL with Cisco WLC

    Posted Mar 01, 2014 02:07 AM

    Hi Troy,

    Currently I have no access to CPPM, hence I can't share the screenshots, but the enforcement profiles are:

    test 1: it returns Cisco-IP-Downloadable-ACL value as "deny ip any any" <just replaced the example acl permit ip any any>

    test 2: returned only url-redirect-acl value as ACL name <no redirect link supplied, no vlan returned>

    Is any additional config required for the WLC compared to a switch?



  • 4.  RE: Downloadable ACL with Cisco WLC

    EMPLOYEE
    Posted Mar 01, 2014 02:13 AM

    It's been a while since I did a WLC, but I believe you must return a VLAN along with the DACL or ACL.

    [attached screenshot, not reproduced]



  • 5.  RE: Downloadable ACL with Cisco WLC

    Posted Mar 08, 2014 09:43 AM

    The ACL thing worked :smileyhappy: It's not a downloadable ACL, but there is a pre-configured ACL on the WLC and CPPM is returning a value for the attribute Airespace-ACL-Name = <pre-configured-acls-name>

    And we need to enable the Radius:Airespace attributes from Administration > Dictionaries > RADIUS.

    - Harshad.



  • 6.  RE: Downloadable ACL with Cisco WLC

    Posted Nov 12, 2014 09:29 AM

    Hi all!

    I have the same problem, but I'm not able to fix it.

    I have an SSID in the WLC with MAC filtering and RADIUS. The RADIUS is configured with MAB. I want to pass two RADIUS attributes to the client, URL redirect and ACL. Once the client is redirected to the URL (captive portal) and clicks submit, I want to send a CoA to the WLC in order to change the ACL for this user and permit all the traffic.

    I'm testing with radtest software in order to send the CoA to the WLC.

    In the WLC with debug aaa all enable I see the following message:

    Invalid attributes received in 'RFC-3576 CoA-Request'

    I've tried with the Airespace-ACL attribute and Cisco-AvPair.

    I'm using calling-station-id (MAC address of the client) and the ACL change attribute but always receive the same message.

    Please, can anybody help me? It is a very urgent matter!

    Thanks in advance!



  • 7.  RE: Downloadable ACL with Cisco WLC

    Posted Nov 12, 2014 09:44 AM

    Please share the enforcement policy and your L2/L3 config on your Cisco WLC.



  • 8.  RE: Downloadable ACL with Cisco WLC

    Posted Nov 12, 2014 09:51 AM

    Thanks for your reply!

    The first part of my problem is fixed: RADIUS authenticates the user and passes the URL and ACL. Now I only want to know what attribute I have to send to the WLC in the CoA in order to change the user to another ACL.

    The user who opened the post said that he used the Airespace ACL name, but when I tried, I got the same message, so I guess it is a problem of the format of the CoA.



  • 9.  RE: Downloadable ACL with Cisco WLC

    Posted Nov 12, 2014 10:00 AM

    All you need to do is use an enforcement profile with the following:

    The Tunnel-Private-Group-Id is the VLAN you will be sending.

    [attached screenshot: ClearPass Policy Manager enforcement profile, not reproduced]



  • 10.  RE: Downloadable ACL with Cisco WLC

    Posted Nov 12, 2014 10:06 AM

    Hi, thanks Victor.

    I think we are talking about different things.

    My problem is to find a valid attribute in the CoA in order to change the ACL for a particular user. The user is already associated to the SSID, but I want to manually send a CoA to the WLC and change the ACL.

    I don't want to change VLAN etc.

    Thanks for your help!



  • 11.  RE: Downloadable ACL with Cisco WLC

    Posted Nov 12, 2014 10:23 AM
    Maybe we need to clarify what the purpose of using the CoA is?

    Is this for Guest Captive Portal using MAC Filtering?



  • 12.  RE: Downloadable ACL with Cisco WLC

    Posted Nov 12, 2014 10:49 AM

    The scenario is this:

    client - WLC - RADIUS - captive portal

    The client connects to the SSID, the WLC sends an authentication request to RADIUS, RADIUS authenticates every user because it is MAB, and includes the ACL and URL-REDIRECT parameters in the ACCESS-ACCEPT. The client is redirected to the CAPTIVE PORTAL; once they click on accept terms and conditions, this action sends a CoA to the WLC in order to change the ACL for the client, to an ACL with permit all.

    This is because I need DNS-based ACLs in the WLC. It is a Cisco bug: they only accept URLs in the ACL instead of IP addresses when this ACL is a RADIUS attribute; if you apply the ACL directly, only IP addresses are supported in the ACL. So if I want to permit login with Facebook, I can't open all Facebook ranges and Akamai, so my only option is to use RADIUS, only to pass these two attributes, ACL and URL, and once the client clicks on submit or login with Facebook, I will write a script to send the CoA to the WLC and change the ACL in order to permit all the traffic to the internet.



  • 13.  RE: Downloadable ACL with Cisco WLC

    Posted Nov 12, 2014 11:00 AM

    Do you have this enabled:

    [two attached screenshots: ClearPass Policy Manager settings, not reproduced]



  • 14.  RE: Downloadable ACL with Cisco WLC

    Posted Nov 13, 2014 07:49 AM

    Yes, I have.

    The problem was the WLC only accepts this kind of CoA on port 1700. I don't know why.

    Anyway, I'm not able to change the client ACL; when I send the CoA, the WLC asks the RADIUS once again for this client (reauthenticate).

    But maybe it could work for what I want to do.

    If anybody knows if I can change the client ACL by sending a CoA, please let me know.

    Thanks

    Regards!
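
The CoA exchange this thread is working towards, as an added example (not code from the thread, from ClearPass or from Cisco): it builds an RFC 5176 CoA-Request that carries only Calling-Station-Id and the Airespace-ACL-Name vendor attribute (vendor ID 14179, sub-attribute 6, from the public Airespace RADIUS dictionary), computes the Request Authenticator, and adds a verifier a defender can run against a captured CoA to confirm it was signed with the expected shared secret. The WLC address, shared secret, client MAC and ACL name are caller-supplied placeholders, the MAC is assumed to be in whatever form the WLC itself reports in Calling-Station-Id, and UDP 1700 is the port the thread found the WLC listening on.

```python
import hashlib
import socket
import struct

# RFC 5176 codes and attribute numbers used in this thread; secret/MAC/ACL values are caller-supplied placeholders
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
VENDOR_AIRESPACE = 14179      # Cisco/Airespace vendor ID
AIRESPACE_ACL_NAME = 6        # sub-attribute number in the Airespace dictionary
CISCO_WLC_COA_PORT = 1700     # port the WLC accepted CoA on in this thread (RFC default is 3799)

def avp(attr_type, value):
    """Encode one RADIUS attribute as type, length, value (RFC 2865 section 5)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute carrying one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)

def build_coa_request(secret, identifier, client_mac, acl_name):
    """CoA-Request carrying only Calling-Station-Id and Airespace-ACL-Name.
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret),
    RFC 5176 section 2.3; the optional Message-Authenticator is not added here."""
    attrs = (avp(ATTR_CALLING_STATION_ID, client_mac.encode())
             + vsa(VENDOR_AIRESPACE, AIRESPACE_ACL_NAME, acl_name.encode()))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_coa_request(secret, packet):
    """Recompute the Request Authenticator, as the WLC does before acting on a CoA."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return packet[4:20] == expected

def send_coa(wlc_ip, secret, client_mac, acl_name, timeout=3.0):
    """Send the request on UDP 1700 and report CoA-ACK, CoA-NAK or no answer."""
    packet = build_coa_request(secret, 1, client_mac, acl_name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (wlc_ip, CISCO_WLC_COA_PORT))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "no response"
    return {COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK"}.get(reply[0], "unexpected code %d" % reply[0])
```

A CoA-NAK with Error-Cause, or the "Invalid attributes received" debug line quoted earlier in the thread, means the WLC parsed the packet but rejected its contents; an authenticator mismatch is silently dropped, which is why checking the shared secret with verify_coa_request first saves time.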



  • 15.  RE: Downloadable ACL with Cisco WLC

    Posted Nov 13, 2014 07:55 AM
    If you have another ACL, just send that ACL using the AVPair attribute in the RADIUS response.


  • 16.  RE: Downloadable ACL with Cisco WLC

    Posted Nov 13, 2014 09:24 AM

    [attached screenshot: "Per User ACL with Wireless LAN Controllers and Cisco Secure ACS Configuration Ex" (title truncated in the filename), not reproduced]

    [attached screenshot: ClearPass Policy Manager, not reproduced]