Security

Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Downloadable ACL with Cisco WLC

 

Hi ,

 

I am trying to configure downloadable ACL on Cisco WLC (7.4 OS). I have configured an enforcement profile on CPPM to return access control rules directly to the Controller. When the user authenticates, CPPM is able to apply that particular enforcement profile and it sends the ACL details to the WLC (as shown in Access Tracker), but on the controller the show client command shows that there is no ACL mapped to that user. The user gets access irrespective of the returned ACL.

The second option I tried: I created an ACL Test-ACL on the Controller and CPPM returns the attribute under Cisco:Radius Cisco AV pair and url-redirect-acl as "Test-ACL".

Both options are not working. VLAN enforcement is working fine for the WLC, which means the AAA configuration on the WLC seems fine.

 

Does anybody have a configuration doc for CPPM-Wireless Controller DACL config?

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Downloadable ACL with Cisco WLC

Can you add a screen shot of your enforcement profile and your DACL that you are pushing?

 

Some versions of Cisco IOS require different formatting of the DACL.

Make sure you are also pushing the VLAN with the DACL.

 

Here are a couple of samples of my wired 3750 DACL and ACL:

 

[Attachment: screenshot_02 Mar. 01 00.57.gif]

 

[Attachment: screenshot_03 Mar. 01 00.58.gif]

 

 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: Downloadable ACL with Cisco WLC

 Hi Troy,

 

Currently I have no access to CPPM, hence I can't share the screenshots, but the enforcement profiles are:

test 1: it returns Cisco-IP-Downloadable-ACL value as "deny ip any any" <just replaced the example ACL permit ip any any>

test 2: returned only url-redirect-acl value as ACL name <no redirect link supplied, no VLAN returned>

 

Is any additional config required for the WLC compared to a switch?

 

 

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Downloadable ACL with Cisco WLC

It's been a while since I did a WLC, but I believe you must return a VLAN along with the DACL or ACL.

 

[Attachment: screenshot_01 Mar. 01 01.10.gif]

Thank You,
Troy

Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: Downloadable ACL with Cisco WLC

 

The ACL thing worked :smileyhappy: It's not a downloadable ACL, but there is a pre-configured ACL on the WLC and CPPM is returning a value for the attribute Radius:Airespace Airespace-ACL-Name = <pre-configured-acl-name>.

 

And we need to enable the Radius:Airespace attributes from Administration > Dictionaries > RADIUS.

 

- Harshad.

Occasional Contributor II
Posts: 37
Registered: ‎01-03-2012

Re: Downloadable ACL with Cisco WLC


Hi all!

 

I have the same problem, but I'm not able to fix it.

 

I have an SSID on the WLC with MAC filtering and RADIUS. The RADIUS is configured with MAB. I want to pass two RADIUS attributes to the client, URL redirect and ACL. Once the client is redirected to the URL (captive portal) and clicks submit, I want to send a CoA to the WLC in order to change the ACL for this user and permit all the traffic.

 

I'm testing with the radtest software in order to send CoA to the WLC.

 

On the WLC with debug aaa all enable I see the following message:

 

Invalid attributes received in 'RFC-3576 CoA-Request'

 

I've tried with the Airespace-ACL attribute and Cisco-AvPair.

 

I'm using Calling-Station-Id (MAC address of the client) and the ACL change attribute, but I always receive the same message.

 

Please, can anybody help me? It is a very urgent matter!

 

Thanks in advance!

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: Downloadable ACL with Cisco WLC

Please share the enforcement policy and your L2/L3 config on your Cisco WLC.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 37
Registered: ‎01-03-2012

Re: Downloadable ACL with Cisco WLC

Thanks for your reply!

 

The first part of my problem is fixed: RADIUS authenticates the user and passes the URL and ACL. Now I only want to know what attribute I have to send to the WLC in the CoA in order to change the user to another ACL.

 

The user who opened the post said that he used the Airespace ACL name, but when I tried, I got the same message, so I guess it is a problem with the format of the CoA.

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: Downloadable ACL with Cisco WLC

All you need to do is use an enforcement profile with the following:

The Tunnel-Private-Group-Id is the VLAN you will be sending.

[Attachment: 2014-11-12 09_58_31-ClearPass Policy Manager - Aruba Networks.png]

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 37
Registered: ‎01-03-2012

Re: Downloadable ACL with Cisco WLC

Hi, thanks Victor.

 

I think we are talking about different things.

 

My problem is to find a valid attribute in the CoA in order to change the ACL for a particular user. The user is already associated to the SSID, but I want to manually send a CoA to the WLC and change the ACL.

 

I don't want to change the VLAN etc.

 

Thanks for your help!
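As an added example (not code from this thread, from Aruba or from Cisco), the Python below builds the RFC 5176 CoA-Request the last posts are after, keyed on Calling-Station-Id and carrying the Airespace-ACL-Name VSA (vendor 14179, type 6) that the earlier reply used at authorization time, and then checks the packet the way a NAS does before it would act on it. The shared secret, the MAC string and the ACL name are constructed values; that the WLC wants the MAC in exactly this format and that the named ACL already exists on the controller are assumptions to confirm against the debug aaa output.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43             # RFC 5176 CoA-Request packet code
ATTR_CALLING_STATION_ID = 31
ATTR_VENDOR_SPECIFIC = 26
AIRESPACE_VENDOR_ID = 14179  # Airespace (Cisco WLC) vendor ID
AIRESPACE_ACL_NAME = 6       # VSA type of Airespace-ACL-Name

def attr(atype, value):
    # One RADIUS attribute as Type, Length, Value; Length is one octet, so value <= 253
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def airespace_acl_name(name):
    """Vendor-Specific (26) carrying vendor 14179 and the Airespace-ACL-Name sub-attribute."""
    vsa = struct.pack("!BB", AIRESPACE_ACL_NAME, len(name) + 2) + name.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", AIRESPACE_VENDOR_ID) + vsa)

def build_coa_request(identifier, secret, client_mac, acl_name):
    """CoA-Request keyed on Calling-Station-Id that names a pre-configured WLC ACL (constructed input)."""
    attrs = attr(ATTR_CALLING_STATION_ID, client_mac.encode()) + airespace_acl_name(acl_name)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 2.3: Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_attributes(attrs):
    """Walk the TLV list and return [(type, value)], rejecting malformed lengths."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = attrs[i], attrs[i + 1]
        out.append((atype, attrs[i + 2:i + alen]))
        i += alen
    return out

def verify_coa_request(packet, secret):
    """What the NAS does on receipt: check code, length and authenticator, then decode attributes."""
    if len(packet) < 20 or packet[0] != COA_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad code or length field")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch: wrong shared secret or tampered packet")
    return parse_attributes(attrs)
```

Comparing the bytes this produces with a capture of what radtest sends (attribute types, the vendor ID inside type 26, and whether the authenticator validates under the controller's secret) narrows down which of those the WLC is rejecting as "invalid attributes".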
