Wireless Access


How is an Access list tied to a SSID

Hi All

I am having issues with some traffic not being able to access a server from a certain SSID. This SSID is bridging locally from the AP.

When I do a show datapath session I can see it is allowed; however, the flag for destination NAT is shown. Why would this be?

Also, what ties the access list to the SSID? Where is this done?

cheers

 

Re: How is an Access list tied to a SSID

 

 

The ACL is tied to the particular role the user/device is assigned.

The role can be assigned either from the AAA Profile the VAP/SSID has assigned, or it can be sent in a RADIUS response if you are using a RADIUS server.

 

From the CLI you can verify the role and how the role is getting applied by running the command:
show user ip <IP ADDRESS>

Name: vfabian, IP: 192.168.1.200, MAC: 00:11:22:33:44:55, Age: 00:01:01

Role: FULL-ACCESS-ROLE (how: ROLE_DERIVATION_DOT1X_VSA), ACL: 118/0

Authentication: Yes, status: started, method: 802.1x, protocol: EAP-PEAP, server: CPPM-SERVER-1

Authentication Servers: dot1x authserver: CPPM-SERVER-1, mac authserver:

 

Role Derivation: ROLE_DERIVATION_DOT1X_VSA

VLAN Derivation: Default VLAN

 

Once you determine the role, you can then do a show rights <ROLE NAME> to see what ACLs are getting applied to the user role.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
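
The verification steps in the reply above can be scripted when many clients need checking. This is an added example, not part of the original thread or any vendor tooling: it parses the `show user ip` entry quoted in the reply and returns the role, how it was derived, and the ACL. The function names are hypothetical, and treating a derivation name ending in `_VSA` as "role sent in the RADIUS response" is an assumption.

```python
import re

# Sample entry copied from the reply's own `show user ip` output.
SAMPLE = """\
Name: vfabian, IP: 192.168.1.200, MAC: 00:11:22:33:44:55, Age: 00:01:01

Role: FULL-ACCESS-ROLE (how: ROLE_DERIVATION_DOT1X_VSA), ACL: 118/0

Authentication: Yes, status: started, method: 802.1x, protocol: EAP-PEAP, server: CPPM-SERVER-1

Role Derivation: ROLE_DERIVATION_DOT1X_VSA
"""

# One pattern per line of interest; re.M lets ^ match at every line start.
PATTERNS = (
    re.compile(r"^Name:\s*(?P<name>[^,]*),\s*IP:\s*(?P<ip>[^,]+),\s*MAC:\s*(?P<mac>[^,\s]+)", re.M),
    re.compile(r"^Role:\s*(?P<role>\S+)\s*\(how:\s*(?P<how>[^)]+)\),\s*ACL:\s*(?P<acl>\S+)", re.M),
    re.compile(r"^Authentication:\s*(?P<authenticated>\w+).*?method:\s*(?P<method>[^,]+)"
               r".*?server:\s*(?P<server>\S+)", re.M),
)

def parse_user_entry(text):
    """Extract identity, role, derivation and ACL fields from one entry."""
    entry = {}
    for pattern in PATTERNS:
        match = pattern.search(text)
        if match:
            entry.update({k: v.strip() for k, v in match.groupdict().items()})
    if "role" not in entry:
        raise ValueError("no 'Role: <name> (how: <derivation>), ACL: <n>' line found")
    return entry

def role_came_from_radius(entry):
    # Assumption: a derivation name ending in _VSA means the role arrived in the
    # RADIUS response; anything else was assigned another way, e.g. the AAA profile.
    return entry["how"].endswith("_VSA")

def next_command(entry):
    """The follow-up check the reply recommends: list the ACLs bound to the role."""
    return f"show rights {entry['role']}"

if __name__ == "__main__":
    e = parse_user_entry(SAMPLE)
    print(e["ip"], e["role"], e["how"], e["acl"], role_came_from_radius(e))
    print(next_command(e))
```
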