11-17-2015 01:09 AM
I am having issues with some traffic not being able to access a server from a certain SSID. This SSID is bridging locally from the AP.
When I do a show datapath session I can see it is allowed, however the flag for destination NAT is shown. Why would this be?
Also, what ties the access list to the SSID? Where is this done?
11-17-2015 01:55 AM
The ACL is tied to the particular role the user/device is assigned.
The role can be assigned either from the AAA Profile the VAP/SSID has assigned, or it can be sent in a RADIUS response if you are using a RADIUS server.
From CLI you can verify the role and how the role is getting applied by running the command:
show user ip <IP ADDRESS>
Name: vfabian, IP: 192.168.1.200, MAC: 00:11:22:33:44:55, Age: 00:01:01
Role: FULL-ACCESS-ROLE (how: ROLE_DERIVATION_DOT1X_VSA), ACL: 118/0
Authentication: Yes, status: started, method: 802.1x, protocol: EAP-PEAP, server: CPPM-SERVER-1
Authentication Servers: dot1x authserver: CPPM-SERVER-1, mac authserver:
Role Derivation: ROLE_DERIVATION_DOT1X_VSA
VLAN Derivation: Default VLAN
Once you determine the role you can then do a show rights <ROLE NAME> to see what ACLs are getting applied to the user-role.
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
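The check described in the answer above, as an added example that is not from the original thread or from ArubaOS: a small parser for the show user ip output shown in the reply that pulls out the role, how it was derived and the ACL number, and builds the follow-up show rights command. The sample output is the reply's own example; treating a derivation name containing "VSA" as "role came from RADIUS" is an assumption of this example.

```python
import re

# Constructed sample: the `show user ip` output quoted in the reply above
# (example values from the post, not a real host).
SAMPLE_OUTPUT = """\
Name: vfabian, IP: 192.168.1.200, MAC: 00:11:22:33:44:55, Age: 00:01:01
Role: FULL-ACCESS-ROLE (how: ROLE_DERIVATION_DOT1X_VSA), ACL: 118/0
Authentication: Yes, status: started, method: 802.1x, protocol: EAP-PEAP, server: CPPM-SERVER-1
Authentication Servers: dot1x authserver: CPPM-SERVER-1, mac authserver:
Role Derivation: ROLE_DERIVATION_DOT1X_VSA
VLAN Derivation: Default VLAN
"""

# "Role:" line: role name, derivation method in parentheses, ACL id.
ROLE_RE = re.compile(
    r"^Role:\s*(?P<role>\S+)\s*\(how:\s*(?P<how>[^)]+)\),\s*ACL:\s*(?P<acl>\S+)", re.M)
# "Authentication:" line: result, method and the server that answered.
AUTH_RE = re.compile(
    r"^Authentication:\s*(?P<auth>\w+),.*?method:\s*(?P<method>[^,]+),.*?server:\s*(?P<server>\S+)", re.M)
# "Name:" line: user, IP and MAC.
IDENT_RE = re.compile(
    r"^Name:\s*(?P<name>[^,]+),\s*IP:\s*(?P<ip>[^,]+),\s*MAC:\s*(?P<mac>[^,]+)", re.M)


def parse_show_user_ip(text):
    """Return the fields the reply says to check; raise if no Role line is present."""
    m = ROLE_RE.search(text)
    if m is None:
        raise ValueError("no 'Role:' line found; the client may not be in the user table")
    info = {"role": m["role"], "how": m["how"], "acl": m["acl"]}
    ident = IDENT_RE.search(text)
    if ident:
        info.update(ident.groupdict())
    auth = AUTH_RE.search(text)
    if auth:
        info.update(auth.groupdict())
    # Assumption (not from the post): a derivation name containing "VSA" means the
    # role was sent by RADIUS rather than taken from the VAP's AAA profile default.
    info["role_source"] = "radius-vsa" if "VSA" in info["how"] else "aaa-profile-or-other"
    # Next step from the reply: inspect the ACLs attached to that role.
    info["next_command"] = f"show rights {info['role']}"
    return info


if __name__ == "__main__":
    for key, value in parse_show_user_ip(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```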