Hey,
I'm trying to get dACLs working on my wireless controller. We are running 17.12 on the controller and 6.11.1 on ClearPass, so there is support on the WLC for dACLs, and we're in local centralized mode for the APs. I'm trying a very simple permit ip any any in a dACL. On the WLC, I end up with an ACL failure. In the trace logs, this seemed to be the most relevant line:
2024/09/23 11:48:56.237777662 {wncd_x_R0-3}{2}: [errmsg] [20775]: (note): %SESSION_MGR-5-FAIL: R0/3: wncd: Authorization failed or unapplied for client (fa44.d8c8.7fe3) on Interface capwap_90c0008b AuditSessionID 14017C0A0000F20E1F925165. Failure Reason: ACL Failure. Failed attribute name xACSACLx-IP-dACL_Allow_All-3036-4.
In the ClearPass debug logs, it seems that it's sending the proper CiscoSecure-Defined-ACL AVPair, but then I get an error at the end:
2024-09-23 12:44:39,339 | [RequestHandler-1-0x7fd201dee700 r=R0000002c-03-66f19af7 h=1137] ERROR Core.MacAuthSessionQueryEventHandler - Failed to get MacAuth session info for fa44d8c87fe3 |
So to me it doesn't like something about the ACL, or perhaps there's an Insight issue? I tried sending a VLAN enforcement profile along with it, thinking maybe it needs some additional session context information to fill out the user role on the WLC.
Has anyone done this? Any suggestions?
Thanks.
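The two log lines quoted in the post use different MAC notations (dotted on the WLC, bare hex on ClearPass) and different timestamp formats, so the first thing to do with fuller exports is to correlate them by client and time before treating the ClearPass error as the cause of the WLC ACL failure. The following is an added example, not code from the post, from Cisco or from Aruba: a small Python correlator written against exactly those two lines. The regexes, the 120-second default window, the synchronized-clock assumption and the dACL-name check against Cisco's #ACSACL#-IP-<name>-<version> convention are the example's own assumptions. Run on the quoted lines it reports the same client in both logs, the failed attribute name, and a 3343-second gap between the two events, i.e. they are almost an hour apart.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample input: the WLC trace line and the ClearPass log line quoted in
# the post above, each as one line. Real exports contain many more lines.
WLC_TRACE = (
    "2024/09/23 11:48:56.237777662 {wncd_x_R0-3}{2}: [errmsg] [20775]: (note): "
    "%SESSION_MGR-5-FAIL: R0/3: wncd: Authorization failed or unapplied for client "
    "(fa44.d8c8.7fe3) on Interface capwap_90c0008b AuditSessionID "
    "14017C0A0000F20E1F925165. Failure Reason: ACL Failure. "
    "Failed attribute name xACSACLx-IP-dACL_Allow_All-3036-4.\n"
)
CLEARPASS_LOG = (
    "2024-09-23 12:44:39,339 | [RequestHandler-1-0x7fd201dee700 r=R0000002c-03-66f19af7 "
    "h=1137] ERROR Core.MacAuthSessionQueryEventHandler - Failed to get MacAuth session "
    "info for fa44d8c87fe3 |\n"
)

# Regexes written against the two quoted lines; assumptions for any other line shape.
WLC_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+ .*?%SESSION_MGR-5-FAIL: .*?"
    r"client \((?P<mac>[0-9A-Fa-f.:-]+)\) on Interface (?P<iface>\S+) "
    r"AuditSessionID (?P<session>\S+)\. Failure Reason: (?P<reason>[^.]+)\."
    r"(?: Failed attribute name (?P<attr>\S+?)\.?)?\s*$"
)
CPPM_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \| \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*?)\s*\|?\s*$"
)
BARE_MAC_RE = re.compile(r"\b([0-9A-Fa-f]{12})\b")


@dataclass
class WlcFailure:
    ts: datetime
    mac: str
    iface: str
    session: str
    reason: str
    attr: Optional[str]


@dataclass
class CppmEvent:
    ts: datetime
    mac: Optional[str]
    level: str
    logger: str
    msg: str


def normalize_mac(mac: str) -> str:
    """Reduce any MAC notation (fa44.d8c8.7fe3, FA:44:..., fa-44-...) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_wlc_failures(text: str) -> List[WlcFailure]:
    """Extract SESSION_MGR-5-FAIL records from a wncd trace; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = WLC_FAIL_RE.match(line)
        if not m:
            continue
        out.append(WlcFailure(ts=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                              mac=normalize_mac(m["mac"]), iface=m["iface"],
                              session=m["session"], reason=m["reason"], attr=m["attr"]))
    return out


def parse_clearpass_events(text: str) -> List[CppmEvent]:
    """Parse ClearPass log lines; the client MAC is taken from the message body if present."""
    out = []
    for line in text.splitlines():
        m = CPPM_LINE_RE.match(line)
        if not m:
            continue
        mac = BARE_MAC_RE.search(m["msg"])
        out.append(CppmEvent(ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                             mac=mac.group(1).lower() if mac else None,
                             level=m["level"], logger=m["logger"], msg=m["msg"]))
    return out


def parse_dacl_attr(attr: str) -> dict:
    """Split a dACL attribute name into server prefix and ACL part.

    Cisco's convention is '#ACSACL#-IP-<acl name>-<version>'. The quoted WLC line shows
    'xACSACLx' where '#' would be expected; the log alone does not tell whether the logger
    rendered '#' as 'x' or the attribute really carried 'x', so this only reports the
    mismatch for the operator to check against a RADIUS packet capture.
    """
    prefix, sep, acl = attr.partition("-IP-")
    return {"prefix": prefix, "acl": acl if sep else None, "prefix_ok": prefix == "#ACSACL#"}


def correlate(wlc_text: str, cppm_text: str, window_seconds: int = 120) -> List[dict]:
    """Pair each WLC authorization failure with ClearPass events for the same client.

    Assumes both systems' clocks are synchronized (neither line carries a timezone).
    """
    events = parse_clearpass_events(cppm_text)
    pairs = []
    for fail in parse_wlc_failures(wlc_text):
        for ev in events:
            if ev.mac != fail.mac:
                continue
            delta = int(abs((ev.ts - fail.ts).total_seconds()))
            pairs.append({"mac": fail.mac, "session": fail.session, "reason": fail.reason,
                          "attr": fail.attr,
                          "dacl": parse_dacl_attr(fail.attr) if fail.attr else None,
                          "clearpass_msg": ev.msg, "delta_seconds": delta,
                          "within_window": delta <= window_seconds})
    return pairs


if __name__ == "__main__":
    for pair in correlate(WLC_TRACE, CLEARPASS_LOG):
        print(pair)
```

Feed it the full wncd trace and the ClearPass export for the same test window rather than single lines; a match with within_window False, as for the two quoted lines, says the events are not from the same attempt (or the clocks differ), and a prefix_ok of False is the cue to confirm in a capture what the CiscoSecure-Defined-ACL AVPair actually carried.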