Cisco Bring Your Own Device (BYOD) CVD
Airespace ACLs in WLC 7.5+
Airespace ACLs in WLC 7.5+

Revised: July 11, 2014

What’s New: This is a new appendix that describes a new behavior found in version 7.5+ of the Wireless LAN Controllers and provides alternate ways to enforce ACLs in different deployments.

The ACL behavior in version 7.5+ of the Wireless LAN Controller has changed. The presence of an Airespace ACL Name in the authorization profile affects the webauth redirect functionality for access points operating in FlexConnect mode.

Prior to WLC version 7.5, a single rule was used to on-board devices connecting from multiple locations, such as Campus, FlexConnect, or Converged Access. For example, Figure E-1 shows the original Wireless CWA authorization profile used in dual SSID configurations to redirect devices to the Self-Registration portal.

Figure E-1 Wireless CWA Authorization Profile

 

For FlexConnect deployments, the ACL_Provisioning Airespace ACL must be removed from the configuration. This means that two independent authorization profiles are needed for provisioning: one for FlexConnect and CUWN wireless controllers and another for Converged Access wireless controllers.


Note: The change in behavior between 7.4 and 7.5 for the Airespace ACL on FlexConnect APs is documented in CSCuc72705 - NineHills feature, FlexConnnect Client ACL support from AAA.


Wireless CWA Authorization Profiles for Dual SSID Provisioning

In dual SSID configurations, wireless devices get redirected to the Self-Registration portal upon connecting to the network. This authorization profile restricts access by triggering the ACL_Provisioning_Redirect access list, which is defined in advance in the Wireless LAN Controller.

Figure E-2 shows the Wireless CWA_CUWN authorization profile, used by CUWN access points, which include FlexConnect access points. Notice that the Airespace ACL Name is no longer used.

Figure E-2 Wireless_CWA_CUWN

 

For devices connecting from access points in a Converged Access environment, the Wireless CWA_Converged authorization profile shown in Figure E-3 is used. Filter-ID is an IETF RADIUS attribute that ISE uses to tell the WLC which named ACL to apply to the session.

Figure E-3 Wireless CWA_Converged

 

Wireless NSP Authorization Profile for Single SSID Provisioning

In single SSID configurations, wireless devices get redirected to the Self-Registration portal upon connecting to the network. This authorization profile restricts access by triggering the ACL_Provisioning_Redirect access list, which is defined in advance in the Wireless LAN Controller. The Wireless NSP authorization profile is used to redirect devices to the Guest portal using the PEAP authentication protocol.

Figure E-4 shows the Wireless NSP_CUWN authorization profile used by CUWN access points, which include FlexConnect access points. Notice that the Airespace ACL Name is no longer used.

Figure E-4 Wireless NSP_CUWN

 

For devices connecting from access points in a Converged Access environment, the Wireless NSP_Converged authorization profile shown in Figure E-5 is used. Filter-ID is an IETF RADIUS attribute that ISE uses to tell the WLC which named ACL to apply to the session.

Figure E-5 Wireless NSP_Converged
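As an added example (not code from the CVD or from Cisco), the following Python script models the CWA and NSP authorization profiles from the two sections above as the RADIUS attribute lists ISE would return, and checks them against the 7.5+ rule: no Airespace-ACL-Name on a CUWN/FlexConnect profile, a Filter-Id on a Converged Access profile, and a url-redirect-acl wherever a redirect URL is sent. The profile contents, ACL values and portal URL are constructed assumptions.

```python
# Added example, not from the Cisco CVD: audit ISE authorization profiles,
# modelled as the RADIUS Access-Accept attributes ISE returns, against the
# WLC 7.5+ behaviour described above. Attribute names are the standard ones
# (Airespace-ACL-Name, Filter-Id, cisco-av-pair); profile contents, ACL names
# and the portal URL are constructed sample data, not an export from a real ISE.

CUWN = "cuwn_flexconnect"      # CUWN controllers, including FlexConnect APs
CONVERGED = "converged_access"  # Converged Access controllers

def audit_profile(name, deployment, attributes):
    """Return findings for one profile; attributes are (name, value) pairs."""
    findings = []
    av_pairs = [v for a, v in attributes if a == "cisco-av-pair"]
    has_airespace_acl = any(a == "Airespace-ACL-Name" for a, _ in attributes)
    has_filter_id = any(a == "Filter-Id" for a, _ in attributes)
    has_redirect = any(v.startswith("url-redirect=") for v in av_pairs)
    has_redirect_acl = any(v.startswith("url-redirect-acl=") for v in av_pairs)
    # A redirect URL without the ACL that selects redirected traffic is incomplete.
    if has_redirect and not has_redirect_acl:
        findings.append(f"{name}: url-redirect set without url-redirect-acl")
    # WLC 7.5+: an Airespace ACL Name breaks the webauth redirect on FlexConnect APs.
    if deployment == CUWN and has_airespace_acl:
        findings.append(f"{name}: Airespace-ACL-Name present; remove it for FlexConnect on 7.5+")
    # Converged Access controllers get the named ACL via Filter-Id instead.
    if deployment == CONVERGED and not has_filter_id:
        findings.append(f"{name}: Converged Access profile carries no Filter-Id")
    return findings

PORTAL = "https://ise.example.com:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa"
REDIRECT = [("cisco-av-pair", "url-redirect-acl=ACL_Provisioning_Redirect"),
            ("cisco-av-pair", "url-redirect=" + PORTAL)]

# Constructed profiles in the shape of Figures E-1 to E-3 (values assumed).
SAMPLE_PROFILES = [
    ("Wireless_CWA_CUWN", CUWN, REDIRECT),
    ("Wireless_CWA_Converged", CONVERGED, REDIRECT + [("Filter-Id", "ACL_Provisioning")]),
    # The pre-7.5 single profile of Figure E-1, still carrying the Airespace ACL.
    ("Wireless_CWA_pre75", CUWN, [("Airespace-ACL-Name", "ACL_Provisioning")] + REDIRECT),
]

def audit_all(profiles=SAMPLE_PROFILES):
    """Map each profile name to its list of findings."""
    return {name: audit_profile(name, dep, attrs) for name, dep, attrs in profiles}
```

Run `audit_all()` against the constructed profiles: the two 7.5+ profiles pass, and only the pre-7.5 profile is flagged for its Airespace ACL Name.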

 

Authorization Policies

Prior to WLC version 7.5, two on-boarding rules were sufficient to cover devices connecting from different locations. These rules, Wireless CWA and Wireless NSP, are shown in Figure 10-33 and Figure 10-36.

The authorization profiles created in the previous sections can be linked to the proper authorization policy. The rules shown in Figure E-6 are dedicated to CUWN/FlexConnect and Converged Access for both single and dual SSID configurations.

Figure E-6 Authorization Policies

 

The behavior is similar for other cases shown in the CVD, such as:

  • Blacklisting wireless devices (e.g., Blackhole WiFi Access)
  • Advanced Use Case and MDM integration (e.g., Internet Until MDM and Quarantine rules)

Those rules need to be divided into separate configurations for CUWN/FlexConnect and Converged Access, each with its respective authorization profiles.

These and other rules affected by the new behavior will be addressed in an upcoming release of the CVD.