Blacklisting Wireless Devices
To enforce the blacklist permissions, an authorization rule is defined under Policy > Authorization. Figure 22-2 shows the Wireless Black List Default rule enforcing the Blackhole WiFi Access permissions.
Figure 22-2 Wireless Black List Default Authorization Rule
The Blackhole WiFi Access authorization profile is configured under Policy > Policy Elements > Results > Authorization Profiles, as shown in Figure 22-3. The Access Type is defined as ACCESS_ACCEPT and the following cisco-av-pairs are defined:
- cisco-av-pair: url-redirect=https://ip:port/blackhole/blackhole.jsp. The user gets redirected to this page when a device is in the Blacklist identity group.
- cisco-av-pair: url-redirect-acl=ACL_BLACKHOLE_Redirect. The Wireless LAN Controller must have an ACL named ACL_BLACKHOLE_Redirect configured for the redirection to work at the campus and a FlexConnect ACL at the branch with the same name.
This authorization profile only allows access to the ISE “Unauthorized Network Access” page to inform the user that access to the network has been denied for that device.
Figure 22-3 Blackhole WiFi Access Authorization Profile
The behavior of the two ACLs in the authorization profile is slightly different between CUWN wireless controllers, such as the CT5508 and Flex 7500, and IOS XE based controllers such as the CT5760 and Catalyst 3850. For CUWN wireless controllers, ACL_BLACKHOLE_Redirect functions as both the ACL which controls web redirection, as well as the ACL which controls what the wireless client is allowed to access on the network.
Figure 22-4 shows how the ACL_BLACKHOLE_Redirect access list is defined in a CUWN WLC to only allow access to the ISE and DNS server. By granting access to DNS and ISE, the endpoint is able to reach the blackhole.jsp web page hosted at the ISE.
Figure 22-4 ACL_BLACKHOLE_Redirect ACL
The ACL specifies the following access:
- Allow IP access to and from the DNS server (10.230.1.45).
- Allow IP access to and from the ISE Server (10.225.49.15).
- Deny access to and from all other addresses.
Note: ACL_BLACKHOLE serves simply as an extra security configuration. CUWN wireless controllers do not make use of this ACL when URL redirection is specified. For CUWN wireless controllers, the ACL_BLACKHOLE ACL can be the same as the ACL_BLACKHOLE_Redirect ACL.
Note: The ACL behavior has changed in version 7.5+ of the Wireless LAN Controller. The presence of an Airespace ACL Name in the authorization profile affects the webauth redirect functionality for access points operating in FlexConnect mode.
For FlexConnect deployments, the ACL_Provisioning Airespace ACL must be removed from the configuration. This implies that two independent authorization profiles are needed for provisioning: one for FlexConnect and CUWN wireless controllers and another one for Converged Access wireless controllers.
Refer to Appendix E, “Airespace ACLs in WLC 7.5+” for sample configurations.
For endpoints connecting to the branch, a similar FlexConnect ACL is defined and applied to the FlexConnect Group. Figure 22-5 shows the ACL_BLACKHOLE_Redirect FlexConnect ACL. This ACL is similar to the one used for campus devices, shown above, but defined under Security > Access Control Lists > FlexConnect ACLs.
Figure 22-5 ACL_BLACKHOLE_Redirect FlexConnect ACL
To apply this FlexConnect ACL at the branch, select the appropriate FlexConnect Group and click the Policies tab. Add the ACL_BLACKHOLE_Redirect ACL, as shown in Figure 22-6.
Figure 22-6 Policies for Branch1
On converged access products, namely the CT5760 wireless controller or Catalyst 3850 Series switches, both the ACL_BLACKHOLE_Redirect and ACL_BLACKHOLE ACLs must be configured. An example of the ACL_BLACKHOLE_Redirect ACL is shown below.
ip access-list extended ACL_BLACKHOLE_Redirect
 remark Blacklisting Redirection ACL
 deny udp any eq bootpc any eq bootps
 deny udp any host 10.230.1.45 eq domain
 deny ip any host 10.225.49.15
 remark Remaining traffic is matched for redirection (an IOS ACL otherwise ends in an implicit deny)
 permit ip any any
The above ACL specifies the following access:
- Deny DHCP access (bootpc and bootps).
- Deny IP access to and from the DNS server (10.230.1.45).
- Deny IP access to and from the ISE server (10.225.49.15).
- Allow (redirect) all other IP access.
The ACL above causes any web traffic (HTTP or HTTPS) from any source to any destination to be redirected to the blacklisted devices web page within the Cisco ISE.
The authorization profile also applies a second, RADIUS-specified local ACL (ACL_BLACKHOLE) across the WLAN for network access. The CT5760 and Catalyst 3850 design uses named ACLs. The name of the ACL is sent from the ISE to the Catalyst 3850 Series switch or the CT5760 wireless controller via the RADIUS Airespace-ACL-Name attribute-value pair within the Airespace dictionary. The specific form for the example is as follows:
Airespace-ACL-Name = ACL_BLACKHOLE
The WLAN access-control ACL (ACL_BLACKHOLE) determines what traffic is allowed on the WLAN by the Catalyst 3850 Series switch or the CT5760 wireless LAN controller. An example of the ACL_BLACKHOLE ACL is shown below.
ip access-list extended ACL_BLACKHOLE
 remark Blacklisting Access Control ACL
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.230.1.45 eq domain
 permit ip any host 10.225.49.15
The above access-list specifies the following access:
- Allow DHCP access (bootpc and bootps).
- Allow IP access to and from the DNS server (10.230.1.45).
- Allow IP access to and from the ISE server (10.225.49.15).
- Implicitly deny all other IP access.
The ACL above allows traffic from any source to the blacklisted devices webpage within the Cisco ISE.
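To see what the two converged-access ACLs above do to a blacklisted client's traffic, here is an added Python evaluator (not part of the design guide) that parses both ACLs and classifies a few constructed flows. It assumes IOS first-match semantics with an implicit deny, that the redirect ACL is consulted first and only for HTTP/HTTPS, and that the redirect ACL ends with the permit entry described by the bullet "Allow (redirect) all other IP access".

```python
from collections import namedtuple

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}
# ACL text from the page; the final permit is assumed, implied by the bullet "Allow (redirect) all other IP access".
REDIRECT_ACL = """deny udp any eq bootpc any eq bootps
deny udp any host 10.230.1.45 eq domain
deny ip any host 10.225.49.15
permit ip any any"""
ACCESS_ACL = """permit udp any eq bootpc any eq bootps
permit udp any host 10.230.1.45 eq domain
permit ip any host 10.225.49.15"""
Flow = namedtuple("Flow", "proto src sport dst dport")  # proto is "tcp" or "udp"

def parse_ace(line):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P]' where SRC/DST is any | host A."""
    t = line.split()
    action, proto, rest = t[0], t[1], t[2:]
    def endpoint():
        addr = rest.pop(1) if rest[0] == "host" else None  # None matches any address
        rest.pop(0)
        port = PORT_NAMES.get(rest[1]) or int(rest[1]) if rest[:1] == ["eq"] else None
        del rest[:2 if port else 0]
        return addr, port  # port None matches any port
    return action, proto, endpoint(), endpoint()

def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]
def lookup(acl, f):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, proto, (sa, sp), (da, dp) in acl:
        if (proto in ("ip", f.proto) and sa in (None, f.src) and sp in (None, f.sport)
                and da in (None, f.dst) and dp in (None, f.dport)):
            return action
    return "deny"
def decide(f, redirect_acl, access_acl):
    """Assumed order (not stated on the page): web flows the redirect ACL permits are
    intercepted and sent to the ISE page; everything else is judged by the access ACL."""
    if f.proto == "tcp" and f.dport in (80, 443) and lookup(redirect_acl, f) == "permit":
        return "redirect"
    return "forward" if lookup(access_acl, f) == "permit" else "drop"
# Constructed flows from a blacklisted client 10.10.10.5; 203.0.113.10 is a documentation address.
SAMPLE_FLOWS = {
    "dhcp": Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns": Flow("udp", "10.10.10.5", 51000, "10.230.1.45", 53),
    "ise_https": Flow("tcp", "10.10.10.5", 51001, "10.225.49.15", 443),
    "web_https": Flow("tcp", "10.10.10.5", 51002, "203.0.113.10", 443),
    "ssh": Flow("tcp", "10.10.10.5", 51003, "10.1.1.1", 22),
}
def evaluate_all():
    redirect, access = parse_acl(REDIRECT_ACL), parse_acl(ACCESS_ACL)
    return {name: decide(f, redirect, access) for name, f in SAMPLE_FLOWS.items()}
```

Running evaluate_all() shows DHCP, DNS and ISE traffic forwarded, any other web request redirected to the blackhole page, and all remaining traffic dropped.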
Once a device is in the Blacklist identity group, future attempts to connect to the network are denied. When a user opens a web browser on a blacklisted device, the session is redirected to the page shown in Figure 22-7.
Figure 22-7 Unauthorized Network Access
Figure 22-8 shows how a device in the Blacklist attempts to connect to the network and how the Blackhole WiFi Access authorization profile is applied.
Figure 22-8 Device in Blacklist Identity Group
Blacklisting Wired Devices
The user experience when a wired device is blacklisted is similar to that of a blacklisted wireless device. The ISE authorization policy rule for blacklisting on-boarded wired devices is the same for devices connected via Converged Access products and other Catalyst switches for BYOD. When a device is blacklisted and the user attempts to access any web page, the device is redirected to the portal that lets the user know that the device has been identified as lost. The following steps show how to implement this behavior:
Step 1 Create an ACL_BLACKHOLE downloadable ACL (DACL) that only allows access to the ISE.
Step 2 Create a URL Redirect ACL called ACL_BLACKHOLE_Redirect on the access layer switch that matches any HTTP or HTTPS traffic.
Step 3 Create a Blackhole Wired Access authorization profile that pushes the DACL and redirect-link to the switch.
Step 4 Define a new rule in the Authorization policy that matches on the blacklisted devices and assigns the authorization profile Blackhole Wired Access.