Downloadable ACLs
A downloadable ACL is a type of access control list that
-
restricts network access to users or devices based on predefined criteria
-
is specified as a list of Access Control Entries (ACEs), and
-
can be maintained centrally in Cisco ISE and downloaded to controllers.
Supporting reference information
You can easily maintain and update ACLs in Cisco ISE.
Each ACE has a matching condition based on packet header fields:
-
IP addresses
-
ports
-
protocols
-
combination of IP addresses, ports, and protocols
-
Result (permit or deny)
ACLs are applied to each controller on a per-wireless-client basis.
Typically, you can configure ACLs in a controller itself. However, you can also configure ACLs on a connected Cisco ISE server and download them to the controller when a wireless client connects.
These ACLs are referred to as downloadable ACLs, per-user Dynamic ACLs, or dACLs.
You can easily maintain downloadable ACLs because they define or update ACLs in Cisco ISE and can be downloaded to all applicable controllers.
(In Cisco IOS-XE 17.8 and earlier releases, you must configure the name in Cisco ISE and define the ACL individually on each controller.)
Feature history for downloadable ACL
|
Release |
Feature |
Feature Information |
||
|---|---|---|---|---|
|
Cisco IOS XE Dublin 17.10.1 |
Downloadable ACL |
The Downloadable ACL (dACL) feature defines and updates access control lists (ACLs) in one place (Cisco ISE) and allows ACL download to all the applicable controllers. In Cisco IOS-XE 17.8 and earlier releases, you had to configure the name in Cisco ISE and define the ACL individually in each of the controllers. The dACL feature is supported only in a centralized controller with Local mode APs.
|
Scale considerations for downloadable ACL
ACL Scale for Controllers
-
Cisco Catalyst 9800-40 Wireless Controller (small or medium): Supports 128 ACLs with 128 ACEs.
-
Cisco Catalyst 9800-80 Wireless Controller (large): Supports 256 ACLs and 256 ACEs.
|
Controllers |
ACL Scale |
|---|---|
|
Cisco Catalyst 9800-40 Wireless Controller (small or medium) |
Supports 128 ACLs with 128 ACEs. |
|
Cisco Catalyst 9800-80 Wireless Controller (large) |
Supports 256 ACLs and 256 ACEs. |
Restrictions for downloadable ACL
Restrictions on dACL usage
These restrictions apply to downloadable ACLs (dACL):
-
dACL does not support FlexConnect local switching.
-
You can use IPv6 dACLs only in Cisco ISE 3.0 or later.
-
You can use the dACL feature only in a centralized controller that uses Local mode Access Points.
Note
The dACL feature is not supported in RLAN environments.
Configuring dACL name and definition in Cisco ISE
Configure dACL in a controller (CLI)
Before you begin
Ensure you have configured the RADIUS server and the aaa-override command in the policy profile. For more information, see Configuring AAA for Local Authentication (CLI).Procedure
|
Step 1 |
Enter global configuration mode. Example: |
|
Step 2 |
Configure the wireless profile policy. Example: |
|
Step 3 |
Configure AAA override to apply policies coming from the Cisco ISE servers. Example: |
|
Step 4 |
Enable the profile policy. Example: |
Configure explicit authorization server list (CLI)
Before you begin
Ensure you have the necessary RADIUS server details and access to the device.Procedure
|
Step 1 |
Enter global configuration mode. Example: |
|
Step 2 |
Specify the RADIUS server name. Example: |
|
Step 3 |
Specify the RADIUS server parameters. Example: |
|
Step 4 |
Specify the authorization and encryption key used between the device and the RADIUS server. Example: |
|
Step 5 |
Return to the configuration mode. Example: |
|
Step 6 |
Create a RADIUS server-group identification. Example:server-group-name refers to the server group name. The valid range is from 1 to 32 alphanumeric characters. |
|
Step 7 |
Create an authorization method list for web-based authorization. Example:You must use the already created authorization method list. |
|
Step 8 |
Return to privileged EXEC mode. Example: |
Verify dACL configuration
Device# show wireless client mac-address <client_mac> detail
Local Policies:
Service Template : wlan_svc_named-policy-profile_1_local (priority 254)
VLAN : 16
Absolute-Timer : 1800
Server Policies:
ACS ACL : xACSACLx-IP-tftpv4_2-62de6299
ACS ACL : xACSACLx-IPV6-tftpv6_2-62de8087
Resultant Policies:
ACS ACL : xACSACLx-IP-tftpv4_2-62de6299
ACS ACL : xACSACLx-IPV6-tftpv6_2-62de8087
VLAN Name : VLAN0016
VLAN : 16
Absolute-Timer : 1800
To verify dACLs, use this commands:
Device# show ip access-lists xACSACLx-IP-tftpv4_2-62de6299
Extended IP access list xACSACLx-IP-tftpv4_2-62de6299
1 deny ip any host 9.8.29.13
2 permit ip any any (58 matches)
Device# show ipv6 access-list xACSACLx-IPV6-tftpv6_2-62de8087
IPv6 access list xACSACLx-IPV6-tftpv6_2-62de8087
deny ipv6 any host 2001:9:8:29:3AAD:A27A:973A:97CC sequence 1
permit ipv6 any any (2 matches) sequence 2
To view all the downloaded dACLs, use this command:
Device# show ip access-lists
Feedback