FlexConnect Security

FlexConnect Access Control Lists

An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller). ACLs enable access control of network traffic. After ACLs are configured on the controller, you can apply them to the management interface, the AP-Manager interface, any of the dynamic interfaces, or a WLAN. ACLs enable you to control data traffic to and from wireless clients or to the controller CPU. You can configure ACLs on FlexConnect access points to enable effective usage and access control of locally switched data traffic on an access point.

The FlexConnect ACLs can be applied to VLAN interfaces on access points in both the Ingress and Egress mode.

Existing interfaces on an access point can be mapped to ACLs. The interfaces can be created by configuring a WLAN-VLAN mapping on a FlexConnect access point.

The FlexConnect ACLs can be applied to an access point’s VLAN only if VLAN support is enabled on the FlexConnect access point.


Restrictions for FlexConnect Access Control Lists

  • FlexConnect ACLs can be applied only to FlexConnect access points. The configurations applied are per AP and per VLAN.

  • FlexConnect ACLs are supported on the native VLAN.

    Note

    FlexConnect ACLs are not supported on the native VLAN when the setting comes from a FlexConnect group.


  • You can configure up to 512 ACLs on a Cisco Wireless Controller. Each rule has parameters that affect its action. When a packet matches all the parameters pertaining to a rule, the action set pertaining to that rule is applied to the packet.

    • You can define 64 IPv4 address based rules in each ACL.

    • You can define up to 20 URL domain based rules (or filters).

  • Non-FlexConnect ACLs that are configured on the controller cannot be applied to a FlexConnect AP.

  • FlexConnect ACLs do not support a direction per rule. Unlike normal ACLs, FlexConnect ACLs cannot be configured with a direction. The ACL as a whole is applied to an interface as ingress or egress.

  • All ACLs have an implicit deny all rule as the last rule. If a packet does not match any of the rules, it is dropped by the corresponding access point.

  • ACL mapping on VLANs that are created on an AP using WLAN-VLAN mapping should be performed on a per-AP basis only. VLANs can be created on a FlexConnect group for AAA override; these VLANs do not have any mapping to a WLAN.

  • ACLs for VLANs that are created on a FlexConnect group should be mapped only on the FlexConnect group. If the same VLAN is present on both the corresponding AP and the FlexConnect group, the AP VLAN takes priority. This means that if no ACL is mapped on the AP, the VLAN has no ACL, even if an ACL is mapped to the VLAN on the FlexConnect group.

  • Ensure the FlexConnect ACL and the regular ACL names are not the same while configuring a WLAN for FlexConnect local switching.

  • AAA client ACL support:

    • Before the AAA sends the client ACL, ensure that the ACL is created on a FlexConnect group or an AP. The ACL is not downloaded to the AP dynamically when the client gets associated with the AP.

    • A maximum of 96 ACLs can be configured on an AP. Each ACL can have a maximum of 64 rules.

    • FlexConnect ACLs do not have directions. The entire ACL is applied as ingress or egress.

    • The ACL returned by the AAA is applied on both ingress and egress on the 802.11 side of the client.

  • Cisco Wave 2 and 802.11ax APs: When FlexConnect ACLs are applied to both wired and 802.11 interfaces, the client traffic honors only the ACL that is mapped to the 802.11 interface and not the ACL that is mapped to the wired interface.


Note

When a local switching WLAN is configured and an ACL containing a set of deny and permit rules is mapped to a FlexConnect group, a client that associates to the WLAN needs a DHCP permit rule in that ACL in order to obtain an IP address.

Configuring FlexConnect Access Control Lists (GUI)

Procedure


Step 1

Choose Security > Access Control Lists > FlexConnect Access Control Lists > IPv4 ACL/IPv6 ACL.

The FlexConnect ACL page is displayed.

This page lists all the FlexConnect ACLs configured on the controller. To remove an ACL, hover your mouse over the blue drop-down arrow that is next to the corresponding ACL name and choose Remove.

Step 2

Add a new ACL by clicking New.

The Access Control Lists > New page is displayed.

Step 3

In the Access Control List Name field, enter a name for the new ACL. You can enter up to 32 alphanumeric characters.

Step 4

Click Apply.

Step 5

Click the name of the new ACL after the Access Control Lists page is displayed again.

When the Access Control Lists > Edit page appears, hover over Add Rule, and select one of the two options:

  • IP Rule—IP address based rule. A controller supports 512 ACLs with 64 rules in each ACL.

  • URL Rule—Domain name-based rule. A controller supports 512 ACLs with 20 rules in each ACL.

Step 6

Configure an IP address based rule for a given FlexConnect ACL as follows:

  1. Choose IP Rule to create an IP address based rule.

    The Access Control Lists > Rules > New page is displayed.

  2. The controller supports up to 64 rules for each IP address-based ACL. These rules are listed in order from 1 to 64. In the Sequence field, enter a value (between 1 and 64) to determine the order of this rule in relation to any other rules defined for this ACL.

    Note

    If rules 1 to 4 are already defined and you add rule 29, it is added as rule 5. If you add or change a sequence number of a rule, the sequence numbers of the other rules are automatically adjusted to maintain a continuous sequence. For instance, if you change a rule’s sequence number from 7 to 5, the rules with sequence numbers 5 and 6 are automatically reassigned as 6 and 7, respectively.

  3. From the Source drop-down list, choose one of these options to specify the source of the packets to which this ACL is applicable:

    • Any—Any source (This is the default value.).

    • IP Address—A specific source. If you choose this option, enter the IP address and netmask of the source in the corresponding fields.

  4. From the Destination drop-down list, choose one of these options to specify the destination of the packets to which this ACL applies:

    • Any—Any destination (This is the default value.).

    • IP Address—A specific destination. If you choose this option, enter the IP address and the details of the destination in the relevant fields.

  5. From the Protocol drop-down list, choose the protocol ID of the IP packets to be used for this ACL. The protocol options that you can use are the following:

    • Any—Any protocol (This is the default value.).

    • TCP

    • UDP

    • ICMP—Internet Control Message Protocol

    • ESP—IP Encapsulating Security Payload

    • AH—Authentication Header

    • GRE—Generic Routing Encapsulation

    • IP in IP—Permits or denies IP-in-IP packets

    • Eth Over IP—Ethernet-over-Internet Protocol

    • OSPF—Open Shortest Path First

    • Other—Any other Internet-Assigned Numbers Authority (IANA) protocol

      Note

      If you choose Other, enter the number of the desired protocol in the Protocol field. You can find the list of available protocols on the IANA website.

    The controller can permit or deny only the IP packets in an ACL. Other types of packets (such as Address Resolution Protocol (ARP) packets) cannot be specified.

    If you choose TCP or UDP, two more parameters, Source Port and Destination Port, are displayed. These parameters enable you to choose a specific source port and destination port or port range. The port options are used by applications that send and receive data to and from the networking stack. Some ports are designated for certain applications, such as Telnet, SSH, HTTP, and so on.

  6. From the DSCP drop-down list, choose one of these options to specify the differentiated services code point (DSCP) value of this ACL. DSCP is an IP header field that can be used to define the quality of service across the Internet.

    • Any—Any DSCP (This is the default value.).

    • Specific—A specific DSCP from 0 to 63, which you enter in the DSCP field.

  7. From the Action drop-down list, choose Deny to cause this ACL to block packets, or Permit to cause this ACL to allow packets. The default value is Deny.

  8. Click Apply.

    The Access Control Lists > Edit page is displayed on which the rules for this ACL are shown.

  9. Repeat this procedure to add more rules, if required, for this ACL.
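The rule semantics from this step and from the restrictions above (sequence renumbering, first match wins, the implicit deny-all rule, and the DHCP permit a client needs), modelled as an added Python example that is not Cisco code. The GUEST-IN ACL, its addresses and the packet helper are constructed; the rendered commands follow the forms shown in the CLI section of this page.

```python
# Model of a FlexConnect IPv4 ACL with the rule ordering, matching and implicit-deny
# semantics described above (added example, not Cisco code). The CLI text it renders
# follows the command forms shown in the CLI section of this page.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY = "any"
MAX_RULES = 64        # rules per IPv4 ACL, as stated on this page
TCP, UDP = 6, 17      # IANA protocol numbers

@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    src: IPv4Network = IPv4Network("0.0.0.0/0")   # "Any" source
    dst: IPv4Network = IPv4Network("0.0.0.0/0")   # "Any" destination
    protocol: object = ANY                        # IANA number or "any"
    src_ports: Optional[Tuple[int, int]] = None   # only used for TCP/UDP
    dst_ports: Optional[Tuple[int, int]] = None
    dscp: object = ANY                            # 0..63 or "any"

    def matches(self, pkt: dict) -> bool:
        """A packet has to match every parameter configured on the rule."""
        if pkt["src"] not in self.src or pkt["dst"] not in self.dst:
            return False
        if self.protocol != ANY and pkt["protocol"] != self.protocol:
            return False
        if self.dscp != ANY and pkt["dscp"] != self.dscp:
            return False
        if self.protocol in (TCP, UDP):
            for rng, port in ((self.src_ports, pkt["sport"]), (self.dst_ports, pkt["dport"])):
                if rng and not rng[0] <= port <= rng[1]:
                    return False
        return True

def packet(src, dst, protocol, sport=0, dport=0, dscp=0) -> dict:
    """Constructed packet header fields, the only ones a FlexConnect ACL can match."""
    return {"src": IPv4Address(src), "dst": IPv4Address(dst), "protocol": protocol,
            "sport": sport, "dport": dport, "dscp": dscp}

class FlexConnectAcl:
    def __init__(self, name: str):
        if not 1 <= len(name) <= 32:
            raise ValueError("ACL name must be 1 to 32 characters")
        self.name = name
        self.rules: List[Rule] = []

    def add_rule(self, sequence: int, rule: Rule) -> int:
        """Insert at `sequence`; past the end it is appended (rule 29 after 1-4 becomes 5)."""
        if not 1 <= sequence <= MAX_RULES or len(self.rules) >= MAX_RULES:
            raise ValueError("sequence or rule count out of range")
        idx = min(sequence, len(self.rules) + 1) - 1
        self.rules.insert(idx, rule)
        return idx + 1                            # the sequence actually assigned

    def change_sequence(self, old: int, new: int) -> None:
        """Move a rule; the others shift so the sequence stays continuous (7->5: 5,6 become 6,7)."""
        rule = self.rules.pop(old - 1)
        self.rules.insert(min(new, len(self.rules) + 1) - 1, rule)

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """First matching rule wins; no match hits the implicit deny-all rule."""
        for seq, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.action, seq
        return "deny", None

    def permits_dhcp(self) -> bool:
        """The check from the note above, using a constructed DHCP DISCOVER (UDP 68 -> 67)."""
        return self.evaluate(packet("0.0.0.0", "255.255.255.255", UDP, 68, 67))[0] == "permit"

    def to_cli(self) -> List[str]:
        """Render the controller commands from the CLI section for this ACL."""
        p, n = "config flexconnect acl", self.name
        out = [f"{p} create {n}"]
        for seq, r in enumerate(self.rules, start=1):
            out.append(f"{p} rule add {n} {seq}")
            for side, net in (("source", r.src), ("destination", r.dst)):
                if net.prefixlen:   # 0.0.0.0/0 is the default "Any"; nothing to configure
                    out.append(f"{p} rule {side} address {n} {seq} {net.network_address} {net.netmask}")
            out.append(f"{p} rule protocol {n} {seq} {r.protocol}")
            for side, rng in (("source", r.src_ports), ("destination", r.dst_ports)):
                if rng:
                    out.append(f"{p} rule {side} port range {n} {seq} {rng[0]} {rng[1]}")
            out += [f"{p} rule dscp {n} {seq} {r.dscp}", f"{p} rule action {n} {seq} {r.action}"]
        out.append(f"{p} apply {n}")
        return out

def build_guest_acl() -> Tuple[FlexConnectAcl, int]:
    """Constructed sample: a guest ingress ACL with rules 1 to 4, then 'rule 29'."""
    acl = FlexConnectAcl("GUEST-IN")
    acl.add_rule(1, Rule("permit", protocol=UDP, src_ports=(68, 68), dst_ports=(67, 67)))  # DHCP
    acl.add_rule(2, Rule("permit", dst=IPv4Network("10.0.0.53/32"), protocol=UDP, dst_ports=(53, 53)))
    acl.add_rule(3, Rule("deny", dst=IPv4Network("10.0.0.0/8")))          # no other internal access
    acl.add_rule(4, Rule("permit", protocol=TCP, dst_ports=(80, 80)))
    seq = acl.add_rule(29, Rule("permit", protocol=TCP, dst_ports=(443, 443)))  # stored as rule 5
    return acl, seq
```

Moving the HTTPS rule in front of the deny rule with change_sequence(5, 3) changes what reaches 10.0.0.0/8, which is why reordering on a live ACL deserves the same review as adding a rule.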

Step 7

Configure a URL domain-based rule for a given FlexConnect ACL:

  1. Choose URL Rule to create a URL domain-based rule.

    The Access Control Lists > URL Rules > New page is displayed.

  2. The controller supports up to 20 rules for each ACL. These rules are listed in order from 1 to 20. In the Sequence field, enter a value (between 1 and 20) to determine the order of this rule in relation to any other rules defined for this ACL.

    Note

    If rules 1 to 4 are already defined and you add rule 19, it is added as rule 5. If you add or change a sequence number of a rule, the sequence numbers of the other rules are automatically adjusted to maintain a continuous sequence. For instance, if you change a rule’s sequence number from 7 to 5, the rules with sequence numbers 5 and 6 are automatically reassigned as 6 and 7, respectively.

  3. In the URL field, enter the Fully Qualified Domain Name (FQDN).

    The URL domain name should be given in a valid format, for example, Cisco.com.

  4. From the Action drop-down list, choose Deny to cause this ACL to block packets, or Permit to cause this ACL to allow packets. The default value is Deny.

  5. Click Apply.

    The Access Control Lists > Edit page is displayed on which the rules for this ACL are shown.

  6. Repeat this procedure to add more rules, if required, for this ACL.

Step 8

Configure Local Web Authentication for FlexConnect:

  1. Choose WLANs > WLAN ID > Security and select the Layer 3 tab.

  2. From the Preauthentication ACL > WebAuth FlexAcl drop-down list, choose the ACL option that you want to apply to the WLAN.

Step 9

Configure Central Web Authentication for FlexConnect:

  1. Choose Wireless > FlexConnect Groups.

    The FlexConnect Groups page appears.

  2. Click the Group Name link of the FlexConnect Group for which you want to configure Central Web Authentication.

  3. Click the ACL Mapping > Policies tab.

  4. Select the policy from the Policy ACL drop-down list.

  5. Click Add.

  6. Choose WLANs > WLAN ID > Security, to open the WLANs Edit page.

  7. In the Security tab, configure the following parameters:

    • Check the MAC Filtering check box in the Layer 2 Security tab.

    • Set Layer 3 Security to None from the drop-down list in the Layer 3 tab.

  8. In the Advanced tab, configure the following parameters.

    • Check the Allow AAA Override check box to enable AAA override.

    • Choose ISE NAC from the NAC State drop-down list.

  9. Save the configuration.


Configuring FlexConnect Access Control Lists (CLI)

Use the following commands on the controller to configure FlexConnect ACLs:

Procedure


  • Create or delete an ACL on a FlexConnect access point by entering this command:

    config flexconnect [ipv6] acl { create | delete } name

    The IPv4 ACL name of up to 32 characters is supported.

    The [ipv6] option was introduced in Release 8.8. A post-authentication IPv6 ACL is supported for both central and local authentication of FlexConnect WLANs. This ACL is applied to the client when the client moves to the Run state.

  • Associate a FlexConnect ACL to a WLAN.

    1. Enable web authentication by entering this command:

      config wlan security web-auth enable wlan_id

    2. Configure the FlexConnect ACL to a WLAN by entering this command:

      config wlan security web-auth flexacl wlan_id acl_name

  • Configure an IP address based rule for an ACL:

    1. Add an IP address based rule to the FlexConnect ACL by entering this command:

      config flexconnect [ipv6] acl rule add acl-name rule-index

    2. Configure a rule's source IP address and netmask by entering this command:

      config flexconnect [ipv6] acl rule source address acl-name rule-index ipv4-addr subnet-mask

    3. Configure a rule’s source port range by entering this command:

      config flexconnect [ipv6] acl rule source port range acl-name rule-index start-port end-port

    4. Configure a rule's destination IP address and netmask by entering this command:

      IPv4—config flexconnect acl rule destination address acl-name rule-index ipv4-addr subnet-mask

      IPv6—config flexconnect ipv6 acl rule destination address acl-name rule-index ipv6-addr prefix-len

    5. Configure a rule’s destination port range by entering this command:

      config flexconnect [ipv6] acl rule destination port range acl-name rule-index start-port end-port

    6. Configure the rule's IP protocol by entering this command:

      config flexconnect [ipv6] acl rule protocol acl-name rule-index protocol

      Specify an index value between 0 and 64. Specify the protocol value between 0 and 255 or ‘any’. The default is ‘any.’

    7. Specify the differentiated services code point (DSCP) value of the rule index by entering this command:

      config flexconnect [ipv6] acl rule dscp acl-name rule-index dscp-value

      DSCP is an IP header field that can be used to define the quality of service across the Internet. Enter a value between 0 and 63 or the value any. The default value is any.

    8. Set the Permit or deny action to the rule by entering this command:

      config flexconnect [ipv6] acl rule action acl-name rule-index {permit | deny}

    9. Change the index value for an ACL rule by entering this command:

      config flexconnect [ipv6] acl rule change index acl-name old-index new-index

    10. Swap the index values between two rules by entering this command:

      config flexconnect [ipv6] acl rule swap acl-name index-1 index-2

    11. Delete a rule from the FlexConnect ACL by entering this command:

      config flexconnect [ipv6] acl rule delete name

    12. Apply an ACL to the FlexConnect access point by entering this command:

      config flexconnect [ipv6] acl apply acl-name

  • Configure a URL domain-based rule for an ACL.

    1. Add or delete a URL domain to an ACL by entering this command:

      config flexconnect [ipv6] acl url-domain { add | delete } acl-name index

    2. Add or edit the URL in a rule of a FlexConnect ACL by entering this command:

      config flexconnect [ipv6] acl url-domain url acl-name index url-name

      Enter the Fully Qualified Domain Name (FQDN).

    3. Set the permit or deny action to all the URLs in the FlexConnect ACL by entering this command:

      config flexconnect [ipv6] acl url-domain action acl-name index { permit | deny }

      Default action is to deny.

  • [Optional] Add a VLAN on a FlexConnect access point, with its ingress and egress ACLs, by entering this command:

    config ap flexconnect vlan add vlan-id acl ingress-acl-name egress-acl-name ap-name

  • Use the following command on the Cisco Aironet 1830 Series and 1850 Series FlexConnect APs to view information that is related to FlexConnect ACLs:

    show flexconnect wlan l2acl

    Displays L2 ACLs configured on the WLAN.


    Viewing and Debugging FlexConnect Access Control Lists (CLI)

    Use the following commands on the controller to view information related to FlexConnect ACLs:

    Procedure


  • show flexconnect acl summary —Displays a summary of the ACLs.

  • show client detail mac-address —Displays AAA override ACL.

  • show flexconnect acl detailed acl-name —Displays the detailed information about the ACL.

  • debug flexconnect acl {enable | disable} —Enables or disables the debugging of FlexConnect ACL.

  • debug capwap reap —Enables debugging of CAPWAP.

  • Use the following commands on the Cisco Aironet 1830 Series and 1850 Series FlexConnect APs to view information related to FlexConnect ACLs:

    • show flexconnect vlan-acl —Displays detailed information about the ACLs configured on the VLANs on the FlexConnect APs.

    • show flexconnect wlan l2acl —Displays detailed information about the Layer 2 ACLs configured on the WLAN.

    • show ip access-lists —Displays information about the ACLs configured for web authentication.


    Configuring CAPWAP Message Aggregation (CLI)

    Deployments with a large number of FlexConnect APs should have CAPWAP message aggregation enabled. In such deployments, if CAPWAP message aggregation is disabled, the ACL and AVC settings on the APs are found to be missing. While the AP settings are missing, messages similar to the following are displayed in the controller message log:

    Capwap Retransmission Queue Full for AP 38:ed:18:cd:f0:60

    With debug capwap errors enable in effect, errors similar to the following might be observed:

    *spamReceiveTask: Aug 22 22:21:09.342: [PA] 00:11:0a:04:60:4d Unable to get RadId. Sending of PMK cache entry to all APs in flexconnect group failed :: bssid 00:00:00:00:00:00

    *spamApTask1: Aug 22 22:21:43.809: [PA] 38:ed:18:cd:f0:60 Queue already full

    *spamApTask1: Aug 22 22:21:43.809: [PA] 38:ed:18:cd:f0:60 Failed to send [XXX] payload

    This issue is observed especially in the following conditions:

    • FlexConnect ACLs and/or AVC in use

    • A large number of WLANs in use

    The workaround is to enter the following command.

    Procedure

    • Enable CAPWAP message aggregation by entering this command:

      config advanced capwap-message-aggregation enable

      Note

      In Release 8.5 and earlier releases, the default setting for this command is disabled. In Release 8.6 and later releases, the default setting is enabled.
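A log check for the symptom described above, as an added example that is not Cisco code. The sample lines are constructed from the message shapes quoted in this section, the second AP MAC is made up, and the event threshold is an assumed operational value rather than anything the documentation states.

```python
# Detection check for the CAPWAP queue-full symptom described above (added example,
# not Cisco code). The sample lines are constructed from the message shapes shown
# on this page; the threshold is an assumption, not a documented value.
import re
from collections import Counter
from typing import Dict, Iterable, List

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
# Controller message log: "Capwap Retransmission Queue Full for AP <mac>"
QUEUE_FULL = re.compile(r"Capwap Retransmission Queue Full for AP " + MAC, re.I)
# "debug capwap errors enable" output: "*spamApTask1: <timestamp>: [PA] <mac> Queue already full"
DEBUG_ERR = re.compile(r"\[PA\] " + MAC + r" (?:Queue already full|Failed to send \[.*?\] payload)", re.I)


def capwap_queue_events(lines: Iterable[str]) -> Dict[str, int]:
    """Count queue-full and failed-payload events per AP MAC; other [PA] lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        m = QUEUE_FULL.search(line) or DEBUG_ERR.search(line)
        if m:
            counts[m.group("mac").lower()] += 1
    return dict(counts)


def aps_needing_aggregation(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """APs at or above the threshold. The remedy on this page is
    'config advanced capwap-message-aggregation enable' (disabled by default before 8.6)."""
    return sorted(mac for mac, n in capwap_queue_events(lines).items() if n >= threshold)


SAMPLE_LOG = [  # constructed, modelled on the lines quoted above; the ...:61 AP is made up
    "Capwap Retransmission Queue Full for AP 38:ed:18:cd:f0:60",
    "*spamReceiveTask: Aug 22 22:21:09.342: [PA] 00:11:0a:04:60:4d Unable to get RadId. "
    "Sending of PMK cache entry to all APs in flexconnect group failed :: bssid 00:00:00:00:00:00",
    "*spamApTask1: Aug 22 22:21:43.809: [PA] 38:ed:18:cd:f0:60 Queue already full",
    "*spamApTask1: Aug 22 22:21:43.809: [PA] 38:ed:18:cd:f0:60 Failed to send [XXX] payload",
    "*spamApTask2: Aug 22 22:21:44.101: [PA] 38:ed:18:cd:f0:61 Queue already full",
]
```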


    Authentication, Authorization, Accounting Overrides

    The Allow Authentication, Authorization, Accounting (AAA) Override option of a WLAN enables you to configure the WLAN for authentication. It enables you to apply VLAN tagging, QoS, and ACLs to individual clients based on the RADIUS attributes returned from the AAA server.

    AAA overrides for FlexConnect access points introduce a dynamic VLAN assignment for locally switched clients. AAA overrides for FlexConnect also support fast roaming (Opportunistic Key Caching [OKC]/ Cisco Centralized Key management [CCKM]) of overridden clients.

    VLAN overrides for FlexConnect are applicable for both centrally and locally authenticated clients. VLANs can be configured on FlexConnect groups.

    If a VLAN on the AP is configured using the WLAN-VLAN mapping, the AP configuration of the corresponding ACL is applied. If the VLAN is configured using the FlexConnect group, the corresponding ACL configured on the FlexConnect group is applied. If the same VLAN is configured on both the FlexConnect group and the AP, the AP configuration, with its ACL, takes precedence. If there is no slot for a new VLAN from the WLAN-VLAN mapping, the most recently configured FlexConnect group VLAN is replaced.

    If the VLAN that was returned from the AAA is not present on the AP, the client falls back to the default VLAN configured for the WLAN.

    Before configuring a AAA override, the VLAN must be created on the access points. These VLANs can be created by using the existing WLAN-VLAN mappings on the access points, or by using the FlexConnect group WLAN-VLAN mappings.

    AAA Override for IPv6 ACLs

    In order to support centralized access control through a centralized AAA server such as the Cisco Identity Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis using AAA Override attributes. In order to use this feature, the IPv6 ACL must be configured on the controller and the WLAN must be configured with the AAA Override feature enabled. The AAA attribute for an IPv6 ACL is Airespace-IPv6-ACL-Name similar to the Airespace-ACL-Name attribute used for provisioning an IPv4-based ACL. The AAA attribute-returned contents should be a string that is equal to the name of the IPv6 ACL as configured on the controller.


    Note

    AAA override for IPv6 is not supported on the Cisco Aironet 1830 Series and 1850 Series FlexConnect APs.

    AAA Overrides of Bidirectional Rate Limiting on an AP and Controller

    You can have AAA overrides for FlexConnect APs to dynamically assign QoS levels and/or bandwidth contracts for both locally switched traffic on web-authenticated WLANs and 802.1X-authenticated WLANs.

    There is an option to select the downstream rate limit through the QoS profile page. Users that already make use of QoS profiles functionality have additional granularity and capabilities.

    The trade-off with configuring the rate limits under the QoS profile is that there are only four QoS profiles available. Thus, there are only four sets of configuration options to use.

    Also, because the QoS profile is applied to all clients on the associated SSID, all clients connected to the same SSID will have the same rate limited parameters.

    Table 1. Rate-Limiting Parameters (X = not configured)

    AAA        QoS Profile of AAA   WLAN       QoS Profile of WLAN   Applied to Client
    100 Kbps   200 Kbps             300 Kbps   400 Kbps              100 Kbps
    X          200 Kbps             300 Kbps   400 Kbps              200 Kbps
    X          X                    300 Kbps   400 Kbps              300 Kbps
    X          X                    X          400 Kbps              400 Kbps
    X          X                    X          X                     Unlimited

    Important Guidelines

    • Rate limiting is supported for APs in Local and FlexConnect mode (both Central and Local switching).

    • When the controller is connected and central switching is used, the controller handles the downstream enforcement of per-client rate limit only.

    • APs handle the enforcement of the upstream traffic and per-SSID rate limit for downstream traffic.

    • For the locally switched environment, both upstream and downstream rate limits will be enforced on the AP. The enforcement on the AP will take place in the dot11 driver. This is where the current classification exists.

    • In both directions, per-client rate limit is applied/checked first and per-SSID rate limit is applied/checked second.

    • On virtual controller platforms, per-client downstream rate limiting is not supported in FlexConnect central switching.

    • The WLAN rate limiting always supersedes the global QoS setting for the WLAN and user.

    • Rate limiting works only for TCP and UDP traffic. Other types of traffic (IPsec, GRE, ICMP, CAPWAP, and so on) cannot be limited.

    • Using an AVC rule, you can limit the bandwidth of a particular application for all the clients joined on the WLAN. These bandwidth contracts coexist with per-client downstream rate limiting. The per-client downstream rate limit takes precedence over the per-application rate limits.

    • Bidirectional rate limiting (BDRL) configuration in a mobility Anchor-Foreign setup needs to be done both on Anchor and Foreign controller. As a best practice, we recommend that you do identical configuration on both the controllers to avoid breakage of any feature.

    • Per WLAN BDRL is supported on these currently supported Cisco Wave1 APs: 1600, 2600, 3600, 1700, 2700, 3700, and 3500.

    • For information about BDRL support on Cisco Wave 2 APs, see the FlexConnect Feature Matrix section in the Feature Matrix for Cisco Wave 2 Access Points and Wi-Fi 6 (802.11ax) Access Points.

    • BDRL is not supported in mesh platforms. On Cisco Virtual Wireless Controller (vWLC), per-client downstream rate limiting is not supported in FlexConnect central switching.

    • In Release 8.5, in an anchor-foreign scenario with Cisco Wave 2 APs, only per-client downstream rate limiting works. Per-client upstream, per-SSID downstream, and per-SSID upstream are not supported. However, all of these are supported on Cisco Wave 1 APs.

      In Release 8.8 and later releases, in anchor-foreign scenarios with Cisco Wave 2 and 802.11ax APs, per-client upstream and downstream and per-SSID upstream and downstream are all supported, provided that the configuration is the same on both the anchor and foreign controllers.

    Related Documentation: Wireless Bi-Directional Rate Limiting Deployment Guide

    Restrictions on AAA Overrides for FlexConnect

    • Before configuring a AAA override, VLANs must be created on the access points. These VLANs can be created by using the existing WLAN-VLAN mappings on the access points, or by using the FlexConnect group WLAN-VLAN mappings.

    • At any given point, an AP has a maximum of 16 VLANs. First, the VLANs are selected as per the AP configuration (WLAN-VLAN), and then the remaining VLANs are pushed from the FlexConnect group in the order that they are configured or displayed in the FlexConnect group. If the VLAN slots are full, an error message is displayed.

    • Only VLAN and ACL override are supported on the Cisco Aironet 1830 Series and 1850 Series FlexConnect APs.

    • The AAA ACLs and VLAN ACLs are applied on the client in the following order of precedence:

      • Wave 1 APs: Both the ACLs are active simultaneously on the client.

      • Wave 2 APs: AAA ACLs override the VLAN ACLs on the client.

    • AAA override for IPv6 is not supported on the Cisco Aironet 1830 Series and 1850 Series FlexConnect APs.

    • For bidirectional rate limiting:
      • If bidirectional rate limiting is not present, AAA override cannot occur.

      • The QoS profile of a client can be Platinum even if the QoS profile of the corresponding WLAN is Silver. The AP allows the client to send packets in a voice queue. However, Session Initiation Protocol (SIP) snooping is disabled on the WLAN to ensure that the traffic for a SIP client does not go to the voice queue.

      • The ISE server is supported.

      • The upstream rate limit parameter is equal to the downstream parameter, from AAA override.

      • Local authentication is not supported.

    • If you assign multiple VLAN names to a VLAN ID, the client display represents the first matching VLAN name that is assigned to the VLAN ID.

    Configuring AAA Overrides for FlexConnect on an Access Point (GUI)

    Procedure


    Step 1

    Choose Wireless > All > APs.

    The All APs page is displayed. This page lists the access points associated with the controller.

    Step 2

    Click the corresponding AP name.

    Step 3

    Click the FlexConnect tab.

    Step 4

    Enter a value for Native VLAN ID.

    Step 5

    Click the VLAN Mappings button to configure the AP VLANs mappings.

    The following parameters are displayed:

    • AP Name—The access point name.
    • Base Radio MAC—The base radio of the AP.
    • WLAN-SSID-VLAN ID Mapping—For each WLAN configured on the controller, the corresponding SSID and VLAN IDs are listed. Change a WLAN-VLAN ID mapping by editing the VLAN ID column for a WLAN.
    • Centrally Switched WLANs—If centrally switched WLANs are configured, WLAN–VLAN mapping is listed.
    • AP Level VLAN ACL Mapping—The following parameters are available:
      • VLAN ID—The VLAN ID.

      • Ingress ACL—The Ingress ACL corresponding to the VLAN.

      • Egress ACL—The Egress ACL corresponding to the VLAN.

      Change the ingress ACL and egress ACL mappings by selecting the mappings from the drop-down list for each ACL type.

    • Group Level VLAN ACL Mapping—The following group level VLAN ACL mapping parameters are available:
      • VLAN ID—The VLAN ID.

      • Ingress ACL—The ingress ACL for this VLAN.

      • Egress ACL—The egress ACL for this VLAN.

      Note

      Group-level VLAN-ACL mapping is applied only to existing VLAN interfaces on the AP. New VLANs are not created on the AP. To add a VLAN interface, WLAN-VLAN mapping needs to be created at either the AP level or the group level.

    Step 6

    Click Apply.


    Configuring AAA Overrides for FlexConnect on an Access Point (CLI)

    To view AAA override information, use the following commands on the Cisco Aironet 1830 Series and 1850 Series APs:

    Procedure

    • config ap flexconnect policy acl add acl-name ap-name

      Configures AP-level policy ACL

    • config flexconnect group group-name policy acl add acl-name

      Configures group-level policy ACL

    Configuring VLAN Overrides for FlexConnect on an Access Point (CLI)

    To configure VLAN overrides on a FlexConnect access point, use the following command:

    config ap flexconnect vlan add vlan-id acl ingress-acl egress-acl ap_name

    You can configure VLANs and ACLs as AAA overrides. This information is sent as vendor-specific attributes (VSAs) from the RADIUS server to the AP. To view or debug the VLAN overrides, use the following commands on the Cisco Aironet 1830 Series and 1850 Series APs:
    • debug authentication interface interface-name {dot1x | dot11}

    • show flexconnect {pmk | dot11r | cckm}

    • debug flexconnect dot11r

    Configuring QoS for FlexConnect on an Access Point (CLI)

    To view QoS information, use the following commands on the Cisco Aironet 1830 Series and 1850 Series APs:

    Procedure

    • show flexconnect wlan qos —Displays the various QoS policies with their priorities like the example below:

      
      . . .
      . . .
      WLAN QoS Priorities:
         port maximum unicast_default multicast_default
       apr0v0       3               3                 3
       apr0v1       6               6                 6
       apr0v2       6               6                 6
       apr0v3       2               2                 2
       apr0v4       3               3                 3
       apr0v5       5               5                 5
       apr0v6       0               0                 0
       apr0v7       2               2                 2
       apr0v8       2               2                 2
       apr0v9       3               3                 3
      apr0v10       6               6                 6
      apr0v11       3               3                 3
      apr0v12       3               3                 3
      apr0v13       3               3                 3
      apr0v14       3               3                 3
      apr0v15       3               3                 3
       apr1v0       3               3                 3
       apr1v1       6               6                 6
       apr1v2       6               6                 6
       apr1v3       2               2                 2
       apr1v4       3               3                 3
       apr1v5       5               5                 5
       apr1v6       0               0                 0
       apr1v7       2               2                 2
       apr1v8       2               2                 2
       apr1v9       3               3                 3
      apr1v10       6               6                 6
      apr1v11       3               3                 3
      apr1v12       3               3                 3
      apr1v13       3               3                 3
      apr1v14       3               3                 3
      apr1v15       3               3                 3
       apr2v0       0               0                 0
       apr2v1       0               0                 0
       apr2v2       0               0                 0
       apr2v3       0               0                 0
       apr2v4       0               0                 0
       apr2v5       0               0                 0
       apr2v6       0               0                 0
       apr2v7       0               0                 0
       apr2v8       0               0                 0
       apr2v9       0               0                 0
      apr2v10       0               0                 0
      apr2v11       0               0                 0
      apr2v12       0               0                 0
      apr2v13       0               0                 0
      apr2v14       0               0                 0
      apr2v15       0               0               
      . . .
      . . .
      
    • show dot11 qos —Displays the configured 802.11 QoS policy maps.

      
      
      Qos Policy Maps
      
      no policymap
      Qos Stats
      
      total packets:   0
      dropped packets: 0
      marked packets:  0
      shaped packets:  0
      policed packets: 0
      
      

    Software Defined Access and FlexConnect Post Authentication IPv6 ACL Support

    This feature enables support for IPv6 ACLs in Fabric mode and for central and local FlexConnect authentication on controllers. These ACLs apply to clients once they are in the run or forwarding state.

    If a WLAN has Fabric mode enabled and is configured for post-authentication IPv6 ACLs, and AAA override is not enabled, the IPv6 ACL is applied to clients that associate with the WLAN. Clients served by APs within the same FlexConnect group remain governed by the applicable ACL. Allowed traffic is locally switched; denied traffic is dropped at the AP.

    Restrictions on Software Defined Access and FlexConnect Post Authentication IPv6 ACL Support

    Post-authentication DNS ACLs are not supported for either IPv4 or IPv6. However, pre-authentication DNS ACLs are supported, with up to 20 domain names per ACL.

    Applying FlexConnect Access Control Lists (GUI)

    Configuring Local Web Authentication for a WLAN with SDA and FlexConnect (GUI)

    This procedure configures Local Web Authentication for FlexConnect on a WLAN.

    Procedure

    Step 1

    Choose WLANs > WLAN ID > Security > Layer 3 tab.

    Step 2

    From the Preauthentication ACL > WebAuth Flex IPv4 / WebAuth Flex IPv6 drop-down list, choose the ACL that you want to apply to the WLAN.

    Step 3

    Save the configuration.


    Configuring Local Web Authentication from FlexConnect Groups for FlexConnect APs (GUI)

    Procedure

    Step 1

    Choose Wireless > FlexConnect Groups.

    The FlexConnect Groups page appears.

    Step 2

    Click the Group Name link of the FlexConnect Group for which you want to configure the ACL.

    Step 3

    Click the ACL Mapping > WLAN-ACL mapping tab.

    Step 4

    From the WebAuth IPv4 ACL / WebAuth IPv6 ACL drop-down list, choose the ACL that you want to apply.

    Step 5

    Click Add.

    Step 6

    Save the configuration.


    Configuring Central Web Authentication and Post Authentication ACL from FlexConnect Groups for FlexConnect APs (GUI)

    Procedure

    Step 1

    Choose Wireless > FlexConnect Groups.

    The FlexConnect Groups page appears.

    Step 2

    Click the FlexConnect group name for which you want to configure the ACL.

    Step 3

    Click the ACL Mapping > Policies tab.

    Step 4

    From the WebAuth IPv4 ACL / WebAuth IPv6 ACL drop-down list, choose the ACL that you want to apply.

    Step 5

    Click Add.

    Step 6

    Save the configuration.

    Step 7

    Choose WLANs > WLAN ID > Security to open the WLANs > Edit page.

    Step 8

    In the Security tab, configure the following parameters:

    • Check the MAC Filtering check box in the Layer 2 > Security tab.

    • Set Layer 3 > Security to None from the drop-down list in the Layer 3 tab.

    Step 9

    In the Advanced tab, configure the following parameters:

    • Check the Allow AAA Override check box to enable AAA override.

    • Choose ISE NAC from the NAC State drop-down list.

    Step 10

    Save the configuration.


    Configuring Post-Authentication Fabric ACL for a WLAN (GUI)

    Procedure

    Step 1

    Choose WLANs > WLAN ID > Advanced tab.

    Step 2

    Check the Fabric Enabled check box under the Fabric Configuration section to enable Fabric for this WLAN.

    Step 3

    From the Fabric IPv4 ACL / Fabric IPv6 ACL drop-down list, choose the post authentication ACL that you want to add to the Fabric enabled WLAN.

    Step 4

    Save the configuration.


    Applying FlexConnect Access Control Lists (CLI)

    Procedure

    • Configure the Local Web Authentication for a WLAN by entering this command:

      config wlan security web-auth ipv6 flexacl wlan-id {acl name | none}

      Use the none keyword to remove the applied ACL.

    • Configure Local Web Authentication from FlexConnect Groups for FlexConnect APs by entering this command:

      config flexconnect group group-name web-auth wlan wlan-id acl acl-name {enable | disable}

    • Configure the Central Web Authentication and Post Authentication ACL from FlexConnect Groups for FlexConnect APs by entering this command:

      config flexconnect group group-name policy ipv6 acl add acl-name

    • Configure the Post-Authentication Fabric ACL for a WLAN by entering this command:

      config wlan fabric ipv6 acl {acl-name | none} wlan-id

    • Configure the Fabric ACL Template for Central Web Authentication and Post Authentication by entering this command:

      config fabric flex-acl-template template-entry template-name {add | delete} acl-name

      This command pushes the ACL to the AP and applies it to the client through the AAA server.
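As an added worked example (not from the configuration guide), the commands above assembled into one deployment sequence, with the Local Web Authentication case and the Central Web Authentication with post-authentication ACL case shown side by side. WLAN ID 7, FlexConnect group FLEX-BRANCH-A, ACL names V6-WEBAUTH-REDIRECT and V6-GUEST-POSTAUTH, and template name CWA-V6-TEMPLATE are constructed values, and both IPv6 FlexConnect ACLs are assumed to exist already. The `config wlan disable/enable`, `config wlan mac-filtering`, `config wlan security web-auth enable/disable`, `config wlan aaa-override` and `config wlan nac radius` commands are the CLI equivalents of the GUI settings in Steps 8 and 9 and are not shown on this page; lines beginning with `!` are annotations, not commands.

```cisco
! Added example with constructed values. Assumes the IPv6 FlexConnect ACLs
! V6-WEBAUTH-REDIRECT (pre-auth) and V6-GUEST-POSTAUTH (post-auth) already exist,
! that WLAN 7 is the guest WLAN and that FLEX-BRANCH-A is the FlexConnect group.

! Take the WLAN down while its security settings change.
config wlan disable 7

! --- Option A: Local Web Authentication (first two bullets above) ---
! Layer 3 web authentication on the WLAN, with the IPv6 pre-authentication ACL
! that is assumed to permit only what an unauthenticated client needs.
config wlan security web-auth enable 7
config wlan security web-auth ipv6 flexacl 7 V6-WEBAUTH-REDIRECT
! The same pre-auth ACL mapped through the FlexConnect group for the branch APs.
config flexconnect group FLEX-BRANCH-A web-auth wlan 7 acl V6-WEBAUTH-REDIRECT enable

! --- Option B: Central Web Authentication (ISE) with a post-auth ACL ---
! GUI Steps 8 and 9 as CLI (not on this page): MAC filtering, Layer 3 None,
! AAA override, ISE NAC.
config wlan mac-filtering enable 7
config wlan security web-auth disable 7
config wlan aaa-override enable 7
config wlan nac radius enable 7
! Post-authentication IPv6 ACL distributed by the FlexConnect group: permitted
! traffic is locally switched, denied traffic is dropped at the AP.
config flexconnect group FLEX-BRANCH-A policy ipv6 acl add V6-GUEST-POSTAUTH
! Fabric (SDA) mode, WLAN 7 assumed already fabric-enabled (GUI Step 2 above):
! the WLAN-level ACL applies when AAA override is not enabled; the template
! entry lets the AAA server reference the ACL by name for CWA.
config wlan fabric ipv6 acl V6-GUEST-POSTAUTH 7
config fabric flex-acl-template template-entry CWA-V6-TEMPLATE add V6-GUEST-POSTAUTH

config wlan enable 7

! Verify the WLAN security settings and the group's ACL mappings.
show wlan 7
show flexconnect group detail FLEX-BRANCH-A
```

Apply only one of the two options to a given WLAN; the Layer 3 setting (web-auth enabled for Option A, None for Option B) decides which pre-authentication path the client takes.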