Cisco ISE and WLC Access-List Design/scalability


I have a scenario that wireless clients are authenticated by the ISE and different ACL is applied depending on the rules in the ISE. The problem I have seen is due to the limitation on the Cisco WLC that limit only 64 input access list. As the installer has only a few IVR/interfaces and several different access lists are applied to the same base on user groups interface; I was wondering if there may be an evolutionary design / approach according to which the access list entries can evolve next to create a vlan for each group of users and apply the access list on the interface of layer 3 instead? I illustrated the configuration below for reference:

Group of users 1 - apply ACL 1 - on Vlan 1

User 2 group - apply ACL 2 - on the Vlan 1

3 user group - apply ACL 3 - on the Vlan 1

The problem appears only for wireless users, he does not see on wired users as the ACLs can be applied successfully without restriction as to the switches.

Any suggestion is appreciated.

Thank you.

In fact, you have limitations on the side of the switch as well. Long ACL can deplete resources AAGR of the switch. Take a look at this link:

The new WLCs based on IOS XE and not the old OS Wireless/Aironet will provide the best experience in these matters.

Overall, I see three ways to overcome your current number:

1. reduce the ACL by making them less specific

2 use L3 interfaces on a switch L3 or FW and the ACL is applied to them

3. use the SGT/SGA

I hope this helps!

Thank you for evaluating useful messages!

Tags: Cisco Security

Similar Questions

  • Cisco ISE and Meraki RADIUS

    I am very new to Cisco ISE and Meraki.  I try to get the Radius configuration for wireless authentication.  When I do a test of the Meraki to ISE, it passes.

    When I try to connect from my laptop, I look at the logs of the Radius and it passes; However, it does not connect me to good policy.  I keep hitting the default policy.  I have my Meraki police above the default policy in the strategy defined in article.  I have attached what looks like my strategy game.

    Devices does not really matter. Here is what I see when I create a device group (where you add the access point to this group), and then create the condition:

    And here is where I create the condition of strategy game and you should be able to select the Meraki access points:

    This will give you the condition similar to what I posted above. This is perhaps why you aren't hit that is not matching the condition for this game.

  • Guest access with ISE and WLC LWA

    Hi guys,.

    Our company try to implement access as guest with dan ISE WLC with the local Web authentication method. But there is problem that comes with the certificate. This is the scenario:

    1. the clients are trying to connect wifi with guest SSID

    2. once it connects, you can open the browser and try to open a Web page (example:

    3, because guests didn't connect, so this link redirect to "ISE Guest Login Page" (become): url



    4. If there is no Login to ISE not installed comments Page, no reliable connection of message message, but it will be fine is they "Add Exception and install the certificate".

    5. once the Guest Login Page will appear and you can enter their username and password.

    6 connection success and they will be redirected to and there pop-up (IP of the Virtual Interface WLC) with the logout button.

    The problem occur in scenario 6, after the success of the opening session, the Web page with the address and the error of certificate ISE IP to is appear.

    I know that it happened when you can has no Page of Login of WLC certificate...

    My Question is, is there a way of tunneling WLC certificate to EHT? Or what we can do for ISE validate certificate WLC, invited didn't need to install the certificate WLC / root certificate before you connect to the Wifi?

    THX 4 your answer and sorry for my bad English...

    Do not mix WLC with ISE comments Portal local Web authentication. Choose one or the other. I suggest the portal + WLC CWA.

  • ISE pre authorise access-list


    I created a list of access-pre approval for cisco ise 1.4, depending on the Switch Configuration required to Support Cisco ISE 2.0 functions, properly profiled Cisco IP phone and download a good list of permit ip access IE, but when I make a PSTN call I hear a one-way audio, when I see the switch connects it show me that RTP has been blocked by default access-list , I have a question when my DACL list is downloaded correctly then why the default ACL is interrupting the RTP, also I see the port number 2000 & 2443 is blocked by default access-list by phone losses its connection to the server, which are used to to the CUCM keepalive.

    Something I'm missing?

    Thank you

    Which is not the same thing?

    Try using the 'details' after the command

  • Critical auth and limited access-list

    I play just with ISE 1.1.4 and auth critical, but I have a pretty locked down from the default access on ports list. Is it possible to replace a list of very restrictive access by default in the event of critical auth?

    It seems as if you are relieant on DACLs to provide access for devices (closed or similar mode) auth criticism is not a viable option?

    Or have I misunderstood, and perhaps "action dead event server authentication allows voice" more I waited.

    I guess I'm looking for something like "event action dead access-list less-restrictiveACL server authentication."

    Thank you


    Why not flip it on its head and have your less-restrictive-ACL default and impose more restrictive things through dACL?

  • ISE and WLC for sanitation of the posture

    Please can someone clarify a few things regarding the ISE and posture wireless.

    (1) is the ACL-POSTURE-REDIRECT used for conversion, or is it just an ACL to redirect some of the posture of the kickoff checking traffic?

    (2) can / a dACL/wACL list must be specified as a sanitation ACL?

    (3) the WLC ACL should be written in long format (manually specify source and dest ports/doesny direction any job?)

    (4) does anyone have working example ACL for redirect (CPC) posture and sanitation (dACL)?

    (5) any other advice or pointers would be as useful as any docs I have found so far, what he TrustSec2, CiscoLive or anything else, do not seem to help me understand sanitation and WLC posture

    Thank you



    This means that strategy available to your customer does not have a rule that will correspond to an entrepreneur who joined the network. Can you post a screenshot of the provisioning of customer policy?

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Cisco ISE and external syslog server

    Hi Security Experts,

    We start with deployment cisco ISE (Identity Services Engine) in our network. We have allocated 250 GB of space for the node (Admin + monitor) ISE.

    I want to know if we can send tracking of nodes of external syslog server logs after a defined time interval.

    For example, newspapers that are more than 10 days are for external syslog server. So basically our node monitoring will have the marbles which are the Max 9 days. Is this possible? Could you tell me some doc that explains the configuration of the same thing?

    Thank you


    No this is not possible via syslog. What you need is database purge, so that the monitoring database is purged after a determined time interval. Here's a guide that will help shed some light on this:

    Tarik Admani
    * Please note the useful messages *.

  • Cisco ISE and the fast user switching


    In our deployment, we are interested in using the "fast user switching" which lies in the functionality of Windows.   After searching for a while, I see that the native Windows supplicant is not compatible with the fast user switching.   It does not appear that Anyconnect is either.   Can you please inform me as to what suppluicant, I need research to enable the functionality of Switchign user?

    We currently use ISE 1.2 Patch 4.

    Thank you for any assistance.


    Cisco EHT NAC Agent does not support Windows fast user change when you use the native supplicant. This is because there is not clearly the older user disconnecting. When a new user is sent, the Agent is hung on the ID process and the old user session and therefore a new posture cannot take place. According to Microsoft Security policy, it is recommended to disable the fast user switching.


  • ISE and WLC for CWA (Web Central Auth)

    Hi all

    As we know that WLC (i.e. 5508) is intolerant of MAB (MAC Auth Bypass) and it supports CWA in 7.2.x.

    CWA is the result of successful MAB. So, how CWA to work for the wireless? So that means WLC support MAB?


    The term in the wireless world is mac filtering. When mac filtering is fired, you will return the CWA portal in the access-accept.

    Don't forget to set your condition in the authentication policy to continue if the user is not found, while the device can hit the CWA default rule.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Cisco ISE and question Admin CLI


    I have a strange problem with my installation of ISE. First of all, I use AD users for authentication. It works very well on HTTPS. I can connect with my admin AD by HTTPS.

    The problem starts when I try to log in via the CLI (SSH). I got login prompt. When I type my credentials AD that he said "Login Incorrect" and I got the same result if I try it with the local administrator account.

    I tried to reset the password for the local administrator over HTTPS to check this kind of wrong password. But no effect.

    My ISE is installed VMware.

    Experiences with it?


    CLI authentication which is the base Linux OS is not / cannot be bound to AD to the admin authentication. Only, you integrate the application on top of Linux, which in this case is ISE, to AD. So, if you want to connect to the cli shell, you will need to use the username/password you configured during installation. If you do not remember those you need to perform a rest of password via the installation CD / ISO

    Thank you for evaluating useful messages!

  • Cisco ISE and the new Version of AntiVirus... not DAT

    I am ready to go to our VPN ISE users. It was a great test and it seems that we are ready to roll.

    Then comes a new version of our corporate AntiVirus software. We had Kaspersky EndPoint Security v8 since last August. Kaspersky now comes to Endpoint Security v10. It took about 3 months for compliance in ISE Module to allow the NAC Agent to recognize KESv10. But now, when we connect I get an error from the NAC stating bascially that the version of installed KES is no posture installation rules and he can't do anything. (see attachment for the exact wording)

    I remember when we first set up the ISE, there was a screen that broke down the different manufacturers of AV and the different versions that would support ISE/NAC. I have no idea where it is now.

    How to I update my sanitation/policies/rules to take account of two KES10 including, or simply change to allow version 8 +, or even ANY version?

    I'm sure this is a simple solution, but I can't find it. I looked through a lot of documentation, and I even looked through a PDF of global laboratory on-site ISE posturing, and he can find.

    Thank you


    Unfortunately, there are various known bugs related to the use of the browser "bad" that have been around for a while

  • Authentication (Windows Server 2013) AD Cisco ISE problem


    Has deployed two Cisco ISE 1.1.3. ISE will be used to authenticate users wireless access admin WLC and switches. Database backend is Microsoft running on Windows Server 2012 AD. Existing Cisco ACS 4.2 still running and authenticate users. There are two Cisco WLCs version

    Wireless users authenticates to AD, through works of GBA 4.2. Access admin WLC and switches to the announcement through ISE works. Authentication with PEAP-MSCHAPv2 access and admin PAP/ASCII wireless.


    Wireless users cannot authenticate to the announcement through ISE. This is the error message '11051 RADIUS packet contains invalid state attribute' & '24444 Active Directory failed because of an error that is not specified in the ISE'.

    Conducted a detailed test of the AD of the ISE. The test was a success and the result seems fine except for the below: (

    Ping: 0 Mins Ago

    Status: down (

    Ping: 0 Mins Ago

    Status: down

    Last success: Thu Jan 1 10:00 1970

    March 11 failure: read 11:18:04 2013

    Success: 0

    Chess: 11006

    Last success: Fri Mar 11 09:43:31 2013

    March 11 failure: read 11:18:04 2013

    Success: 25

    Chess: 11006

    Domain controller:

    Domain controller type: unknown functional level DC: 5

    Domain name: xx.COM

    IsGlobalCatalogReady: TRUE

    DomainFunctionality: 2 = (DS_BEHAVIOR_WIN2003)

    ForestFunctionality: 2 = (DS_BEHAVIOR_WIN2003)

    Action taken:

    Log Cisco ISE and WLC by using the credentials of the AD. This excludes the connection AD, clock and AAA shared secret as the problem.

    (2) wireless authentication tested using EAP-FAST, but same problem occurs.

    (3) detailed error message shows below. This excludes any authentication and authorization policies. Even before hitting the authentication policy, the AD search fails.

    12304 extract EAP-response containing PEAP stimulus / response

    11808 extracted EAP-response containing EAP - MSCHAP VERSION challenge response to the internal method and accepting of EAP - MSCHAP VERSION such as negotiated

    Evaluate the politics of identity

    15006 set default mapping rule

    15013 selected identity Store - AD1

    24430 Authenticating user in Active Directory

    24444 active Directory operation failed because of an error that is not specified in the ISE

    (4) enabled the registration of debugging AD and had a look at the logging. Nothing significant, and no clue about the problem.

    (5) wireless tested on different mobile phones with the same error and laptos

    (6) delete and add new customer/features of AAA Cisco ISE and WLC

    (7) ISE services restarted

    (8) join domain on Cisco ISE

    (9) notes of verified version of ISE 1.1.3 and WLC for any open caveats. Find anything related to this problem.

    10) there are two ISE and two deployed WLC. Tested a different combination of ISE1 to WLC1, ISE1 to WLC2, etc. This excludes a hardware problem of WLC.

    Other possibilities/action:

    1) test it on another version WLC. Will have to wait for approval of the failure to upgrade the WLC software.

    (2) incompatibility between Cisco ISE and AD running on Microsoft Windows Server 2012

    Did he experienced something similar to have ideas on why what is happening?

    Thank you.


    (1) built an another Cisco ISE 1.1.3 sever in another data center that uses the same domain but other domain controller. Thai domain controller running Windows Server 2008. This work and successful authentication.

    (2) my colleague tested in a lab environment Cisco ISE 1.1.2 with Windows Server 2012. He has had the same problem as described.

    This leads me to think that there is a compatibility issue of Cisco ISE with Windows Server 2012.

    Yes, it seems that 1.1.3 doesn't support Server 2012 as of yet.

    External identity Source OS/Version

    Microsoft Windows Active Directory 2003 R2 32-bit and 64-bit

    Active Directory Microsoft Windows 2008 32-bit and 64-bit

    Microsoft Windows Active Directory 2008 R2 64-bit only

    Microsoft Windows Active Directory 2003 32-bit only

  • Cisco vWLC and issue of ISE Central Web Authetication


    I have a problem with a central Web authentication wireless. CWA woking fine wired.

    My APs woking FlexConnect mode with local switching. When I connect to the WLAN with CWA, web page with the portal asked to not open, but I see, this redirection works...

    When I try to ping ISE and have an odd result:

    [email protected]/ * /: ~ $ ping

    PING ( 56 (84) bytes of data.

    64 bytes from icmp_seq = 5 ttl = 63 times = 1.45 ms

    64 bytes from icmp_seq = 8 ttl = 63 times = 2.22 ms

    64 bytes from icmp_seq = 10 ttl = 63 times = 1.43 ms

    ^ C

    - - ping statistics

    21 packets transmitted, received 3, 85% packet loss, time 20106ms

    RTT min/avg/max/leg = 1.430/1.703/2.223/0.367 ms

    When I change the WIFI open network security or any other method, ping to ISE work very well. Help, please!

    Web Auth (CWA) Centre works different controllers/APs works in mode FlexConnect. Please consult this guide and check if you have a similar setup.

    If so, please post screenshots with your configs (ACL redirect, political in ISE and WLC SSD settings).

    In addition, the version of the code you run in your controller and ISE.

    Thank you for evaluating useful messages!

  • Cisco ISE posture assessment and client provisioning


    I have the Cisco ISE and Cisco IOS device. I configured the RADIUS between these devices.

    Also, I configured RADIUSbetween ISE of Cisco and Cisco ASA. Now I want to know that how to posture assessment for these devices (ISE of Cisco and Cisco ASA or ISE Cisco Cisco IOS). Please give me the steps together for assesment for cisco ios device posture in Cisco ise.

    In addition, please give me related to posture assessment and the provisioning client logs.

    Thanks in advance.

    You can go through the list link below to download a PDF link

    Assessment of the posture with ISE.

    ~ BR
    Jatin kone

    * Does the rate of useful messages *.

  • Question of access list for Cisco 1710 performing the 3DES VPN tunnel

    I have a question about the use of access lists in the configuration of a router Cisco 1710 that uses access lists to control traffic through the VPN tunnel.

    For example the following lines in a configuration on the remote router. My question is whether or not the traffic that matches the definition of list access-130 (something other than, cross the VPN tunnel or go directly to the Ethernet0 interface.

    My understanding is that traffic that matches the access list 120 would be encrypted and sent through the IPSec tunnel. If there was "ban" set out in the statements of 120 access-list, the traffic for those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the definition of crypto card reference only "adapt to 120", any traffic that matches 130 access list would be sent Ethernet0 but not associated with the card encryption and thus not sent through the IPSec tunnel. "

    Any input or assistance would be greatly appreciated.

    Map Test 11 ipsec-isakmp crypto


    match address 120

    Interface Ethernet0


    card crypto Test

    IP nat inside source overload map route sheep interface Ethernet0

    access-list 120 allow ip

    access-list 130 refuse ip

    access-list 130 allow ip any

    sheep allowed 10 route map

    corresponds to the IP 130

    He would go through the interface e0 to the Internet in clear text without going above the tunnel

    Jean Marc

Maybe you are looking for