1-12
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
Access Control Lists
The operating system allows you to define up to 64 Access Control Lists (ACLs), similar to standard
firewall Access Control Lists. Each ACL can have up to 64 Rules (filters).
Operators can use ACLs to control client access to multiple VPN servers within a given wireless LAN.
If all the clients on a wireless LAN must access a single VPN server, use the IPSec/VPN Gateway
Passthrough setting, described in the “Security Overview” section on page 5-2.
After they are defined, the ACLs can be applied to the management interface, the AP-Manager interface,
or any of the operator-defined interfaces.
Refer to Access Control Lists > New in the Web User Interface Online Help for instructions on
configuring Access Control Lists.
Identity Networking
Cisco Wireless LAN Controllers can have the following parameters applied to all clients associating with
a particular wireless LAN: QoS, global or Interface-specific DHCP server, Layer 2 and Layer 3 Security
Policies, and default Interface (which includes physical port, VLAN and ACL assignments).
However, the Cisco Wireless LAN Controller can also let individual clients (identified by MAC address) override
the preset wireless LAN parameters, either through MAC Filtering or through Allow AAA Override.
This configuration can be used, for example, to have all company clients log into the corporate wireless
LAN, and then have clients connect using different QoS, DHCP server, Layer 2 and Layer 3 Security
Policies, and Interface (which includes physical port, VLAN and ACL assignments) settings on a
per-MAC Address basis.
When Cisco Wireless LAN Solution operators configure MAC Filtering for a client, they can assign a
different VLAN to the MAC address, which the operating system uses to automatically reroute the client to
the management interface or any of the operator-defined interfaces, each of which has its own VLAN, ACL,
DHCP server, and physical port assignments. MAC Filtering can be used as a coarse form of override and
normally takes precedence over any AAA (RADIUS or other) Override.
However, when Allow AAA Override is enabled, the RADIUS (or other AAA) server can instead be
configured to return QoS and ACL on a per-MAC address basis. Allow AAA Override gives the AAA
Override precedence over the MAC Filtering parameters set in the Cisco Wireless LAN Controller; if
no AAA Overrides are available for a given MAC address, the operating system falls back to the MAC
Filtering parameters already in the controller. AAA (RADIUS or other) Override is therefore a
finer-grained override than MAC Filtering, but it takes precedence over MAC Filtering only when
Allow AAA Override is enabled.
Note that in all cases, the Override parameters (Operator-Defined Interface and QoS, for example) must
already be defined in the Cisco Wireless LAN Controller configuration.
In all cases, the operating system will use QoS and ACL provided by the AAA server or MAC Filtering
regardless of the Layer 2 and/or Layer 3 authentication used.
Also note that the operating system moves clients from the default Cisco WLAN Solution wireless LAN
VLAN to a different VLAN only when the wireless LAN is configured for MAC filtering, 802.1X, and/or
WPA Layer 2 authentication.
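The precedence rules above (WLAN defaults, then MAC Filtering, then AAA Override when Allow AAA Override is enabled, with every override target required to exist in the controller configuration) are easy to get wrong when troubleshooting why a client landed on the wrong VLAN or ACL. The following model is an added example and is not Cisco code: the data shapes, the attribute names, the sample configuration and MAC addresses are constructed for the illustration, and treating an override that names an undefined interface, QoS profile or ACL as a hard error, as well as letting a non-empty AAA reply replace the MAC Filtering entry entirely, are this example's assumptions rather than documented controller behaviour.

```python
# Added example, not code from the Cisco guide: a small model of the
# Identity Networking precedence rules.  Object shapes, names, and the
# decision to reject overrides that reference undefined objects are
# assumptions made for the illustration.
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Set, Tuple

# Per-client parameters that a MAC Filtering entry or an AAA reply may override.
OVERRIDABLE = ("interface", "qos", "acl")


@dataclass
class ClientParams:
    interface: str             # operator-defined interface (port/VLAN/ACL bundle)
    qos: str                   # QoS profile name
    acl: Optional[str] = None  # ACL applied to the client, if any


@dataclass
class Controller:
    interfaces: Set[str]
    qos_profiles: Set[str]
    acls: Set[str]
    allow_aaa_override: bool = False
    # MAC Filtering table: lower-case MAC -> subset of OVERRIDABLE fields
    mac_filter: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def undefined_refs(self, override: Dict[str, str]) -> Set[str]:
        """Return override values that are not defined on the controller.
        The guide requires override targets to already exist; treating a
        missing one as a hard error is this example's choice."""
        missing = set()
        if "interface" in override and override["interface"] not in self.interfaces:
            missing.add(override["interface"])
        if "qos" in override and override["qos"] not in self.qos_profiles:
            missing.add(override["qos"])
        if "acl" in override and override["acl"] not in self.acls:
            missing.add(override["acl"])
        return missing


def resolve(ctl: Controller, wlan_defaults: ClientParams, mac: str,
            aaa_reply: Optional[Dict[str, str]] = None) -> Tuple[ClientParams, str]:
    """Pick the parameters applied to one client and report where they came from.

    Precedence, as described in the section:
      1. AAA Override, only when Allow AAA Override is enabled and the AAA
         server actually returned attributes for this MAC;
      2. otherwise the MAC Filtering entry for this MAC, if one exists;
      3. otherwise the WLAN-wide defaults.
    With Allow AAA Override disabled, AAA attributes are ignored entirely.
    """
    mac_entry = ctl.mac_filter.get(mac.lower())
    aaa = aaa_reply if (ctl.allow_aaa_override and aaa_reply) else None

    if aaa:
        chosen, source = aaa, "aaa-override"
    elif mac_entry:
        chosen, source = mac_entry, "mac-filter"
    else:
        return replace(wlan_defaults), "wlan-default"

    unknown = set(chosen) - set(OVERRIDABLE)
    if unknown:
        raise ValueError(f"unsupported override attribute(s): {sorted(unknown)}")
    missing = ctl.undefined_refs(chosen)
    if missing:
        raise ValueError(f"override from {source} references undefined "
                         f"object(s): {sorted(missing)}")
    return replace(wlan_defaults, **chosen), source


# Constructed sample configuration and clients (not taken from the guide).
WLC = Controller(
    interfaces={"management", "employee", "contractor"},
    qos_profiles={"silver", "gold"},
    acls={"acl-corp", "acl-guest"},
    allow_aaa_override=True,
    mac_filter={"00:11:22:33:44:55": {"interface": "contractor", "qos": "silver"}},
)
CORP_WLAN = ClientParams(interface="employee", qos="gold", acl="acl-corp")


def demo() -> Dict[str, str]:
    """Run the precedence cases and return which source won in each."""
    out = {}
    # AAA returned attributes for a MAC that also has a filter entry: AAA wins.
    _, out["aaa_wins"] = resolve(WLC, CORP_WLAN, "00:11:22:33:44:55",
                                 {"acl": "acl-guest"})
    # AAA returned nothing for this MAC: fall back to the MAC Filtering entry.
    _, out["mac_fallback"] = resolve(WLC, CORP_WLAN, "00:11:22:33:44:55", {})
    # Unknown MAC and nothing from AAA: WLAN defaults apply.
    _, out["default"] = resolve(WLC, CORP_WLAN, "aa:bb:cc:dd:ee:ff")
    # Allow AAA Override disabled: MAC Filtering takes precedence over AAA.
    off = replace(WLC, allow_aaa_override=False)
    _, out["aaa_disabled"] = resolve(off, CORP_WLAN, "00:11:22:33:44:55",
                                     {"acl": "acl-guest"})
    return out


if __name__ == "__main__":
    print(demo())
```

The `undefined_refs` check is the part worth keeping in mind operationally: a RADIUS server can return any interface or ACL name it likes, so an override that refers to something never created on the controller should be caught and logged rather than silently mapped to the default.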
To configure the Cisco WLAN Solution wireless LANs, refer to the “Configuring Wireless LANs”
section on page 6-2.