ACL Redirect in IOS/ASA/WLC

Question to KB.

In the case of wired CWA:

I have read a lot of documents and am confused about why they configure deny first, then permit.
Example :
Redirect ACL
deny udp any any eq 53
deny udp any any eq 67
deny ip any host ISE
permit tcp any any eq 80
permit tcp any any eq 443

Can we configure it directly?
Redirect ACL
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any (implicit)

What I understand is that

in IOS/ASA,
Permit means redirect
Explicit deny in the first redirect ACL means no redirect

So what is the difference between implicit deny and explicit deny?


In the case of wireless CWA:

In WLC,
is there any implicit deny in WLC like in the ASA/IOS scenario?

What I understand:
Deny == redirect
Permit == no redirect or block

Please give your support in this area.

The Redirect ACL is downloaded to the Network Device (Switch or WLC). It specifies the traffic that will be redirected towards ISE. The reason for the Deny statements in the Redirect ACL is to tell the Network Device not to redirect the specified traffic. The Deny is for traffic that will allow the endpoint to get on the network, like DHCP/DNS, and any traffic that is destined to ISE. If any other traffic comes in, it should redirect it to ISE. Once the authentication takes place, the CoA will override the Redirect ACL. The way you have written it will only redirect the web traffic and permit the other traffic to go through without any check.

I could not get this statement. Permit other traffic without any check.

Both ACLs should work
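
To compare the two redirect ACLs from the question, the following added example (not code from any poster in this thread) evaluates both top-down with first-match and the IOS semantics described above: permit means redirect, deny (explicit or implicit) means no redirect. The ISE address, the sample packets and the 8443 portal port are constructed assumptions, and the model covers only the redirect decision, not whether the traffic is otherwise allowed.

```python
ISE = "10.0.0.10"  # constructed placeholder for the ISE address

# Each entry: (action, protocol, destination, destination port or None)
ACL_EXPLICIT = [                      # first ACL in the question
    ("deny", "udp", "any", 53),
    ("deny", "udp", "any", 67),
    ("deny", "ip", ISE, None),
    ("permit", "tcp", "any", 80),
    ("permit", "tcp", "any", 443),
]
ACL_SHORT = [                         # second ACL in the question
    ("permit", "tcp", "any", 80),
    ("permit", "tcp", "any", 443),
]

def redirected(acl, proto, dst, dport):
    """First matching entry wins; permit = redirect, deny = no redirect."""
    for action, a_proto, a_dst, a_port in acl:
        if a_proto not in ("ip", proto):
            continue
        if a_dst not in ("any", dst):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action == "permit"
    return False                      # implicit "deny ip any any"

# Constructed sample traffic from an unauthenticated endpoint.
PACKETS = [
    ("DNS query", "udp", "192.0.2.53", 53),
    ("DHCP request", "udp", "255.255.255.255", 67),
    ("HTTP to internet", "tcp", "198.51.100.7", 80),
    ("HTTPS to internet", "tcp", "198.51.100.7", 443),
    ("Portal on ISE:8443", "tcp", ISE, 8443),   # assumed portal port
    ("HTTPS to ISE:443", "tcp", ISE, 443),
    ("SSH to internet", "tcp", "198.51.100.7", 22),
]

def compare():
    """Map each packet name to (redirected by first ACL, by second ACL)."""
    return {name: (redirected(ACL_EXPLICIT, p, d, port),
                   redirected(ACL_SHORT, p, d, port))
            for name, p, d, port in PACKETS}

def differences():
    return [name for name, (a, b) in compare().items() if a != b]

if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:20} explicit={a!s:5} short={b!s:5}")
    print("Differ on:", differences())
```

In this model the two lists give the same redirect decision for every sample packet except TCP 80/443 addressed to ISE itself, which only the explicit `deny ip any host ISE` entry exempts.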