WLC ACL Problem
Hi all,
I'm having problems when trying to apply an ACL to my WLC dynamic interfaces. I have three WLANs that I wish to keep separated and am using ACLs that I have configured on the controller; the only problem is they don't seem to work!
Ping test from 10.201.32.11 on WLAN1 to 10.201.27.41 on WLAN2 works and the current ACL is below:
1 Out 10.201.32.0/255.255.252.0 10.201.24.0/255.255.252.0 Any 0-65535 0-65535 Any Deny 0
2 In 10.201.24.0/255.255.252.0 10.201.32.0/255.255.252.0 Any 0-65535 0-65535 Any Deny 0
3 Out 10.201.32.0/255.255.252.0 10.201.28.0/255.255.255.0 Any 0-65535 0-65535 Any Deny 0
4 In 10.201.28.0/255.255.255.0 10.201.32.0/255.255.252.0 Any 0-65535 0-65535 Any Deny 0
5 Out 10.201.32.0/255.255.252.0 192.168.200.0/255.255.255.224 Any 0-65535 0-65535 Any Deny 0
6 In 192.168.200.0/255.255.255.224 10.201.32.0/255.255.252.0 Any 0-65535 0-65535 Any Deny 0
7 Any 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 Any 0-65535 0-65535 Any Permit 69
DenyCounter : 0
Each WLAN is sat on its own separate dynamic interface and own unique subnet.
Any suggestions would be most appreciated.
Thanks.
Hi,
Keep in mind the direction of the ACL.
In means from client destined to WLC
Out means from WLC destined to client.
It should look like this:
Index Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter
1 In 10.201.32.0/255.255.252.0 10.201.24.0/255.255.252.0 Any 0-65535 0-65535 Any Deny 0
2 Out 10.201.24.0/255.255.252.0 10.201.32.0/255.255.252.0 Any 0-65535 0-65535 Any Deny 0
Don't forget to apply the ACL on interface or on WLAN.
Regards,
Christos.
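The direction rule from the reply above, worked through in Python as an added example (not code from the thread or from Cisco). It assumes first-match evaluation, that the ACL is applied to the WLAN1 dynamic interface, and that the poster's permit-any line follows the two corrected rules; `Rule`, `evaluate` and `ping` are illustrative names.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    index: int
    direction: str  # "In", "Out" or "Any", as in the controller's Dir column
    src: str        # "address/netmask"
    dst: str        # "address/netmask"
    action: str     # "Permit" or "Deny"


# Subnets taken from the ACL listings in the thread.
WLAN1 = "10.201.32.0/255.255.252.0"
WLAN2 = "10.201.24.0/255.255.252.0"
NET_28 = "10.201.28.0/255.255.255.0"
NET_200 = "192.168.200.0/255.255.255.224"
ANY = "0.0.0.0/0.0.0.0"

# The ACL as originally posted. Protocol, ports and DSCP are "Any" in every
# rule, so they are left out of this model.
ORIGINAL_ACL = [
    Rule(1, "Out", WLAN1, WLAN2, "Deny"),
    Rule(2, "In", WLAN2, WLAN1, "Deny"),
    Rule(3, "Out", WLAN1, NET_28, "Deny"),
    Rule(4, "In", NET_28, WLAN1, "Deny"),
    Rule(5, "Out", WLAN1, NET_200, "Deny"),
    Rule(6, "In", NET_200, WLAN1, "Deny"),
    Rule(7, "Any", ANY, ANY, "Permit"),
]

# The two rules from the reply, followed by the poster's permit-any line
# (assumption: the reply only lists the first two).
CORRECTED_ACL = [
    Rule(1, "In", WLAN1, WLAN2, "Deny"),
    Rule(2, "Out", WLAN2, WLAN1, "Deny"),
    Rule(3, "Any", ANY, ANY, "Permit"),
]


def in_subnet(addr: str, net_mask: str) -> bool:
    """True if addr falls inside the 'address/netmask' range."""
    net, mask = net_mask.split("/")
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
    return (a & m) == (n & m)


def evaluate(acl: List[Rule], direction: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule index) of the first rule matching this packet."""
    for rule in acl:
        if rule.direction not in ("Any", direction):
            continue  # a rule only applies to traffic flowing in its direction
        if in_subnet(src, rule.src) and in_subnet(dst, rule.dst):
            return rule.action, rule.index
    return "Deny", None  # assumption: nothing matched, treated as implicit deny


def ping(acl: List[Rule], client: str, peer: str) -> dict:
    """Echo request enters the WLC from the client ("In");
    the echo reply leaves the WLC toward the client ("Out")."""
    return {
        "request": evaluate(acl, "In", client, peer),
        "reply": evaluate(acl, "Out", peer, client),
    }


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(name, ping(acl, "10.201.32.11", "10.201.27.41"))
```

With the original listing every deny rule has its direction reversed relative to the traffic it is meant to catch, so both halves of the ping fall through to the permit-any line, which matches the zero deny counters in the question.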
Similar Messages
-
Config RADIUS on WLC 5508 - Communication problems with NPS Server
Hi,
I'm facing some problems when configuring RADIUS auth with an NPS Windows Server.
My WLAN interface is in a different VLAN than the management interface; is that a problem?
I want this WLAN to be on a different VLAN from the management. When I use the WLAN interface in the same VLAN, RADIUS works without problems. But in different VLANs it is not working.
The NPS server has 2 NICs, 1 for the wireless VLAN, and another for the management VLAN.
The logs from the WLC show this, but I have difficulties interpreting all this data:
*apfMsConnTask_0: Dec 29 12:49:14.636: Association request from the P2P Client Process P2P Ie and Upadte CB
*apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Adding mobile on LWAPP AP d4:d7:48:45:fb:20(0)
*apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfMsAssoStateInc
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Idle to Associated
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received EAPOL EAPPKT from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received Identity Response (count=2) from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc EAP State update from Connecting to Authenticating for mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 4)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Reached Max EAP-Identity Request retries (3) for STA 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sent Deauthenticate to mobile on BSSID d4:d7:48:45:fb:20 slot 0(caller 1x_auth_pae.c:3165)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Scheduling deletion of Mobile Station: (callerId: 6) in 10 seconds
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Disconnected state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Not sending EAP-Failure for STA 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:55.518: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)
Yes, I thought of that. But if I use a simple password authentication on the wireless, I can reach the server with the same subnet interface. But I don't want to allow this subnet to access the management subnet of the wireless controller.
One question I have is: which subnet does the WLC use for RADIUS? Does it use the subnet of the wireless interface, or does it always use the management interface?
Could you help me understand how the radius auth works with this wireless controller? Did you see anything strange in the logs that I posted above? It seems to run ok until:
dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
Received EAPOL START from mobile 3c:c2:43:94:3e:bc
dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
I also note this: "Applying Local Bridging Interface Policy for station "
What does this mean?
-
I have several new ASA-5520 boxes. All are configured with version 7.06 (Cisco recommendation) and in active/standby configuration.
The problem is that the ACLs seem to disappear. For example: I have an outside access list that has about 20 lines. Every once in a while the ACL will start blocking traffic that is permitted by the ACL. When I do a 'sh access-list outside' it says that there are only two elements. They are there when I look at the running config. If I wait a while they start to work again and show up as 'active elements' again. I can force a failover and failback to fix it or restart the firewall. I will open a TAC case on Monday. I was hoping that maybe someone has seen this and has a quick solution.
Thanks,
Patrick
Could you provide the show running-config?
-
Security update fixes ACL problems, almost
So far when running disk permissions, I've had one iMac C2D have no problems reported and the other iMac C2D only have ACL issues on /Library
Open the Terminal application and type:
man chmod
Look under the heading ACL MANIPULATION OPTIONS. The argument that you would use is:
"everyone deny delete"
If you can't understand the manual then leave your handiwork alone. It's not a large security breach. chmod, chown, and chflags should only be used when you understand what you are doing.
-
WLC 2504 problems with one IP address range
I am having an interesting issue configuring a new 2504.
How it is setup:
Port 1 management with vlan tagging on vlan 111
Port 2 trunking with ap-manager2 on vlan 3, 102 on vlan 102 (Not ap-manager), and 1001 on vlan 1001.
All of the vlans have distinctive and unique IP ranges. Vlan 111 is running 172.16.128 /20, 102 is 172.19.252 /23 and vlan 1001 should be running 172.17 /16.
Here is my problem. I can set up all of the dynamic interfaces on the appropriate IP ranges, but for some reason when I configure the 1001 vlan dynamic interface with the /16 address space, I lose connectivity to the GUI management interface. I have to go in through the CLI and remove the interface or change the IP range. I have tried other /16 address space on that vlan and do not have a problem with them. The 172.17 space appears to be the only one that will not work.
I have attached the config from the controller (minus some site-specific stuff like the SNMP community and WPA stuff). The config is using a 172.20 /16 right now on the 1001 interface so that I could get into the controller and download the config. It should be 172.17 /16. The actual IP info should be 172.17.4.253 255.255.0.0 172.17.0.254
My computer is on the 1001 vlan and I have verified the IP is not in use and am using the same subnet, gateway etc as I am trying to configure the wlc with.
Switch config:
Port 1 is plugged into g0/2 with the following config
interface GigabitEthernet0/2
switchport trunk allowed vlan 1,3,102,111,1001
switchport mode trunk
spanning-tree portfast
Port 2 is plugged into fa0/47 and just has switchport mode trunk.
How can I get the interface to work with the proper IP range for vlan 1001?
I finally had a chance to fiddle around with this issue again and have some more information on the problem. It appears to not be an issue with the IP address, but rather with the VLAN. The 172.17.0.0/16 subnet is on VLAN 1001 which it appears the WLC does not care for. This problem is repeatable on the following versions of code that I have tried:
7.0.220.0
7.1.91.0
7.4.110.0 (Not in use for production until we upgrade from WCS to Prime.)
Any thoughts? Moving the 1001 VLAN to another number would be a HUGE undertaking so if there is not an answer within the firmware on the WLC, I will have to bridge two VLANs with bpdufilter enabled... Not my first choice for sure...
-
ACL problem in 6 and 5.1 sp9? Bug?!
Hi all gurus:
I got this problem for several days, and still cannot solve it. Can
anyone help me?
My design is to put all my beans and connection pool under one "kbf"
acl. And "guest" servlet/jsp accesses these beans by using this "kbf"
account. And it works in 5.1 sp8.
Then I tried to use sp9. The very first time when jsp is compiling
by WLS, all the jsps work correctly! After that, immediately click the
link again, it throws jndi exception. Saying "guest" no permission to
access "kbf" jndi. But my "guest" actually is a servlet/jsp running
inside the server.
So then we tried to use 6 sp2, to see whether we can solve the
problem. And the funny things come out as follows.
I just click my URL link in browser, first time everything is fine,
my data is shown correctly. second time it throws ACL exception ,saying
guest no right to look up my JDBC pool. Click again, the data comes out
again. Click again throws same exception. It is a "toggle".
And, for another jsp page/link, (it gets data from two tables),
first time both two tables data are shown. Click some other link, then
come back to click this link, only one table data is shown, then click
this link again, both are shown. It is also a "toggle", slightly
different.
Something really funny going on for this ACL!
Can anyone in BEA tell me more about this ACL issue? Why always
nobody cares to answer these ACL questions? Both in ejb group and
security group?
Or simply nobody is using ACL in their project?
Or I missed out something important? or I am abusing ACL?
Or is it a bug?
Since we are going to production very soon, I need the solution
ASAP. Right now I only have two solutions:
1. stick to 5.1 sp8.
2. grant "guest" permission to all my beans, connection pool, which
means no use for the ACL at all.
Hope someone at least give me an hint. And sorry for the crossing
post.
Thanks.
minjiang
Thanks a lot!
The problem is that I cached the ejb homes and connection pool. So now I use
your first solution, create context every time, although the performance may
slow down.
But strange, it works in 5.1 sp6-8.
Thanks again, Dimitri!
minjiang
Dimitri Rakitine wrote:
The security context is associated with thread so, for example:
in a servlet, you create InitialContext as "user" and save it.
Next request which will be "guest" anyway.
So, if you want authentication, you can either
- create InitialContext everytime
- use j2ee security so container will do this automatically:
http://e-docs.bea.com/wls/docs61/webapp/security.html
Dimitri
On Fri, 13 Jul 2001, minjiang wrote:
Hi Dimitri:
Sorry to mail you directly.
I have this question for quite some time. And not receive any
response for my posting, cross posting.
Do you have any idea why my deployment works on 5.1 sp8, but not on
sp9 and 6 sp2?
I noticed bea changed the weblogic.ejb.internal.StatefulEJBObject,
and StatefulEJBCache in sp9, and this is part of why my application
cannot work. (for one facade session bean looking up other beans in
another acl)
Another part is I described in the forward posting, for my "guest"
jsp/servlet cannot access other acl?
For my understanding, since my facade bean and jsp/servlet only run
inside the WLS server, so as long as the correct credential is supplied
while constructing the jndi context, they should be allowed, right? It
should not be only one credential in one thread, which seems WLS is doing
now.
Thanks for help, and any hint or document is appreciated.
minjiang
-
WLC ACL For Internet Access Only
I've implemented Cisco ISE 3495's with the advanced subscription license. I've built my policy sets, and authorization profiles. It all works great! Here's the issue that I'm having. I have internal employees who bring in their own devices (BYOD). I want to allow them onto the secured SSID that I've created, but only want to give them access to the intra/internet. I've created an ACL (EmpInternetOnly) on the WLC. Here are my rules:
I can get to the intranet, with no issue (ACL lines 1-4). I can't get to the internet whatsoever. I see everything falling down to the deny statement. When I remove the deny statement (ACL line 14), and put a permit all, then the internet works with no issue. Am I missing something here? I've researched this topic on several message boards, but can't find an answer. I've tried to run the acl debug, on the controller, but do not see any output when I run it. It might be because I don't understand the proper format of how to set it up. Any and all replies would be much appreciated! Thanks!
Steve
-
WLC 5508 Problem with #DOT1X-3-INVALID_REPLAY_CTR
Hi all,
I have a WLC 5508 with version 7.4.110.0 and with 13 access points. 12 of these APs are AIR-LAP1142N-E-K9 and 1 is AIR-CAP3602I-E-K9.
Logs of my WLC are:
*Dot1x_NW_MsgTask_1: Jan 11 01:15:05.167: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 90:c1:15:c6:c3:49 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
*Dot1x_NW_MsgTask_4: Jan 11 01:09:41.015: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 5c:0a:5b:c1:16:34 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
*Dot1x_NW_MsgTask_3: Jan 11 01:03:32.269: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_3: Jan 11 01:03:32.266: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_0: Jan 11 01:03:31.648: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 24:77:03:67:01:48 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_5: Jan 11 01:03:31.638: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:da:c1:cd - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_2: Jan 11 01:03:31.638: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client cc:78:5f:29:cc:82 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_4: Jan 11 01:03:31.633: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 08:11:96:55:81:c4 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_0: Jan 11 01:03:31.631: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 84:3a:4b:56:36:50 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_1: Jan 11 01:03:31.630: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:e2:d4:91 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_0: Jan 11 00:59:52.593: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client a0:88:b4:60:20:f8 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
*apfRogueTask_3: Jan 11 00:59:32.168: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 2, Requested containment level 4
*apfRogueTask_3: Jan 11 00:58:38.635: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 1, Requested containment level 4
*Dot1x_NW_MsgTask_0: Jan 11 00:50:06.885: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 10:68:3f:46:4e:e8 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
*Dot1x_NW_MsgTask_0: Jan 11 00:50:06.883: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 10:68:3f:46:4e:e8 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 02
*dot1xMsgTask: Jan 11 00:49:05.842: #DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:618 Client c8:e0:eb:19:2a:97 may be using an incorrect PSK
*apfRogueTask_3: Jan 11 00:40:42.576: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 3, Requested containment level 4
*Dot1x_NW_MsgTask_3: Jan 11 00:40:17.471: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client c4:43:8f:f1:8c:8b - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
*Dot1x_NW_MsgTask_4: Jan 11 00:40:03.368: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client f0:d1:a9:8e:1a:dc - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_1: Jan 11 00:39:30.528: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:d8:84:09 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
I already went to this link to check the description of the errors:
http://www.cisco.com/en/US/docs/wireless/controller/message/guide/msgs4.html#wp1000139
Appreciate all feedback. Thank you.
Hi Ruben,
a) After successful dot1x authentication, session keys are derived from pairwise master key.
b) When the AP transmits a key to a station by default, it expects a response back within a set timeframe.
c) If the station does not respond, the AP increments the counter and retransmits the key.
d) If the AP receives a response to first message just after the retransmission of the key, a mismatch occurs in the counter.
This in most of the cases will be a client driver problem.
Solution :
1) try to increase the EAPOL-Key Timeout ( config advanced eap ).
2) Upgrade the client driver.
*****Help out other by using the rating system and marking answered questions as "Answered"***** -
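The race described in steps b) to d) of the answer above, as a small simulation; this is an added example, not controller code. The timeout, client delay, retry count and the sample log line are constructed, and the model assumes the client answers every key frame after a fixed delay and that the counter starts at 1.

```python
import re
from typing import List, Optional, Tuple


def key_exchange(timeout_ms: int, client_delay_ms: int,
                 retries: int = 2) -> Tuple[bool, List[Tuple[int, int]]]:
    """Simulate one EAPOL-Key exchange.

    The AP sends a key frame, waits timeout_ms, then increments the replay
    counter and retransmits (up to `retries` times). The client echoes the
    counter of the frame it is answering, client_delay_ms after it was sent.
    Returns (accepted, mismatches); each mismatch is (got, expected).
    """
    if timeout_ms <= 0 or client_delay_ms <= 0:
        raise ValueError("timeout and client delay must be positive")
    events = []
    for n in range(retries + 1):
        counter = n + 1
        events.append((n * timeout_ms, 1, "send", counter))
        # priority 0: a reply landing exactly on a deadline is still in time
        events.append((n * timeout_ms + client_delay_ms, 0, "reply", counter))
    give_up = (retries + 1) * timeout_ms  # AP stops waiting after the last timeout
    current, mismatches = 0, []
    for when, _prio, kind, counter in sorted(events):
        if when > give_up:
            break
        if kind == "send":
            current = counter
        elif counter == current:
            return True, mismatches
        else:
            mismatches.append((counter, current))  # stale reply: "got X, expected Y"
    return False, mismatches


def as_log_bytes(counter: int) -> str:
    """Render a counter the way the controller log prints it (8 bytes, hex)."""
    return " ".join(f"{b:02x}" for b in counter.to_bytes(8, "big"))


LOG_RE = re.compile(
    r"Invalid replay counter from client (\S+) - "
    r"got ((?:[0-9a-f]{2} ){7}[0-9a-f]{2}), "
    r"expected ((?:[0-9a-f]{2} ){7}[0-9a-f]{2})"
)

# Constructed sample in the format of the log lines quoted in the question.
SAMPLE_LINE = (
    "*Dot1x_NW_MsgTask_3: Jan 11 01:03:32.266: #DOT1X-3-INVALID_REPLAY_CTR: "
    "1x_eapkey.c:360 Invalid replay counter from client 02:00:00:00:00:01 - "
    "got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04"
)


def missed_retransmissions(line: str) -> Optional[Tuple[str, int]]:
    """Return (client MAC, expected - got): how many key frames were sent
    after the one the client actually answered. None if the line differs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    got, expected = (int(x.replace(" ", ""), 16) for x in m.group(2, 3))
    return m.group(1), expected - got


if __name__ == "__main__":
    for timeout, delay in ((1000, 200), (1000, 1200), (5000, 1200)):
        ok, bad = key_exchange(timeout, delay)
        print(f"timeout={timeout}ms delay={delay}ms accepted={ok}")
        for got, expected in bad:
            print(f"  got {as_log_bytes(got)}, expected {as_log_bytes(expected)}")
    print(missed_retransmissions(SAMPLE_LINE))
```

A client that needs 1200 ms never catches up with a 1000 ms timeout, while the same client is accepted on the first frame once the timeout exceeds its delay, which is the effect of the first suggested fix.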
Hello,
I have a problem with a new WLC 2106 controller. I made this basic configuration (after reset):
(Cisco Controller) >show interface summary
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
ap-manager 1 10 10.10.10.21 Static Yes No
management 1 10 10.10.10.20 Static No No
virtual N/A N/A 1.1.1.1 Static No No
At this point, everything works OK. The controller is accessible via HTTPS, and the AP (one 1130) is connected too. But next I need to create a new WLAN and another interface VLAN, named ak-lan
config interface create ak-lan
config interface port ak-lan 1
HTTPS access is still working, but when I configure the IP address:
config interface address dynamic-interface ak-lan 10.10.11.10 255.255.255.0 10.10.11.1
HTTPS access stops. In fact, it seems like HTTPS starts on the new interface - it's accessible via 10.10.11.10, but (after the certificate warning) shows only an empty page (Page is not accessible..)
I don't have any idea why. I tried downgrading the software (it originally came with 7.0.98.0) to 6.0.196.0, which I use on another identical controller, but the behavior is the same. Now I use software 6.0.199.4. Again the same behavior.
"show interface summary" says:
(Cisco Controller) >show interface summary
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
ak-lan 1 11 10.10.11.10 Dynamic No No
ap-manager 1 10 10.10.10.21 Static Yes No
management 1 10 10.10.10.20 Static No No
virtual N/A N/A 1.1.1.1 Static No No
(Cisco Controller) >
All interfaces (excluding virtual) respond to ping. All interfaces have netmask 255.255.255.0.
There was another strange thing - "show sysinfo" says that I use sw 6.0.199.4 and emergency is 7.0.98.0, but "show boot" says:
(Cisco Controller) >show boot
Primary Boot Image............................... 6.0.199.4 (active)
Backup Boot Image................................ 6.0.196.0
(Cisco Controller) >
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 6.0.199.4
RTOS Version..................................... 6.0.199.4
Bootloader Version............................... 4.0.191.0
Emergency Image Version.......................... 7.0.98.0
Build Type....................................... DATA + WPS
System Name...................................... ak-wlc
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.828
IP Address....................................... 10.10.10.20
System Up Time................................... 0 days 0 hrs 46 mins 35 secs
System Timezone Location.........................
Configured Country............................... DE - Germany
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +55 C
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 0
3rd Party Access Point Support................... Disabled
Number of Active Clients......................... 0
Burned-in MAC Address............................ E0:5F:B9:63:7B:00
Switch is C2960, port Gi0/2:
Gi0/2 T wlc connected trunk a-full a-100 10/100/1000BaseTX
interface GigabitEthernet0/2
description T wlc
switchport trunk allowed vlan 10,11,100
switchport mode trunk
end
VLANs are set properly. Router is ASA 5510, and routing is fine. Moreover, interfaces on the WLC are accessible via ping (I didn't try telnet or ssh).
-
Guest WLAN with Anchor WLC - roaming problems
Hello,
My wireless network consists of 3 WLC 4402 which manage 40 APs.
I have a fourth WLC which I installed on my DMZ for guest VLAN anchoring and web authentication.
Everything works fine but I have a problem:
If my client associates with an AP and then I authenticate, I'm ready to make traffic. As soon as my client roams to an AP managed by a different WLC I need to authenticate again. If I roam back to the first AP I need to reauthenticate.
In my guest WLAN I use WEB authentication provided by the internal web server of the Anchor WLC.
Thanks everybody
Here is the output of show mobility summary.
The last WLC is the anchor.
WLC1
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
WLC2
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
WLC3
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up
WLCAnchor
(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 4
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up
-
How can you see what the WLC ACL is denying?
How can you see what the acl on our WLC5508 is denying? The counter keeps on going up but what is getting blocked is nowhere to be seen.
You are right, but you can monitor that through the hit counts on the (WLC) Security -> Access Control List === Hits
It will give you some idea for troubleshooting; you also have the command line for detailed analysis.
-
Leopard Server / Windows / ACL Problem
We have this problem that came up since we upgraded our servers to Leopard. When Windows users are accessing files (over SMB), the POSIX permissions seem to override the ACLs. This is a problem because applications like Excel will change the permissions.
This worked perfectly in Tiger. The Windows user would modify the POSIX permissions all they want, but it wouldn't matter because the ACLs were what mattered.
Does anyone know of a solution? This is a real problem.
Since your issue is caused by OS X Server, you may want to post your question over in the OS X Server forums:
http://discussions.apple.com/category.jspa?categoryID=96
-
I have a 4506 that is used in a lab environment. We utilize the 192.168.X.X range split up into vlans:
vlan 2 assigned ip address 192.168.0.1
vlan 3 assigned ip address 192.168.1.1
vlan 4 assigned ip address 192.168.2.1
vlan 5 assigned ip address 192.168.3.1
and so on.
Here is the problem:
I need the people using 192.168.3.X on vlan 5 to only be able to access outside their vlan on PING (ICMP), DNS (udp 53), Proxy server on port 8080, LDAP (tcp 369), and SSL (tcp 443); this is to all vlans.
And only host 192.168.0.180 on vlan 2
and host 192.168.2.181 on vlan 4
to be able to access all IPs on vlan 5.
Everything I have tried with extended ACLs has failed to allow this to happen.
Ken Taylor
Here's a small excerpt of something similar I set up on a 6509 using reflexive ACLs (adjust IPs and ports to your liking)...
! Applied "out" on the SVI: traffic routed toward hosts in VLAN 232
ip access-list extended vlan232_acl_inbound
 ! return traffic for sessions that VLAN 232 hosts opened
 evaluate intraffic232
 permit tcp any host 192.168.232.20 eq www reflect outtraffic232
 permit tcp any host 192.168.232.20 eq 443 reflect outtraffic232
 permit tcp any host 192.168.232.20 eq ftp reflect outtraffic232
 permit tcp any host 192.168.232.20 range 1024 5000 reflect outtraffic232
 permit tcp any host 192.168.232.42 eq ftp reflect outtraffic232
 permit tcp any host 192.168.232.42 range 1024 5000 reflect outtraffic232
 permit ip host 192.168.51.5 192.168.232.0 0.0.0.255
 permit ip 192.168.231.0 0.0.0.255 192.168.232.0 0.0.0.255
 permit ip host 206.195.31.0 192.168.232.0 0.0.0.255
 deny ip 192.168.0.0 0.0.255.255 192.168.232.0 0.0.0.255
! Applied "in" on the SVI: traffic sent by hosts in VLAN 232
ip access-list extended vlan232_acl_outbound
 ! return traffic for sessions opened toward VLAN 232 hosts
 evaluate outtraffic232
 permit ip 192.168.232.0 0.0.0.255 host 192.168.151.33 reflect intraffic232
 permit ip 192.168.232.0 0.0.0.255 192.168.2.0 0.0.0.255 reflect intraffic232
 permit ip 192.168.232.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect intraffic232
 permit ip 192.168.232.0 0.0.0.255 host 192.168.51.5
 permit ip 192.168.232.0 0.0.0.255 192.168.231.0 0.0.0.255
 deny ip 192.168.232.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.232.0 0.0.0.255 any reflect intraffic232
interface Vlan232
 ip access-group vlan232_acl_outbound in
 ip access-group vlan232_acl_inbound out
-
Strange ACL problem...
Using Server 10.5.2
Trying to create a custom ACL for a sharepoint where two different groups are allowed permissions for everything except for deleting files and folders. I have set these using File Sharing in Server Admin and ticking the boxes in custom ACL.
I have propagated the permissions through the files and folders in the sharepoint and checked in terminal that they have taken using ls -le.
However, when logging in, the user is able to create a new folder within the sharepoint but not able to change its name (permission denied). They can't delete also (so at least that works!).
If I give the user (group) full access or read and write access, everything is fine but obviously they can delete files...not so good.
The same problem occurs on another sharepoint and also using other users....
Any ideas??
Thanks,
Joel.
I don't know if this still applies, but it should.
Check this archived thread:
http://discussions.apple.com/thread.jspa?messageID=1535247
-
We have this problem that came up since we upgraded our servers to Leopard. When Windows users are accessing files (over SMB), the POSIX permissions seem to override the ACLs. This is a problem because applications like Excel will change the permissions.
This worked perfectly in Tiger. The Windows user would modify the POSIX permissions all they want, but it wouldn't matter because the ACLs were what mattered.
Does anyone know of a solution? This is a real problem.
OK, here's a tip that may get the situation going for you all. This involves making an adjustment to your server's Samba configuration file, which should be done with the Windows SMB services stopped.
In /etc/smb.conf, add the following line under [global]:
acl check permissions = no
This mailing list archive notes the same problem: http://lists.apple.com/archives/macos-x-server/2008/Jan/msg00759.html, and it offered the above solution.
Here's a little more about why this alteration is required: Windows clients work a little differently when determining if a file or folder (an item) can be deleted or not. With simple POSIX permissions, you're allowed to delete an item as long as you have write access to the item's parent folder and as long as the POSIX special permission sticky (owner only delete) bit is not set. With ACLs, deletion can be granted explicitly on the item via the use of delete or it can be granted via implication so long as the item's parent has delete_child. In short, to deny deletion of an item, you must deny delete on the item itself and delete_child on its parent. Now it's starting to get a bit more complicated to determine if some item can or cannot be deleted.
Apparently Windows clients perform a "pre-scan" of a folder's contents ahead of time to determine if an item can or cannot be deleted. The logic behind this "pre-scan" works like this: 1. Assume that the item cannot be deleted. 2. If the pre-scan evaluates effective permissions correctly, and those permissions allow delete, flag the item as being delete-able.
Now when you go to delete the item, Windows just checks the result of its pre-scan. With Leopard, Windows boxes are having trouble evaluating effective permissions from the Darwin ACL model. (I don't know why.) Thus, the pre-scan returns "deletion denied" because that's the default assumption. Windows didn't even try to delete the file; rather, it simply doesn't think this is possible.
The use of "acl check permissions = no" disables this Windows "pre-scanning" behavior. Unfortunately, this can mean that an item that really cannot be deleted appears to be delete-able. In this case the item will "magically reappear" the next time the folder's contents are refreshed in Windows.
Hope this helps! This is my present understanding of the need.
--Gerrit
Message was edited by: Gerrit DeWitt
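The deletion rules and the pre-scan behaviour described in the post above, as a simplified Python model added here (not part of the original post, and not Samba or Darwin code). The `Node` class, the function names and the sample permissions are constructed for illustration.

```python
# Simplified model of the delete rules described in the post above.
# All names are hypothetical; this is not Samba or Darwin code.
from dataclasses import dataclass, field

@dataclass
class Node:
    acl: list = field(default_factory=list)  # ordered ACEs: ("allow"|"deny", {perms})
    posix_write: bool = False                # caller has POSIX write access
    sticky: bool = False                     # owner-only-delete bit (directories)
    caller_is_owner: bool = False

def acl_verdict(node, perm):
    """First ACE that mentions perm decides; None means the ACL is silent."""
    for kind, perms in node.acl:
        if perm in perms:
            return kind == "allow"
    return None

def server_allows_delete(item, parent):
    """Delete is granted by 'delete' on the item OR 'delete_child' on the parent.
    Where the parent ACL is silent, plain POSIX rules on the parent apply."""
    if acl_verdict(item, "delete"):
        return True
    child = acl_verdict(parent, "delete_child")
    if child is not None:
        return child
    return parent.posix_write and (not parent.sticky or item.caller_is_owner)

def client_shows_deletable(item, parent, prescan_enabled, prescan_can_evaluate):
    """Pre-scan as described in the post: default to 'cannot delete' and flip
    only if effective permissions were evaluated and allow the delete."""
    if not prescan_enabled:          # acl check permissions = no
        return True                  # client will try; the server decides
    return prescan_can_evaluate and server_allows_delete(item, parent)

def outcome(item, parent, prescan_enabled, prescan_can_evaluate):
    """What the user experiences for one file."""
    if not client_shows_deletable(item, parent, prescan_enabled, prescan_can_evaluate):
        return "refused by client"
    return "deleted" if server_allows_delete(item, parent) else "reappears on refresh"
```

Denying `delete` on the item alone leaves it deletable whenever the parent still grants `delete_child` or POSIX write, which is why both must be denied before a share counts as delete-protected.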