Symptom
After following the dACL configuration steps in the 9800 configuration guide: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-10/config-guide/b_wl_17_10_cg/m_dACL.html
and the ISE-side steps linked from that guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212419-configure-per-user-dynamic-access-contro.html
When ISE is configured to send the 9800 a dACL, the WLC fails to download it with a few different errors, mainly an "AAA incomplete configuration" error and an ACL name error.
dACLs require an "aaa authorization network" method on the WLC.
One can use the default method with the default RADIUS group: "aaa authorization network default group radius".
If you do not want to define a default method, you must define a named method instead. In that case it is mandatory to tell ISE which AAA authorization method list to use (via the Method-List AV pair); otherwise the WLC is unable to download the ACL.
Conditions
Following the dACL configuration guide at
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-10/config-guide/b_wl_17_10_cg/m_dACL.html
Workaround
Configure a named AAA authorization method list on the 9800 and reference it in a cisco-av-pair sent from ISE along with the dACL.
Example:
At WLC:
WLC(config)# aaa authorization network authZlist group authz-server-group
At ISE:
Send this attribute along with the dACL:
cisco-av-pair = Method-List=authZlist
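The following is an added, fuller example of the WLC side of the workaround; it is not taken from the bug report or the Cisco guides. The RADIUS server name (ISE-1), address (10.0.0.5), shared secret placeholder, WLAN name and the method-list and group names are assumed for illustration. It shows both ways of satisfying the "aaa authorization network" requirement: the default method (no AV pair needed) and a named method (requires the Method-List AV pair from ISE), together with the ISE authorization-profile contents and the commands used to confirm the dACL actually arrived on the controller.

```cisco
! Added example, not from the original bug report. Names and addresses are assumed.
aaa new-model
!
! RADIUS server definition (ISE PSN). Replace <shared-secret> with the real key.
radius server ISE-1
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key 0 <shared-secret>
!
! Server group used by both the authentication and the authorization method lists.
aaa group server radius authz-server-group
 server name ISE-1
!
! CoA listener so ISE can re-authorize a session (needed for dACL changes via CoA).
aaa server radius dynamic-author
 client 10.0.0.5 server-key 0 <shared-secret>
!
! Authentication method list for the WLAN.
aaa authentication dot1x authNlist group authz-server-group
!
! --- Option A: default authorization method. ISE needs no Method-List AV pair. ---
aaa authorization network default group authz-server-group
!
! --- Option B: named authorization method. ISE MUST send Method-List=authZlist, ---
! --- otherwise the dACL download fails with the AAA/ACL errors in the symptom.  ---
aaa authorization network authZlist group authz-server-group
!
! Bind the WLAN to the authentication list (the authorization list is selected by
! the ISE AV pair in option B, or by the default method in option A).
wlan corp-wlan 1 corp-wlan
 security dot1x authentication-list authNlist
!
! ISE side (Authorization Profile for the matching policy rule), for reference:
!   Common Tasks  -> DACL Name        = <dACL defined under Policy > Results > Downloadable ACLs>
!   Advanced Attributes -> Cisco:cisco-av-pair = Method-List=authZlist   (option B only)
!
! Verification on the WLC after a client authenticates:
!   show aaa servers            ! RADIUS server reachable, no authorization failures
!   show access-lists           ! downloaded dACL appears as xACSACLx-IP-<name>-<hash>
```

With option B, the check that matters is that "show access-lists" lists the xACSACLx-IP-… entry after the client connects; if the entry is absent, the method list named in the AV pair does not match what is configured on the WLC, and the client is not getting the restrictions the dACL was meant to enforce.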
Further Problem Description
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html