topic Hi Nic, this should be in Network Access Control

Providing different ACL for the same device depending where connected ?

NicolasDemonty — Mon, 11 Mar 2019 07:25:18 GMT

Hi all,

in a classical and normal ISE - NAC design is it possible to send different downloadable ACL for a same device depending of where it is connected ? I mean for example :

- Laptop X connected in vlan 100 (IP range 10.10.10.0/24) : get downloadable access-list "permit any".

- Same laptop X connected in vlan 20 (IP range 20.20.20.0/24) : get different downloadable access-list "deny all".

I know it is possible to provide dACL based on the IP range but is it also possible to base the ACL on "type of device + IP range" ?

Thanks in advance

Nic

Hi Nic, this should be

nspasov — Wed, 01 Feb 2017 19:11:13 GMT

Hi Nic, this should be possible. I have done this in the past where I had to push a different dACL based on the office location and floor #. For this, I used the "Device-Location" attribute. Thus, switches were grouped based on the device location which I used for the Authorization Rules. For instance, :

If device location = SiteA-Floor-1 then dACL = ACL_1

If device location = SiteA-Floor-3 then dACL = ACL_2

I hope this helps!

Thank you for rating helpful posts!

Hi Neno,

NicolasDemonty — Thu, 02 Feb 2017 07:16:15 GMT

Hi Neno,

thanks for the reply. Actually this method doesn't suit me as I have to do the difference between vlan or IP net and I can have two of the vlans on the same location.

Nic

Before I can provide any

nspasov — Thu, 02 Feb 2017 18:20:25 GMT

Before I can provide any additional suggestions you will need to outline the exact requirements 🙂 Can you give us more details on exactly what you are trying to accomplish?

Thank you for rating helpful posts!