topic Re: redirect ACL and dACL in Network Access Control

redirect ACL and dACL

williamtan — Wed, 08 Jan 2020 02:55:18 GMT

I have a list of remediation server which included AD, antivirus and SCCM server. There was more than 60 servers around all sites. I have added all servers IP to dACL in ISE. Do I need to add all servers IP to the redirect ACL in switch? Or I just add AD server IP?

Re: redirect ACL and dACL

Greg Gibbs — Wed, 08 Jan 2020 04:20:45 GMT

If the client needs to communicate with remediation servers while the session is in a redirect state (e.g. during a Posture Unknown or NonCompliant state), you will need to exempt those IP addresses from redirection in the Redirect ACL. If a DACL is also being applied by the AuthZ Profile that sends the redirect, it also needs to permit the remediation traffic.

For future reference, this document has some of the best step-by-step details on the Posture flows - https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

Cheers,

Greg

Re: redirect ACL and dACL

williamtan — Thu, 09 Jan 2020 06:55:11 GMT

But I have stack switches in my environment, can I configure more than 64 line in redirect ACL?

Re: redirect ACL and dACL

Greg Gibbs — Thu, 09 Jan 2020 07:33:26 GMT

I wouldn't recommend it. Switches have limited TCAM compared to routers or firewalls, so we typically do not recommend ACLs or dACLs with more than 30 ACEs max. Especially if that ACL or dACL has a potential to be applied on multiple switchports at the same time.

A better option might be to use a separate remediation VLAN and/or transit ACLs on upstream routers/firewalls to restrict access.

Re: redirect ACL and dACL

Jason Kunst — Thu, 09 Jan 2020 15:36:04 GMT

@Greg Gibbs wrote:

If the client needs to communicate with remediation servers while the session is in a redirect state (e.g. during a Posture Unknown or NonCompliant state), you will need to exempt those IP addresses from redirection in the Redirect ACL. If a DACL is also being applied by the AuthZ Profile that sends the redirect, it also needs to permit the remediation traffic.

For future reference, this document has some of the best step-by-step details on the Posture flows - https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

Cheers,

Greg

True remember this is for port 80 services only. if the clients are communicating other ports then the URL redirect ACL won't have any impact

Re: redirect ACL and dACL

Greg Gibbs — Thu, 09 Jan 2020 21:47:26 GMT

@Jason Kunst

I'm not sure if that's 100% accurate as the redirect exemption is required for other posture ports like tcp/udp 8905 and 8909.

When working with a customer in the past, we found we had to exempt redirection for traffic like Kerberos and LDAP to allow auth comms required for JAMF as well as specific ports used by McAfee EPO.

Maybe this is dependent on the switch hardware/software version, but I would highly recommend testing the flows in a Non-Prod environment first.

Re: redirect ACL and dACL

hslai — Wed, 15 Jan 2020 04:23:16 GMT

Greg is correct. some dependency on the switch platform and releases.

In general, there are two ways for the ACLs:

1) Use redirect ACL only: What needs to allowed through will be defined as deny.

2) Use redirect ACL and DACL: In this, we may only redirect on TCP 80 (and/or TCP 443), then use DACL to permit other connections. For example:

ip access-list extended ACL-POSTURE-REMEDIATION
 permit tcp any any eq www

DACL_POSTURE_REMEDIATION contains below, where 10.1.100.21 is ISE and 10.1.129.8 is a remediation server:

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
permit tcp any host 10.1.100.21 eq 8905
permit udp any host 10.1.100.21 eq 8905
permit tcp any host 10.1.129.8 eq 80