topic Re: Where to find MUD generated ACL in ISE ? in Network Access Control

Where to find MUD generated ACL in ISE ?

darkingdoom — Sun, 09 Jun 2019 17:54:33 GMT

Hey,

I had been playing for a while with MUD, Cisco do provide a sandbox with ISE in which it get a RADIUS packet with MUD URL and after that it forward it to the MUD manager inside the ISE as shown below

So the ISE and the MUD Controller/Manager is one thing since it's included in the ISE

On the sandbox there is demo for uploading a LLDP packet with MUD url as shown below, Sandbox can be requested from here

After that new end point will appear, now i have the following issues

1. ACL should be created from the MUD file, on ISE i was not able to find it anywhere, so where i can found the generated Access Lists ?

2. The Demo and other PCAP files when uploaded get authentication failure on RADIUS as shown below

I will be glad to get answer for the issues above and how to get one complete flow [on the provided demo files]

Re: Where to find MUD generated ACL in ISE ?

ldanny — Wed, 12 Jun 2019 07:23:25 GMT

The authentication failure is expected as ISE does not have the endpoint in its database but the intention of the demo was

to provide a general idea of MU.

For example notice under context visibility that the device is profiled (IOT-MUD-genisyslighting_files_MUD_79590001A4_json)

I agree this is limited and not yet fully functional.

Re: Where to find MUD generated ACL in ISE ?

darkingdoom — Tue, 11 Jun 2019 15:37:34 GMT

Ok,

Will keep following, any estimated duration ?

Re: Where to find MUD generated ACL in ISE ?

Damien Miller — Wed, 12 Jun 2019 00:19:57 GMT

I was under the impression that the ACL component was a future enhancement for MUD and not something that is currently implemented in ISE 2.6. Today ISE will look up MUD and provide endpoint attributes that are visible in Context Visibility, but that is the current extent of it.