topic Re: Send a DACL to switch for non-domain device? in Network Access Control

Send a DACL to switch for non-domain device?

Dustin Anderson — Fri, 06 Jan 2017 17:22:07 GMT

OK, we use an unauth acl on switches and send back to use the auth ACL on proper 802.1x verification.

Now, this is annoying to maintain and change and they wanted to see about moving this to ISE. My issue is that if the PC can't be verified, it never runs through the rules. How do I send the unauth as a DACL if the PC can't be verified?

Re: Send a DACL to switch for non-domain device?

kthiruve — Fri, 06 Jan 2017 22:03:21 GMT

Hi Dustin,

You can control the initial traffic with interface ACL's and use DACL after authentication.

If you are using services such as Guest, BYOD as part of url-redirect acl, you can open other traffic using this.

And then after a change of authorization you can send a final DACL.

So there are a couple of ways to handle this.

Thanks

Krishnan

Re: Send a DACL to switch for non-domain device?

Dustin Anderson — Fri, 06 Jan 2017 22:13:32 GMT

ok, so there is no way to get away from an interface ACL. Thought was to block traffic, system comes on and gets a limited access dacl, then if authorized would get the final dacl.

Main reason is systems when imaging are not on the domain, so fail auth at first.

Anyway, just toying around and they were asking about getting the ACL off the switch since they have to force reauth if they change it.

Re: Send a DACL to switch for non-domain device?

kthiruve — Fri, 06 Jan 2017 22:34:26 GMT

Dustin,

You can use autosmart ports on the switch for this, so that you dont have to do it per interface. You can try out interface templates as well. These are switch related configuration. Here is a link to it fyi.

http://www.cisco.com/c/en/us/td/docs/switches/lan/auto_smartports/12-2_55_se/configuration/guide/asp_cg.pdf

Also you can use Network access: Auth fail attribute for failed authentication in authorization polcy and limit access.

Thanks

Krishnan