https://community.cisco.com/t5/network-access-control/ise-pre-auth-acl-vs-no-pre-auth-acl/m-p/3988473#M541151 <P>Without "authentication open" you are running "closed mode" and the switchport will only allow EAP packets and no user-packets. You need the ACL if you want to operate your switchports in "low-impact-mode" which is quite likely that you want it. But you would not start with it from the beginning. You typically begin with monitor-mode ("authentication open", no Pre-Auth-ACL and the ISE does not send any ACL to the switch) and move later to low-impact-mode ("authentication open", Pre-Auth-ACL and the ISE replaces the ACL with the right one depending on the device/user).</P> Sun, 24 Nov 2019 11:30:29 GMT Karsten Iwen 2019-11-24T11:30:29Z https://community.cisco.com/t5/network-access-control/ise-pre-auth-acl-vs-no-pre-auth-acl/m-p/3987927#M541150 <P>A quick question about Pre-Auth ACLs.</P><P>&nbsp;</P><P>I'm currently deploying ISE 2.4 for wired 802.1x/MAB.&nbsp; I do NOT have 'authentication open' on the switchports.&nbsp; I do have a monitor mode MAB policy to permit access on the default authZ rule for now until I get all my profile's identified and whatnot.&nbsp; I will deploy TrustSec after i get the profiling process completed.</P><P>&nbsp;</P><P>My question is this.&nbsp; If I do NOT have a pre-auth ACL does this mean the clients have NO access or ALL access while authenticating?&nbsp; I have 802.1x/MAB priority and order on the switchports.&nbsp; Is the Pre-Auth ACL a must-have?&nbsp; What are use-cases to have/not have one and the access results of the clients because of the ACL existing/not-existing.</P><P>&nbsp;</P><P>Thanks for your help.</P> Fri, 22 Nov 2019 15:00:16 GMT https://community.cisco.com/t5/network-access-control/ise-pre-auth-acl-vs-no-pre-auth-acl/m-p/3987927#M541150 zsmithtek 2019-11-22T15:00:16Z https://community.cisco.com/t5/network-access-control/ise-pre-auth-acl-vs-no-pre-auth-acl/m-p/3988473#M541151 <P>Without "authentication open" you are running "closed mode" and the switchport will only allow EAP packets and no user-packets. You need the ACL if you want to operate your switchports in "low-impact-mode" which is quite likely that you want it. But you would not start with it from the beginning. You typically begin with monitor-mode ("authentication open", no Pre-Auth-ACL and the ISE does not send any ACL to the switch) and move later to low-impact-mode ("authentication open", Pre-Auth-ACL and the ISE replaces the ACL with the right one depending on the device/user).</P> Sun, 24 Nov 2019 11:30:29 GMT https://community.cisco.com/t5/network-access-control/ise-pre-auth-acl-vs-no-pre-auth-acl/m-p/3988473#M541151 Karsten Iwen 2019-11-24T11:30:29Z https://community.cisco.com/t5/network-access-control/ise-pre-auth-acl-vs-no-pre-auth-acl/m-p/3988977#M541152 please check out wired guide <A href="https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_blank">https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515</A> Mon, 25 Nov 2019 15:35:45 GMT https://community.cisco.com/t5/network-access-control/ise-pre-auth-acl-vs-no-pre-auth-acl/m-p/3988977#M541152 Jason Kunst 2019-11-25T15:35:45Z