topic Re: ISE 2.4 and Authenticating Printers Using a DACL in Network Access Control

ISE 2.4 and Authenticating Printers Using a DACL

RSundstrom — Wed, 12 Feb 2020 19:19:19 GMT

Hello,

I would like to use a DACL in my ISE deployment to more secure networked printers.

I am currently at ISE 2.4 patch 8. I have a two-node deployment which has been working well.

I am now allowing printers onto the network by adding them to a Endpoint Identity group and then allowing that group network access.

I would like to be more secure than what I am doing now. I have considered certificates but because of the number of printers (about 110) and the variety of printer manufacturers I believe this would be very difficult.

I am now considering adding a DACL to more secure the printers. I have a DACL already created for the Printers Authorization Profile but it is simply "Permit IP any any".

I have researched and I would need to allow only certain ports (515 and 9100) and maybe others.

Can someone direct me to a sample of what a Printer DACL would look like?

Re: ISE 2.4 and Authenticating Printers Using a DACL

Colby LeMaire — Wed, 12 Feb 2020 21:01:18 GMT

Every environment would be different. Different vendors use different ports, some have centralized management on their own ports, users add printers to their computers in different ways (i.e. TCP/IP printing, print server, etc.). Try to discuss with your Service Desk or Desktop Support teams to gain a better understanding of the types of printers and how they are added to workstations. Then you can pick a small area to test with. Use a new authorization rule that adds a condition for a specific network device or a group of test network devices. Test printing different ways and do some packet captures if needed. As you get comfortable that your dACL is working, deploy it to all switches and troubleshoot one-off's as needed.

Re: ISE 2.4 and Authenticating Printers Using a DACL

Anthony O'Reilly — Fri, 12 Mar 2021 00:35:26 GMT

Hi,

Did you apply at dACL for your printing solution?

Re: ISE 2.4 and Authenticating Printers Using a DACL

thomas — Sat, 13 Mar 2021 19:52:15 GMT

@RSundstrom Please do share your findings with us about the various printers and ports!

Re: ISE 2.4 and Authenticating Printers Using a DACL

Greg Gibbs — Sun, 14 Mar 2021 22:45:06 GMT

As @Colby LeMaire mentioned, the DACLs can vary depending on the vendor/model of the printer as well as the features being used. You would definitely need to consult the vendor documentation and the technical team designing/deploying the printer solution to determine exactly what ports/protocols are required. You need to consider TCAM limitations on the switches that will use the DACL as having large ACLs applied to multiple ports can cause TCAM exhaustion and lead to memory issues.

Here is an example DACL we defined for one customer that is using Lexmark printers:

permit tcp any any eq 25
permit udp any any eq 53
permit udp any eq bootpc any eq bootps
permit udp any any eq 162
permit udp any eq 161 any
permit tcp any eq 161 any
permit udp any eq 9300 any range 1024 65534
permit udp any eq 9187 any range 1024 65534
permit tcp any eq 631 any
permit tcp any eq 515 any
permit tcp any eq 443 any
permit tcp any eq 80 any
permit tcp any eq 5000 5001 any
permit tcp any eq 5900 any
permit tcp any any eq 2939
permit tcp any eq 6110 any
permit udp any eq 6100 any eq 6100
permit udp any eq 5353 any
permit tcp any eq 21 any
permit tcp any eq 20 any
permit tcp any eq 9100 any
permit icmp any any echo-reply
deny ip any any

Re: ISE 2.4 and Authenticating Printers Using a DACL

Sina Dy — Thu, 21 Oct 2021 11:52:16 GMT

Hi Team,

I'm looking for help and explain on DACL. Currently, we're planning to improve restriction on IoT device in order to prevent any attacks as well Mac address spoofing.

Kindly, please help to explain as below.

What is the mainly purpose to have DACL? How DACL work with IoT device?

Can we use DACL to limited IoT device in the same VLAN? How it works without network segmentation? example: in case improper network segmentation or allow VLAN.

One more thing, what is the information or prerequisite that we could have and collect for configuration DACL for IoT devices?

please help share if you have any documents or guideline end to end.

Thank you in advance.

Re: ISE 2.4 and Authenticating Printers Using a DACL

Anthony O'Reilly — Thu, 21 Oct 2021 14:47:49 GMT

Hi @Sina Dy

The main purpose of a dACL is to restrict traffic from the device to the network.

After your IoT device authenticates, it will go through the authorization process, get an authorization profile from the policy set it matches and in the authz profile, you can assign a dACL.

You can enable probes on ISE, from this information that is sent to ISE, profiles can be created. You can create policy sets to match against this profile and you can also select security groups on the same ruleset.

You can also set a VLAN change if matched against the ruleset. This is also completed on the Authz profile.

Hope this makes sense.

Re: ISE 2.4 and Authenticating Printers Using a DACL

Sina Dy — Thu, 21 Oct 2021 15:21:34 GMT

Hi @Anthony O'Reilly ,

Thank you so much.

what is the information or prerequisite that we could have and collect for configuration DACL for IoT devices?

please help share if you have any documents or guideline end to end.

Re: ISE 2.4 and Authenticating Printers Using a DACL

Anthony O'Reilly — Fri, 22 Oct 2021 15:44:51 GMT

Hi @Sina Dy

Have a look at this, it goes through all the steps. When configuring your dACL add in networks, hosts and/or ports that your IoT device can connect to:

https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010100.html

This is also good, old version of ISE but the concept is the same

Authorization Policies > Authentication and Authorization Policies: Using Cisco Identity Services Engine in a BYOD World | Cisco Press

Re: ISE 2.4 and Authenticating Printers Using a DACL

sinady — Sat, 23 Oct 2021 16:48:20 GMT

Hi @Anthony O'Reilly ,

Thank you so much for your sharing. I will take a look. if have any other question will drop here.

Re: ISE 2.4 and Authenticating Printers Using a DACL

Anthony O'Reilly — Wed, 03 Nov 2021 11:35:42 GMT

Please rate if this has been helpful.