topic Re: ISE dACL when switchport has a phone and a computer in Network Access Control

ISE dACL when switchport has a phone and a computer

mnkojima — Wed, 26 Apr 2023 12:52:39 GMT

Hello

we are implementing ISE and we authenticate users through MS AD and phones through MAB. We want to enforce authorization by DACL at the access switch.

My question is: since the DACL is applied at the physical port, it will affect both voice and data traffic. Since in my ISE policy set I have one authZ rule for users and another for phones, would it be possible to apply different DACL's (one for phone and another for computer) at that switchport?

Thank you

Marcos

Re: ISE dACL when switchport has a phone and a computer

poongarg — Wed, 26 Apr 2023 14:28:11 GMT

Hi Marcos,

The dACL is applied per session basis. When you connect both the PC and phone, you will see 2 authentication sessions on the switchport when you run the command "show auth session detail interface <>". So you can push different dACL for phone and PC.

HTH

Re: ISE dACL when switchport has a phone and a computer

thomas — Thu, 27 Apr 2023 15:30:58 GMT

@poongarg is correct.

Please see the for best practice configurations including these specific sections that talk about user and phone authorization.