topic Re: DACL for Printers in Network Access Control

DACL for Printers

Srinivasan Nagarajan — Thu, 27 May 2021 08:36:52 GMT

Hi Experts,

Currently, we've an Authorization profile configured for the printers (canon) with the DACL being used is 'permit ip any any'. Now, client would like to restrict just to the basic services as given below:-

permit udp any eq bootpc any eq bootps
permit tcp any any eq 25
permit udp any any eq 53
permit tcp any eq 9100 any
deny ip any any

1. If any extra port needs to be allowed for a device in a network discover the printer ?

2. The above ACL is applied from the source-port perspective (oubound from device). For the return traffic, should it be allowed explicitly?

3.Also, client would like to apply an ACL from RFC1918 address TO this Printer on 'any' services. How can this be done (in addition to DACL)?

Thanks in advance.

Re: DACL for Printers

julian.bendix — Thu, 27 May 2021 08:47:28 GMT

Hey!

1) If another port needs to be allowed.. you will find out once something doesn't work and then you need to add it to the dACL. If you don't know what exactly the printer does, you'll need to capture the traffic (SPAN Port on Switch) or ask the vendor.

2) You don't need to allow the return traffic, the dACL is only applied inbound on the switchport.

3) You can't realize that with the dACL, you should do that somewhere else in the network (Firewall?).

Let me know if that helps.

BR
Juls

Re: DACL for Printers

Srinivasan Nagarajan — Thu, 27 May 2021 09:02:39 GMT

Hi Julian

Thanks for the reply.

2. Yeah, DACL is inbound to the switch port. Does the return traffic from the destination need to be explicitly allowed or permitted automatically ?

3. Client would like to get this done on the ISE and I'm not sure if using ACL(Filter-ID) would work. what is the purpose of this attribute which is appended with .in on the AuthZ policy. Any idea?

Re: DACL for Printers

julian.bendix — Thu, 27 May 2021 09:14:41 GMT

Hey,

2) Yes the return traffic will work, since there is no filter for that direction at all (if you don't add one specifically somewhere else).

3) Unfortunately I don't know .. In all setups I work with we solved this on another level (Firewall etc.).

BR
Juls

Re: DACL for Printers

Srinivasan Nagarajan — Thu, 27 May 2021 09:18:57 GMT

Thanks for the reply and your time. I'll leave it open to other folks to check and assist us for the below:-

Client would like to get this done on the ISE and I'm not sure if using ACL(Filter-ID) would work. what is the purpose of this attribute which is appended with .in on the AuthZ policy. Any idea?

Re: DACL for Printers

john david333 — Mon, 31 Oct 2022 18:34:21 GMT

Thank You for your question I got my issue solved too was having the same issue that annoyed me the most. As I was getting the issue with my Epson Sublimation Printer here instead of the canon.

Re: DACL for Printers

wemav21770 — Mon, 11 Dec 2023 18:27:24 GMT

DACL (Discretionary Access Control List) for printers manages who can access and perform actions (like printing or managing settings) and lists user/group permissions for the printer.