topic Re: "time-range" operator in dACL in Network Access Control

"time-range" operator in dACL

rezaalikhani — Fri, 27 Sep 2024 04:32:44 GMT

Hi all;

After searching ISE admin portal, I did not find any useful contents which clarify the usage of "time-range" operator in a dACL. Although ISE actually supports this operator, how can I use it? Does it require the existence of "time-range" configuration on the NAD or ISE supports defining it somewhere?

Thanks

Re: "time-range" operator in dACL

MHM Cisco World — Fri, 27 Sep 2024 07:40:34 GMT

Why you want time range in dacl?

MHM

Re: "time-range" operator in dACL

davidgfriedman — Fri, 27 Sep 2024 07:54:33 GMT

Quasi-relevant $0.02: In a previous position, I once tried lab-testing time range ACLs on an ASA 5510 for the purpose of disabling customer Wi-Fi after hours. Back then, when paying $$ per GB, why have public Wi-Fi leaches when you're closed? I doubt that type of problem exists these days with corporate plans usually being straight priced for bandwidth on monthly connection rates / contracts.

Nowadays the case might be made to prevent illegal activity on public Wi-Fi when you're closed, as I'd think there would be people who might do such a thing in this day and age to mask their activities. Or what if you're open only 9-5, you're in an office building, and people whose offices work longer hours leach off your guest Wi-Fi network all night?

Food for thought (exercises),
David

Re: "time-range" operator in dACL

Aref Alsouqi — Fri, 27 Sep 2024 09:19:17 GMT

I don't believe dACLs on IOS would support time range but I have never tried it through ISE. Based on the below 9800 WLC documentation dACLs only support IPs, ports, protocols, and the action. I would expect the same on the switches.

Downloadable ACL (cisco.com)

From ISE perspective whatever you configure in the downloadable ACL section is going to be pushed via RADIUS to the NAD and the NAD will write it locally, this is why we use exactly the same syntax on ISE.

Time range ACLs require the time range object to be defined before it could be referenced in the ACL. From ISE point of view there is no place where you can configure this as I'm aware of. What you can try to do would be to create the time range locally on the NAD and then referencing it from ISE when you create the dACL and see if that works.

The concept behind the dACLs is to apply the enforcement based on the identity connected to the network and that enforcement will last for the whole lifecycle of that session. However, if you want to apply an enforcement that will affect the whole subnet/VLAN for the traffic passing through the firewall such as the internet traffic then you can apply this enforcement on the firewall rather than the dACLs.

Re: "time-range" operator in dACL

MHM Cisco World — Thu, 03 Oct 2024 14:17:00 GMT

MHM

Re: "time-range" operator in dACL

rezaalikhani — Sat, 28 Sep 2024 08:54:05 GMT

Thanks for your reply;

@Aref Alsouqi wrote:
I don't believe dACLs on IOS would support time range but I have never tried it through ISE.

I will check it and comeback with the result...

Thanks

Re: "time-range" operator in dACL

Aref Alsouqi — Tue, 01 Oct 2024 09:43:02 GMT

Interesting, then I think you can just create the time range object on the NAD, and then referencing it on the dACL. It would really be interesting to know if it worked for you : D

Re: "time-range" operator in dACL

rezaalikhani — Sun, 06 Oct 2024 08:26:23 GMT

Configured a dACL like this:

This is the result of the applied dACL:

After applying the dACL and double checking for the state of the time-range configuration, as you can see above, there is no "time-range" limitation applied in the output of the applied dACL on the user/machine session. The "192.168.10.10" is the IP address of the testing machine and the "192.168.10.11" is the IP address of the tested one.

This is the time-range I have defined:

When the time-range was active, I loosed the ICMP connectivity to the target machine (as expected), but when it inactivated, the connectivity problem was not resolved... Based of my findings, the dACL in 2960X (at least) does not support "time-range" operator...

I use Cisco Catalyst 2960X with the lates Cisco's IOS recommendation.