DNA Center auto provision "IPV4_PRE_AUTH_ACL" issue

Australian
Level 1

Hi Guys,

I'm trying to implement 802.1x with SD-Access solution.
Currently, I'm stuck at trying to change the ACL "IPV4_PRE_AUTH_ACL" input by DNA below.

ip access-list extended IPV4_PRE_AUTH_ACL
permit udp any any eq bootpc
permit udp any any eq domain
deny ip any any

Our customer has their own default_acl. When I try to manually modify the IPV4_PRE_AUTH_ACL (pushed by DNA), I can't make changes on the switch.

ip access-list extended default_acl
permit udp any any eq bootps
permit udp any any eq domain
permit udp any any eq tftp
permit ip any host 10.68.128.97
permit ip any host 10.68.167.11
permit ip any host 10.68.128.201
permit ip any host 10.68.130.182
permit ip any host 10.54.17.103
permit ip any host 10.64.129.21
permit ip any host 10.213.1.12
permit tcp any any eq 2000
permit udp any any range 16384 32767
permit udp any any range 2048 65535
Any advice?

2 Replies

michael.cifelli
Level 1

Deleted.  Wrong account.

Mike.Cifelli
VIP Alumni

Based on your question, I assume you have the 802.1X solution requirements established/deployed (PKI, GPO to configure the Windows native supplicant OR the AnyConnect client to support it, ISE policy sets including authorization profiles, etc.).

Utilizing 802.1X in your SDA fabric should be straightforward. Within DNAC, under your fabric's Host Onboarding, you can select the authentication template to be used, which in your case would be the closed OR open authentication template. From there you can manually provision your host ports with device type "user" and either a static policy (SGT, IP pool) OR just provision the authentication method and not use a static policy. Not using a static policy forces ISE to come into play to authenticate, authorize, and deploy network policy to your nodes. DNAC should automatically provision your edge node ports accordingly, and your hosts should authenticate via 802.1X or MAB (as long as the requirements above are in place).

You have a couple of options. You can utilize TrustSec SGTs to control connectivity to your 10-dot IPs (either SDA SGT-to-SGT, or static IP-to-SGT mappings via SXP if the 10-dot hosts sit outside of your fabric), or you could use the template editor to configure things such as new ACLs, modifications to ACLs, STIGs to harden devices, etc., and deploy/provision a fabric device in your underlay with the created template. Hope this helps!
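Before pushing a replacement pre-auth ACL through the template editor, it is worth seeing exactly what the customer ACL opens up to unauthenticated hosts compared with the DNAC default. The script below is an added example, not code from this thread or from Cisco: the ACL text is copied from the question (default_acl trimmed to a representative subset), and the set of "bootstrap" ports a closed-mode pre-auth ACL minimally needs (DHCP, DNS, TFTP) is an assumption for the review.

```python
import re
from dataclasses import dataclass

# Constructed input: ACL text copied from the thread (default_acl shortened).
PRE_AUTH_ACL = """\
permit udp any any eq bootpc
permit udp any any eq domain
deny ip any any
"""
DEFAULT_ACL = """\
permit udp any any eq bootps
permit udp any any eq domain
permit udp any any eq tftp
permit ip any host 10.68.128.97
permit tcp any any eq 2000
permit udp any any range 16384 32767
permit udp any any range 2048 65535
"""

# Assumption: services a closed-mode pre-auth ACL needs before authorization.
BOOTSTRAP_PORTS = {"bootpc", "bootps", "domain", "tftp"}

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    dst: str
    ports: str  # "" when the ACE carries no port qualifier

ACE_RE = re.compile(
    r"^(permit|deny)\s+(\S+)\s+(any|host \S+)\s+(any|host \S+)\s*(.*)$")

def parse_acl(text):
    """Parse the simple 'any'/'host' extended-ACL syntax used in the thread."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        aces.append(Ace(*m.groups()))
    return aces

def broad_entries(aces):
    """Permits to any destination that are not DHCP/DNS/TFTP bootstrap traffic."""
    out = []
    for a in aces:
        if a.action != "permit" or a.dst != "any":
            continue
        port = a.ports.split()
        if len(port) == 2 and port[0] == "eq" and port[1] in BOOTSTRAP_PORTS:
            continue
        out.append(a)
    return out

def added_entries(candidate, baseline):
    """ACEs in the candidate ACL that the DNAC-provisioned ACL does not contain."""
    return [a for a in candidate if a not in baseline]

if __name__ == "__main__":
    for a in broad_entries(parse_acl(DEFAULT_ACL)):
        print("review before pre-auth use:", a)
```

Entries the script reports are the ones to justify (or move behind authorization) before the customer ACL replaces IPV4_PRE_AUTH_ACL on the fabric edge.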
