Showing results for 
Search instead for 
Did you mean: 

Choose one of the topics below for Cisco DNA Center Resources to help you on your journey with Cisco DNA Center

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC!
We will not comment or assist with your TAC case in these forums.


DNA Center auto provision "IPV4_PRE_AUTH_ACL" issue

Hi Guys,

I'm trying to implement 802.1x with SD-Access solution.
Currently, I'm stuck at trying to change the ACL "IPV4_PRE_AUTH_ACL" input by DNA below.

ip access-list extended IPV4_PRE_AUTH_ACL
permit udp any any eq bootpc
permit udp any any eq domain
deny ip any any

Our customer has their default_acl. When I'm trying to manually modify the IPV4_PRE_AUTH_ACL(input from DNA) then I can't do changes on the switch.

ip access-list extended default_acl
permit udp any any eq bootps
permit udp any any eq domain
permit udp any any eq tftp
permit ip any host
permit ip any host
permit ip any host
permit ip any host
permit ip any host
permit ip any host
permit ip any host
permit tcp any any eq 2000
permit udp any any range 16384 32767
permit udp any any range 2048 65535

Any advice?

Everyone's tags (1)

Re: DNA Center auto provision "IPV4_PRE_AUTH_ACL" issue

Deleted.  Wrong account.

Rising star

Re: DNA Center auto provision "IPV4_PRE_AUTH_ACL" issue

Based on your question I assume you have the 8021x solution requirements established/deployed (PKI, GPO to configure windows native supplicant OR anyconnect client to support it, ISE policy sets to include authorization profiles, etc.).  


Utilizing 8021x in your SDA fabric should be straightforward.  Within DNAC under your fabric, host on-boarding, you can select your authentication template to be used, which in your case would be closed OR open authentication template.  From there you can manually provision your host ports with device type user, and either static policy (SGT, ip pool) OR just provision the authentication method and not use static policy.  Not using static policy forces ISE to come into play to authenticate, authorize, and deploy network policy to your nodes.  DNAC should automatically provision your edge node ports accordingly and your hosts should authenticate via 8021x or mab (as long as the requirements above are in place).  


You have a couple of options.  You can utilize Trustsec SGTs to control connectivity to your 10 dot IPs (either SDA SGT to SGT, or static ip-to-sgt mappings via SXP if the 10 dots sit outside of your fabric), or you could use the template editor to configure things such as new ACLs, modification to ACLs, STIGs to harden devices, etc. and deploy/provision a fabric device in your underlay with the created template.  Hope this helps!

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards