paul
Advocate

Assign an ACL (not DACL) to Wired Session

I can assign an ACL that exists on an ASA to a VPN user or an ACL that exists on a WLC to a wireless user, but is there a way to assign an ACL defined on a switch to a wired authentication?  I don't think there is.

The use case is for a large world-wide customer that has a class of devices that need access to the local LAN subnets at the site where they sit.  We thought of having an ACL named the same on every switch like "Local_Access_Only" that would restrict access to the local subnets, but I don't think I have a way to apply that to the authentication.

If we tried going this with a DACL we would need a unique DACL and result for each one of their locations.

I could do something odd like assign a redirect ACL that essentially would deny (i.e. not redirect) traffic to the local subnets and permit (i.e. redirect) to anything else.  Those devices would be permanently sitting in a web auth redirect state, but functionally it should work.

Let me know if an ACL could be applied or if there is another method I am missing (don't say TrustSec).

Accepted Solution

Grr found the issue.  My ACL on the switch didn't have "any" in the source field of one of the lines.  Once I turned on "debug epm all" I saw the issue.   The Filter-ID works perfectly.

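As an added example (not from the thread or from Cisco), a small Python check that parses an IOS-style extended ACL block and flags any entry whose source is not `any`, which is the defect the accepted answer tracked down with `debug epm all`. The ACL content is constructed to mirror the proposed "Local_Access_Only" ACL, with one line carrying a concrete source; the subnets are placeholders.

```python
import re

# Constructed sample: an IOS extended ACL of the kind the thread proposes for
# Filter-ID, with one ACE (the fourth) whose source is a subnet instead of "any".
# Per the accepted answer, such a line makes the switch fail to apply the ACL to
# the authenticated session, so the authorization is rejected.
SAMPLE_ACL = """\
ip access-list extended Local_Access_Only
 permit udp any any eq bootps
 permit udp any any eq domain
 permit ip any 10.10.0.0 0.0.255.255
 permit ip 10.10.5.0 0.0.0.255 10.10.0.0 0.0.255.255
 deny ip any any
"""

# Optional sequence number, action, protocol, then the address part of the ACE.
ACE_RE = re.compile(r'^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*)$')
PORT_OPS = ('eq', 'gt', 'lt', 'neq')


def _take_addr(tokens):
    """Consume one address spec ("any", "host X", or "addr wildcard") from tokens."""
    if tokens[0] == 'any':
        return 'any', tokens[1:]
    if tokens[0] == 'host':
        return f'host {tokens[1]}', tokens[2:]
    return f'{tokens[0]} {tokens[1]}', tokens[2:]


def parse_aces(config):
    """Return one dict per ACE with action, protocol, source and destination."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m:                      # header, remark or blank line
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _take_addr(tokens)
        # Skip an optional source-port operator before the destination.
        if tokens and tokens[0] in PORT_OPS:
            tokens = tokens[2:]
        elif tokens and tokens[0] == 'range':
            tokens = tokens[3:]
        dst, tokens = _take_addr(tokens)
        aces.append({'line': line.strip(), 'action': action,
                     'proto': proto, 'src': src, 'dst': dst})
    return aces


def find_bad_sources(config):
    """Return the ACE lines whose source is not "any" (would break Filter-ID)."""
    return [a['line'] for a in parse_aces(config) if a['src'] != 'any']
```

Running `find_bad_sources` over each switch's copy of the ACL before pushing the Filter-ID result catches the mismatch without waiting for an authorization failure.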

3 Replies
hslai
Cisco Employee

Hmm, I tried the filter ID, but I got authorization failed after applying that to the result. I will do more testing.

Thanks.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

