Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
697
Views
0
Helpful
1
Replies

Cisco ISE AuthZ profile dACL question

cjkaufman@dmgov.org
Level 1
Level 1

‎07-22-2015 09:24 AM - edited ‎03-10-2019 10:55 PM

Hi all -  I would like verification or correction on how I have come to understand dACLs are used in ISE:

 

- dACL's are only used for the "Access-Accept" access type. 

- If a client fails authentication, it is bound by the port default port ACL on the switch. (no "deny all" or other dACL is downloaded).

 

So, a couple questions:

 

- what is the purpose of the "Access-Reject" access type for wired clients since the switch port ACL is the default?

- why is there an option to choose a dACL for the "Access-Reject" access type?

 

Thanks,

 

Chris Kaufman

Labels:
0 Helpful
1 Reply 1

Przemyslaw Konitz
Level 1
Level 1

‎11-01-2015 12:33 AM

hi Chris,

- there is such an option because it was probably easier for programmers to impelemnt it :) (less work)

- switch port ACL is in effect only when "authentication open" is on it. without it u don't allow any traffic except EAP,

important thing to remember is that this command tells the switch to ignore ACCESS-REJECT packets from the ISE, thats why MONITOR-MODE works in a first place

LOW-IMPACT mode works according to above rule as well but u limit traffic with port ACL

0 Helpful
Customers Also Viewed These Support Documents