Bransomar
Beginner

Cisco ISE AuthZ profile dACL question

Hi all -  I would like verification or correction on how I have come to understand dACLs are used in ISE:


- dACLs are only used for the "Access-Accept" access type.

- If a client fails authentication, it is bound by the default port ACL on the switch (no "deny all" or other dACL is downloaded).


So, a couple questions:


- What is the purpose of the "Access-Reject" access type for wired clients, since the switch port ACL is the default?

- Why is there an option to choose a dACL for the "Access-Reject" access type?


Thanks,


Chris Kaufman


Hi Chris,

- There is such an option because it was probably easier for the programmers to implement it :) (less work)

- The switch port ACL is in effect only when "authentication open" is on it. Without it you don't allow any traffic except EAP.

The important thing to remember is that this command tells the switch to ignore ACCESS-REJECT packets from the ISE; that's why MONITOR-MODE works in the first place.

LOW-IMPACT mode works according to the above rule as well, but you limit traffic with a port ACL.
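To make the monitor-mode / low-impact-mode distinction from the reply concrete, here is an added switch-side example (it is not part of either post in this thread and was not written by the posters). It shows a low-impact-mode port on classic Cisco IOS: a pre-authentication port ACL combined with "authentication open". The interface name, the ACL name PRE-AUTH, the VLAN, and the specific protocols permitted before authentication are assumptions chosen for illustration; adjust them to your environment.

```cisco
! Added example, not from the original thread.
! Assumptions: classic IOS syntax, interface Gi1/0/10, ACL name PRE-AUTH,
! access VLAN 10. Tune the permitted pre-auth protocols to your network.
!
! Needed so the switch can substitute the host IP for "any" in a
! downloaded ACL (dACL) when it applies one after an Access-Accept.
ip device tracking
!
! Pre-authentication port ACL. With "authentication open" the port passes
! non-EAP traffic before authentication, so this ACL is the only thing
! constraining an unauthenticated host, and it is also what a host stays
! bound to when ISE answers Access-Reject (no dACL is downloaded then).
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 deny   ip any any
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 ! Low-impact mode: open port gated only by PRE-AUTH until ISE returns
 ! an Access-Accept; a dACL carried in that Access-Accept then replaces
 ! PRE-AUTH for the authenticated host.
 ! Monitor mode is this same configuration without the "ip access-group"
 ! line. Removing "authentication open" instead gives closed mode, where
 ! only EAPOL passes before an Access-Accept arrives.
 ip access-group PRE-AUTH in
 authentication open
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

A quick way to confirm the behaviour described in the thread is to watch `show authentication sessions interface GigabitEthernet1/0/10 details` on the switch: after an Access-Accept that carries a dACL, the session shows the downloaded ACL (named with the ISE-generated `xACSACLx-...` prefix) as the applied policy; after an Access-Reject the session shows no dACL and the port's PRE-AUTH ACL remains in effect.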
