Cisco ISE Version 3.0 posture provisioning

bunleang
Level 1

Hi all ISE experts,

 

Could anyone tell me how to apply a DACL profile to clients when the posture scan finds a device non-compliant?

- non-compliant devices are blocked from accessing the internal systems

- non-compliant devices must still be able to reach the internet

 


6 Replies 6

Milos_Jovanovic
VIP Alumni

Hi @bunleang,

This sounds like a standard scenario for posture assessment.

Please check ISE Posture Prescriptive Guide to understand concepts and to see how to implement it.

BR,

Milos

Mike.Cifelli
VIP Alumni

Could anyone tell me how to apply a DACL profile to clients when the posture scan finds a device non-compliant?

-You will need a separate authz profile, which contains your desired dacl, that you will use in your radius authorization policy for noncompliant clients.  Your conditions in the authz policy will contain Session:Posture Status EQUALS NonCompliant.  Then for the result profile assign the authz profile for noncompliant use cases that contains your respective dacl.

 

Authz/dacl can be created here: Policy->Policy Elements->Results->Authorization

Could you share a sample guide with the authz DACL access-list rules?

 

Personally I would apply the following rules on the non-compliant DACL; you can narrow them down if you want:

permit udp any eq bootpc any eq bootps
permit udp any any eq 53
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

Keep in mind that if you want to apply the above DACL to an old WLC, you need to create the ACL on the WLC, and in the ISE authorization profile, instead of enabling the "DACL Name" check box and selecting the DACL, you would enable "Airespace ACL Name" and provide the name of the ACL you created on the WLC.
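To sanity-check what the DACL above actually lets a non-compliant client reach before rolling it out, here is a small added evaluator (example code, not from the thread or from Cisco): it parses the ACEs with Cisco first-match and wildcard-mask semantics and classifies a few constructed flows. The function names and the sample addresses are assumptions.

```python
import ipaddress

# The non-compliant DACL posted in the thread, one ACE per line
# (Cisco extended ACL syntax, wildcard masks, first match wins).
NONCOMPLIANT_DACL = """
permit udp any eq bootpc any eq bootps
permit udp any any eq 53
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any
"""

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}

def _parse_addr(toks, i):
    """Consume one address spec at toks[i]; return ((net, wildcard), next index)."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (int(ipaddress.IPv4Address(toks[i + 1])), 0), i + 2
    net, wc = (int(ipaddress.IPv4Address(t)) for t in toks[i:i + 2])
    return (net, wc), i + 2

def _parse_port(toks, i):
    """Consume an optional 'eq <port>' after an address; None means any port."""
    if i < len(toks) and toks[i] == "eq":
        tok = toks[i + 1]
        return (PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)), i + 2
    return None, i

def parse_dacl(text):
    """Parse ACE lines into (action, proto, src, sport, dst, dport) tuples."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        src, i = _parse_addr(toks, 2)
        sport, i = _parse_port(toks, i)
        dst, i = _parse_addr(toks, i)
        dport, i = _parse_port(toks, i)
        aces.append((toks[0], toks[1], src, sport, dst, dport))
    return aces

def _addr_match(spec, ip):
    net, wc = spec
    mask = ~wc & 0xFFFFFFFF  # wildcard bits are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)

def evaluate(aces, proto, src, sport, dst, dport):
    """Return 'permit' or 'deny' for a flow; first matching ACE wins."""
    for action, p, s, sp, d, dp in aces:
        if p not in ("ip", proto):
            continue
        if not (_addr_match(s, src) and _addr_match(d, dst)):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"  # implicit deny at the end of every Cisco ACL

ACES = parse_dacl(NONCOMPLIANT_DACL)
```

Note that the udp/53 permit sits before the RFC 1918 denies, so a non-compliant client can still reach an internal DNS resolver; the evaluator makes that visible, which matters if you narrow the rules.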

Looks great, let me narrow it down and try with this rule, then I will let you know the result. Thanks

Mike.Cifelli
VIP Alumni