cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1283
Views
10
Helpful
6
Replies

Cisco ISE Version 3.0 posture provisioning

bunleang
Level 1
Level 1

Hi all ISE experts,

 

Anyone could tell me how to apply dacl profile to clients while posture scan found device non-compliance 

- non-compliance devices blocked access to the internal system

- non-compliance internet must be accessible 

 

1 Accepted Solution

Accepted Solutions

Personally I would apply the following rules on the non-compliant DACL, you can narrow them down if you want:

permit udp any eq bootpc any eq bootps

permit udp any any eq 53

deny ip any 10.0.0.0 0.255.255.255

deny ip any 172.16.0.0 0.15.255.255

deny ip any 192.168.0.0 0.0.255.255

permit tcp any any eq 80

permit tcp any any eq 443

deny ip any any

Keep in mind please that if you want to apply the above DACL to an old WLC, then you need to create the ACL on the WLC, and from ISE authorization profile instead of enabling the check on the "DACL Name" and select the DACL, you would need to enable the "Airespace ACL Name" and provide the name of the ACL you created on the WLC.

View solution in original post

6 Replies 6

Milos_Jovanovic
VIP Alumni
VIP Alumni

Hi @bunleang,

This sounds like a standard scenario for posture assessment.

Please check ISE Posture Prescriptive Guide to understand concepts and to see how to implement it.

BR,

Milos

Mike.Cifelli
VIP Alumni
VIP Alumni

Anyone could tell me how to apply dacl profile to clients while posture scan found device non-compliance 

-You will need a separate authz profile, which contains your desired dacl, that you will use in your radius authorization policy for noncompliant clients.  Your conditions in the authz policy will contain Session:Posture Status EQUALS NonCompliant.  Then for the result profile assign the authz profile for noncompliant use cases that contains your respective dacl.

 

Authz/dacl can be created here: Policy->Policy Elements->Results->Authorization

Could you share me sample guide with auth dacl access-list rule? 

 

Personally I would apply the following rules on the non-compliant DACL, you can narrow them down if you want:

permit udp any eq bootpc any eq bootps

permit udp any any eq 53

deny ip any 10.0.0.0 0.255.255.255

deny ip any 172.16.0.0 0.15.255.255

deny ip any 192.168.0.0 0.0.255.255

permit tcp any any eq 80

permit tcp any any eq 443

deny ip any any

Keep in mind please that if you want to apply the above DACL to an old WLC, then you need to create the ACL on the WLC, and from ISE authorization profile instead of enabling the check on the "DACL Name" and select the DACL, you would need to enable the "Airespace ACL Name" and provide the name of the ACL you created on the WLC.

Look great let me narrow it down and try with this rule, then I will let you know the result. Thank

Mike.Cifelli
VIP Alumni
VIP Alumni
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: