Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3304
Views
6
Helpful
6
Replies

DACL for Printers

Go to solution
Srinivasan Nagarajan
Level 1
Level 1

‎05-27-2021 01:18 AM - edited ‎05-27-2021 01:36 AM

Hi Experts,

Currently, we've an Authorization profile configured for the printers (canon) with the DACL being used is 'permit ip any any'. Now, client would like to restrict just to the basic services as given below:-

permit udp any eq bootpc any eq bootps
permit tcp any any eq 25
permit udp any any eq 53
permit tcp any eq 9100 any
deny ip any any

 

1. If any extra port needs to be allowed for a device in a network discover the printer ? 

2. The above ACL is applied from the source-port perspective (oubound from device). For the return traffic, should it be allowed explicitly?

3.Also, client would like to apply an ACL from RFC1918 address TO this Printer on 'any' services. How can this be done (in addition to DACL)?

Thanks in advance.

1 Accepted Solution

Accepted Solutions

Go to solution
julian.bendix
Level 3
Level 3

‎05-27-2021 01:47 AM

Hey!

1) If another port needs to be allowed.. you will find out once something doesn't work and then you need to add it to the dACL. If you don't know what exactly the printer does, you'll need to capture the traffic (SPAN Port on Switch) or ask the vendor.

2) You don't need to allow the return traffic, the dACL is only applied inbound on the switchport.

3) You can't realize that with the dACL, you should do that somewhere else in the network (Firewall?).

Let me know if that helps.

BR
Juls

View solution in original post

0 Helpful
6 Replies 6

Go to solution
julian.bendix
Level 3
Level 3

‎05-27-2021 01:47 AM

Hey!

1) If another port needs to be allowed.. you will find out once something doesn't work and then you need to add it to the dACL. If you don't know what exactly the printer does, you'll need to capture the traffic (SPAN Port on Switch) or ask the vendor.

2) You don't need to allow the return traffic, the dACL is only applied inbound on the switchport.

3) You can't realize that with the dACL, you should do that somewhere else in the network (Firewall?).

Let me know if that helps.

BR
Juls

0 Helpful

Go to solution
Srinivasan Nagarajan
Level 1
Level 1
In response to julian.bendix

‎05-27-2021 01:59 AM - edited ‎05-27-2021 02:02 AM

Hi Julian

Thanks for the reply.

2. Yeah, DACL is inbound to the switch port. Does the return traffic from the destination need to be explicitly allowed or permitted automatically ?

3. Client would like to get this done on the ISE and I'm not sure if using ACL(Filter-ID) would work. what is the purpose of this attribute which is appended with .in on the AuthZ policy.  Any idea?

0 Helpful

Go to solution
julian.bendix
Level 3
Level 3
In response to Srinivasan Nagarajan

‎05-27-2021 02:14 AM

Hey,

2) Yes the return traffic will work, since there is no filter for that direction at all (if you don't add one specifically somewhere else).

3) Unfortunately I don't know .. In all setups I work with we solved this on another level (Firewall etc.).

BR
Juls

0 Helpful

Go to solution
Srinivasan Nagarajan
Level 1
Level 1
In response to julian.bendix

‎05-27-2021 02:18 AM

Thanks for the reply and your time. I'll leave it open to other folks to check and assist us for the below:-

Client would like to get this done on the ISE and I'm not sure if using ACL(Filter-ID) would work. what is the purpose of this attribute which is appended with .in on the AuthZ policy.  Any idea?

0 Helpful

Go to solution
john david333
Level 1
Level 1

‎10-29-2022 03:05 AM - edited ‎10-31-2022 11:34 AM

Thank You for your question I got my issue solved too was having the same issue that annoyed me the most. As I was getting the issue with my Epson Sublimation Printer here instead of the canon.

Go to solution
wemav21770
Level 1
Level 1

‎12-11-2023 10:24 AM - edited ‎12-11-2023 10:27 AM

DACL (Discretionary Access Control List) for printers manages who can access and perform actions (like printing or managing settings) and lists user/group permissions for the printer.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents