dACL in the Host Mode of Multi-Authentication with ISE

SiJian Bao
Level 1

Hi Folks,

I'm wondering if a dACL can be applied per user on one port with the multi-authentication host mode. There is more than one user under one port with a hub; is it possible to apply an ACL to each user via ISE so that they gain different access permissions? Thanks

8 Replies

Yes, in Multi-Auth there is support for per-device dACLs, which are not available in Multi-Host mode. Just make sure that all devices share the same VLAN, as these are not allowed to be different.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten,

So it may be a solution for VDI users? Can I set up multi-auth on the port that connects to the server which hosts all the VDI virtual machines?

I never thought about VDI for that, but I think that the limit of ACEs per switchport could be a problem if you don't have a fairly big switch.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

The switch is a 6500 and the number of VDIs is not too many (just about 200-300). I will try it that way in two days and post my result here. Thanks!

Hi Karsten,

I guess this limitation only applies to the connected data clients, not to the IP phone that may also be connected. I mean, that should be one of the reasons to use multi-domain/multi-auth.

cheers,

Patrick

Anas Naqvi
Level 1

Hi,

As mentioned above, with Multi-Authentication mode a virtually unlimited number of endpoints may be authenticated on a single switch port. MACsec is not supported in this mode.

For VDI, the below link might be a help,

http://blogs.cisco.com/borderless/using-trustsec-to-simplify-virtual-desktop-infrastructure-vdi-deployment/

Hi Anas,

Thanks for your reply. I have read this doc before. According to this doc, BYOD for VDI can be achieved with AnyConnect 3.0 and SGTs, but for now we don't have the Nexus 1000v, so we cannot tag the traffic of the virtual machines. So I think I can only try multi-auth.

blenka
Level 3

If you have multiple active sessions on a single port, the profiling service issues a CoA with the Reauth option even though you have configured CoA with the Port Bounce option. This function avoids disconnecting other sessions, a situation that might occur with the Port Bounce option.

Please go through the link for the installation steps, starting from page 413.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ug.pdf
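To make Karsten's point about per-device dACLs in multi-auth concrete, and blenka's point that ISE needs to be able to send a CoA (reauth) to the switch, here is a worked switch-side configuration. This is an added example written for this thread, not configuration posted by any participant or taken from the Cisco documents linked above. It assumes IOS 15.x-style `radius server` syntax (older 12.2 trains use `radius-server host`), the interface name GigabitEthernet1/1, VLAN 10, the ISE address 192.0.2.10, the shared key, the pre-auth ACL name PRE-AUTH and the dACL name VDI-FINANCE; all of these are placeholders.

```cisco
! --- Global AAA / RADIUS towards ISE (addresses and key are placeholders) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key Example-Shared-Key
!
! Accept RADIUS CoA from ISE. With several sessions on one port ISE sends
! Reauth rather than Port Bounce so the other sessions are not disconnected.
aaa server radius dynamic-author
 client 192.0.2.10 server-key Example-Shared-Key
!
radius-server vsa send authentication
dot1x system-auth-control
! Required for dACLs: the switch must learn each endpoint's IP so it can
! replace the "any" source in the downloaded ACL with that host's address.
ip device tracking
!
! Pre-auth ACL: what an endpoint may reach before ISE returns its dACL
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
! --- Port facing the hub / VDI host with several endpoints behind it ---
interface GigabitEthernet1/1
 description Hub or VDI host, one session per MAC
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! --- ISE side (placeholder dACL, configured under Policy Elements > Results >
! Authorization > Downloadable ACLs and referenced from an Authorization Profile).
! The source is always "any"; the switch rewrites it per host. ---
!   permit udp any eq bootpc any eq bootps
!   permit udp any any eq domain
!   permit tcp any host 198.51.100.20 eq 443
!   deny ip any any
!
! --- Verify: one session per MAC, each showing its own "ACS ACL" entry ---
! show authentication sessions interface GigabitEthernet1/1
! show ip access-lists interface GigabitEthernet1/1
```

Two things to keep in mind when sizing this for a few hundred VDI sessions on the same port: every session is in the same access VLAN, so the dACL is the only thing separating one user from another, and the switch expands each session's dACL with that host's IP address, so a port with N sessions each receiving an M-line dACL consumes on the order of N x M TCAM entries. That is the per-switchport ACE limit Karsten refers to, and it is worth checking against the platform's TCAM capacity before rolling it out.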