10-03-2024 06:14 AM
I've been introducing Dot1x and dACLs into my environment. Previously I had ASAs, and only a portion of the devices sat behind them. I feel like I missed a step or some grand understanding somewhere, and that the standard ACL is going backwards compared to having extended ACLs.
I'm wondering how adaptive this can be. I have many different types of devices in the environment; so, for example, one department might have 10 instruments serving different purposes with similar but different levels of access required.
Also, I have some servers that are in clusters, and I don't get notified of IP changes or additions, which may create some intermittent issues. (Think a cluster of domain controllers across multiple sites.)
On our ASA I would give access to AD such as "any -> mydomain.mycompany.com eq port group", and this works great.
On a dACL it seems like I would have to do "permit tcp any any eq 123", or "permit tcp any ip-or-subnet-1 eq 124" and "permit tcp any ip-or-subnet2 eq 125". I'm okay with this, but is there a better way to do it? Unfortunately "permit tcp any host mydomain.mycompany.com eq 123" fails the syntax check.
I'm hoping to get to testing it later, but can I use the authorization profiles to apply more than one dACL to a wired/wireless device? In all the examples and guides I've read, it appears that I cannot do this.
For example, I would use dACLs to say "This device gets AD", "This device gets printer access", "This device gets shared drives access", etc. Then device 1A would get the "AD" and "Shared drive" dACLs, and device 2B would get the "AD" and "Printers" dACLs.
This also makes no sense in my brain, because I don't see ISE combining the lists and then sending them to the switch. But at this rate I might end up having 1000s of dACLs.
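Added example (not from the thread or from Cisco): one way to cope with the two problems raised above, dACL syntax not accepting hostnames and a device needing the union of several per-role lists. It assumes dACL entries use the IOS extended-ACL form shown in the post (`permit tcp any host <ip> eq <port>`, source always `any`) and that only one dACL is attached per authorization profile, so per-role entries are merged offline into one list before it is loaded into ISE. FQDNs are resolved to addresses through a constructed in-memory table standing in for a real DNS lookup; the hostnames, addresses and ports are made-up sample values. Re-running the generator on a schedule and diffing the result is how the "cluster member changed IP and nobody told me" case surfaces.

```python
"""Build one downloadable ACL (dACL) from per-role service definitions.

Assumptions (hypothetical, not confirmed by the thread):
  - dACL entries use IOS extended-ACL syntax with source `any`;
  - one dACL per authorization profile, so roles are merged offline;
  - hostnames are not valid in dACL syntax, so FQDNs are resolved first.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed sample DNS answers (stand-in for a live resolver such as
# socket.getaddrinfo, so the example runs offline).
FAKE_DNS: Dict[str, List[str]] = {
    "dc1.mydomain.example": ["10.1.0.10"],
    "dc2.mydomain.example": ["10.2.0.10"],
    "fileserver.mydomain.example": ["10.1.5.20", "10.1.5.21"],
    "print01.mydomain.example": ["10.1.7.5"],
}

# Role -> list of (fqdn, protocol, port). Ports are illustrative placeholders.
Service = Tuple[str, str, int]
ROLES: Dict[str, List[Service]] = {
    "AD": [
        ("dc1.mydomain.example", "tcp", 389),
        ("dc2.mydomain.example", "tcp", 389),
        ("dc1.mydomain.example", "udp", 88),
        ("dc2.mydomain.example", "udp", 88),
    ],
    "SharedDrives": [("fileserver.mydomain.example", "tcp", 445)],
    "Printers": [("print01.mydomain.example", "tcp", 9100)],
}


def resolve(fqdn: str, table: Dict[str, List[str]] = FAKE_DNS) -> List[str]:
    """Return the addresses for an FQDN; fail loudly rather than emit a
    half-built list if a name no longer resolves."""
    if fqdn not in table:
        raise ValueError(f"cannot resolve {fqdn}; refusing to build dACL")
    return list(table[fqdn])


def entries_for_role(role: str, roles: Dict[str, List[Service]] = ROLES,
                     table: Dict[str, List[str]] = FAKE_DNS) -> List[str]:
    """Expand one role into concrete host-based permit lines."""
    lines: List[str] = []
    for fqdn, proto, port in roles[role]:
        for ip in resolve(fqdn, table):
            lines.append(f"permit {proto} any host {ip} eq {port}")
    return lines


def build_dacl(role_names: Sequence[str], roles: Dict[str, List[Service]] = ROLES,
               table: Dict[str, List[str]] = FAKE_DNS) -> List[str]:
    """Merge several roles into a single dACL: order preserved, duplicates
    dropped, explicit deny appended so intent is visible in the list."""
    seen = set()
    out: List[str] = []
    for role in role_names:
        for line in entries_for_role(role, roles, table):
            if line not in seen:
                seen.add(line)
                out.append(line)
    out.append("deny ip any any")
    return out


def diff_dacl(old: Sequence[str], new: Sequence[str]) -> Tuple[List[str], List[str]]:
    """Lines to add and lines to remove when a regenerated list differs
    from the one currently loaded (e.g. a cluster member changed address)."""
    added = [line for line in new if line not in set(old)]
    removed = [line for line in old if line not in set(new)]
    return added, removed


if __name__ == "__main__":
    # Device 1A gets AD + shared drives; device 2B gets AD + printers.
    for name, role_set in (("device-1A", ["AD", "SharedDrives"]),
                           ("device-2B", ["AD", "Printers"])):
        print(f"! dACL for {name}")
        print("\n".join(build_dacl(role_set)))
    # Simulate dc2 moving to a new address and show what changed.
    moved = dict(FAKE_DNS, **{"dc2.mydomain.example": ["10.2.0.11"]})
    print(diff_dacl(build_dacl(["AD"]), build_dacl(["AD"], table=moved)))
```

The per-device lists are what gets pasted into the dACL content field; keeping the role definitions as the source of truth and regenerating from them means a new cluster member or a changed address produces a reviewable diff instead of an unexplained outage.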
10-03-2024 06:42 AM
ASA does not support dot1x. How did you configure the ASA? Can I see it?
MHM
10-03-2024 07:08 AM
So, I only meant to bring up the ASA because I was using extended ACLs (FQDNs and object groups with the help of DNS). What I was hoping to learn is how to cope with moving to dACLs without those.