6717 Views, 80 Helpful, 6 Replies

How to apply ACLs to a device using Cisco ISE

blackbird_bb (Level 1)

Hi there,

We have a set of policies (ACLs) to be applied to inbound and outbound traffic for a set of devices (known by IP / MAC address) in a network.

  1. Is there a way to impose ACLs on individual devices using Cisco ISE?
  2. If so, does Cisco ISE expose any APIs to perform this task?
6 Replies

@blackbird_bb Yes, there are several different ways. What make/model of devices are you referring to?

You can apply Downloadable ACLs (dACLs) to the access layer switches the endpoints are connected to.

You can also use TrustSec SGACLs to deploy policy to the access layer or distribution layer enforcement points.

Thanks, @Rob Ingram. As per my understanding, Downloadable ACLs can be applied to an access layer switch port's inbound traffic only. In other words, dACLs allow us to create a policy only for outgoing traffic from a device; they don't allow us to create an ACE that applies to incoming traffic to a device.

For example, to deny any incoming traffic coming from subnet 10.10.1.0/24 to the device, I used the following ACE:

deny udp 10.10.1.0 0.0.0.255 any eq 1024

But ISE doesn't accept this ACE, because the source must be 'Any' in a dACL.

Is there any method to overcome this limitation and apply policies to both directions of a device's traffic?

@blackbird_bb perhaps use @MHM Cisco World's suggestion, with a filter-id ACL. This is an ACL that is defined on the switch, and ISE just delivers the ACL name via RADIUS; this attribute can also be used with non-Cisco switches.

There are two choices:

1- Per-user ACL

The ACL is pushed from ISE to the switch.

2- Filter-ID

The ACL is defined on the switch, and ISE pushes its name to the switch.

So yes, ISE can do this.

Per-user ACL with 'any':
The switch uses IP tracking to rewrite the ACL, substituting the host IP for 'any'.

imanv (Level 1)

Hello.

@blackbird_bb wrote:
  1. Is there a way to impose ACLs on individual devices using Cisco ISE?

Yes. There are two ways to impose ACLs: the ACLs can be stored on ISE (known as dACLs), or the ACLs can be stored on your switches (the Authenticator in the 802.1X architecture). You create the ACLs here.

[Image: 1.jpg]
Then you bind it to an Authentication Profile and call this profile when creating the policies.

[Image: 2.jpg]
As you can see, if you want to use a dACL, then set your dACL name here. If you prefer ACLs stored on the switch, then just put the ACL name in the ACL field. Note that this field is case sensitive.

[Image: 3.JPG]
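As an added example (not code from this thread, from Cisco or from ISE), the Python below models the two deliveries MHM Cisco World lists and the name binding imanv describes: a per-user ACL pushed from ISE as cisco-av-pair `ip:inacl#<n>=<ace>` attributes, where the switch substitutes the host IP learned by device tracking for source 'any', and a RADIUS Filter-Id that carries only an ACL name the switch must already hold. The attribute formats (`ip:inacl#`, and Filter-Id with the `.in` suffix Cisco IOS expects) are real; the ISE syntax check and the switch-side processing are simplified models, and the ACL names, the host IP, the sample dACL body and the "no tracked IP" behaviour are constructed assumptions. It also reproduces why the ACE blackbird_bb posted fails the check: its source is a subnet, not 'any'.

```python
"""Model of ISE-to-switch ACL delivery: pushed per-user ACL vs. Filter-Id name.
Added example with simplified ISE and switch logic; attribute formats are real."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the ACE the original poster said ISE rejected,
# plus a dACL body whose ACEs all use 'any' as the source.
REJECTED_ACE = "deny udp 10.10.1.0 0.0.0.255 any eq 1024"
SAMPLE_DACL = """
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
deny ip any 10.10.1.0 0.0.0.255
permit ip any any
"""

# action, protocol, source, optional remainder (source wildcard/ports, destination)
ACE_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def _aces(text: str) -> List[str]:
    """Non-empty, non-comment lines of an ACL body, in order."""
    return [l.strip() for l in text.strip().splitlines()
            if l.strip() and not l.strip().startswith("!")]


def validate_dacl(text: str) -> List[str]:
    """Simplified ISE-style syntax check: every line must be a permit/deny ACE
    whose source is 'any', because the switch later replaces that 'any' with
    the host IP learned by device tracking. Returns a list of error strings."""
    errors = []
    for n, line in enumerate(_aces(text), 1):
        m = ACE_RE.match(line)
        if not m:
            errors.append(f"ACE {n}: not a permit/deny ACE: {line!r}")
        elif m.group(3) != "any":
            errors.append(f"ACE {n}: source must be 'any', got {m.group(3)!r}")
    return errors


def per_user_acl_attrs(text: str) -> List[str]:
    """Option 1 from the thread: ISE pushes the ACL body to the switch, one
    ACE per cisco-av-pair 'ip:inacl#<n>=<ace>'. Refuses a body ISE would reject."""
    errors = validate_dacl(text)
    if errors:
        raise ValueError("; ".join(errors))
    return [f"ip:inacl#{i}={ace}" for i, ace in enumerate(_aces(text), 1)]


def filter_id_attrs(acl_name: str) -> List[str]:
    """Option 2: only the name travels, in RADIUS Filter-Id. Cisco IOS expects
    the value as '<acl-name>.in' for an ACL applied inbound on the port."""
    return [f"Filter-Id={acl_name}.in"]


@dataclass
class SwitchState:
    local_acls: Dict[str, List[str]]  # ACL name -> ACEs configured on the switch
    tracked_ip: Optional[str]         # host IP learned by IP device tracking


def apply_on_switch(attrs: List[str], sw: SwitchState) -> List[str]:
    """Model of what the switch does with the RADIUS attributes: resolve a
    Filter-Id name against its own ACLs (case-sensitive, as imanv notes), or
    rewrite a pushed ACL so that source 'any' becomes 'host <tracked IP>'."""
    effective = []
    for attr in attrs:
        key, value = attr.split("=", 1)
        if key == "Filter-Id":
            if not value.endswith(".in"):
                raise ValueError(f"IOS expects Filter-Id as '<acl>.in', got {value!r}")
            name = value[:-3]
            if name not in sw.local_acls:  # exact-case lookup
                raise KeyError(f"ACL {name!r} is not defined on the switch")
            effective.extend(sw.local_acls[name])
        elif key.startswith("ip:inacl#"):
            if sw.tracked_ip is None:
                # Assumed behaviour: with no tracked host IP there is nothing to
                # substitute for 'any', so the pushed ACL cannot be installed.
                raise RuntimeError("no tracked host IP; enable device tracking")
            action, proto, _src, rest = (value.split(maxsplit=3) + [""])[:4]
            effective.append(f"{action} {proto} host {sw.tracked_ip} {rest}".rstrip())
        else:
            raise ValueError(f"unsupported attribute {key!r}")
    return effective


def filter_id_resolves(acl_name: str, sw: SwitchState) -> bool:
    """True if the switch holds an ACL under exactly that name."""
    try:
        apply_on_switch(filter_id_attrs(acl_name), sw)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    switch = SwitchState(
        local_acls={"GUEST-IN": ["permit udp any any eq domain", "deny ip any any"]},
        tracked_ip="192.0.2.10",
    )
    print("ISE check on rejected ACE:", validate_dacl(REJECTED_ACE))
    for attr in per_user_acl_attrs(SAMPLE_DACL):
        print("RADIUS:", attr)
    for ace in apply_on_switch(per_user_acl_attrs(SAMPLE_DACL), switch):
        print("switch:", ace)
    print("Filter-Id GUEST-IN resolves:", filter_id_resolves("GUEST-IN", switch))
    print("Filter-Id guest-in resolves:", filter_id_resolves("guest-in", switch))
```

Running it shows the pushed ACL landing on the switch with `host 192.0.2.10` in place of each source `any`, and the lower-case Filter-Id name failing to resolve. On a real switch the named ACL has to exist in the running config under exactly the name ISE sends, and device tracking (`ip device tracking` on older IOS, a `device-tracking` policy on newer releases) has to be active on the port, or the 'any' substitution cannot happen.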