ISE 2.4 and Authenticating Printers Using a DACL

RSundstrom
Beginner

Hello,

I would like to use a DACL in my ISE deployment to better secure networked printers.

I am currently at ISE 2.4 patch 8. I have a two-node deployment which has been working well.

I am now allowing printers onto the network by adding them to an Endpoint Identity group and then allowing that group network access.

I would like to be more secure than what I am doing now. I have considered certificates but because of the number of printers (about 110) and the variety of printer manufacturers I believe this would be very difficult.

I am now considering adding a DACL to better secure the printers. I have a DACL already created for the Printers Authorization Profile but it is simply "Permit IP any any".

I have researched and I would need to allow only certain ports (515 and 9100) and maybe others.

Can someone direct me to a sample of what a Printer DACL would look like?

 

1 Accepted Solution

Accepted Solutions

Colby LeMaire
Collaborator

Every environment would be different. Different vendors use different ports, some have centralized management on their own ports, users add printers to their computers in different ways (i.e. TCP/IP printing, print server, etc.). Try to discuss with your Service Desk or Desktop Support teams to gain a better understanding of the types of printers and how they are added to workstations. Then you can pick a small area to test with. Use a new authorization rule that adds a condition for a specific network device or a group of test network devices. Test printing different ways and do some packet captures if needed. As you get comfortable that your dACL is working, deploy it to all switches and troubleshoot one-offs as needed.

Anthony O'Reilly
Participant

Hi,

Did you apply a dACL for your printing solution?

As @Colby LeMaire mentioned, the DACLs can vary depending on the vendor/model of the printer as well as the features being used. You would definitely need to consult the vendor documentation and the technical team designing/deploying the printer solution to determine exactly what ports/protocols are required. You need to consider TCAM limitations on the switches that will use the DACL as having large ACLs applied to multiple ports can cause TCAM exhaustion and lead to memory issues.

Here is an example DACL we defined for one customer that is using Lexmark printers:

permit tcp any any eq 25
permit udp any any eq 53
permit udp any eq bootpc any eq bootps
permit udp any any eq 162
permit udp any eq 161 any
permit tcp any eq 161 any
permit udp any eq 9300 any range 1024 65534
permit udp any eq 9187 any range 1024 65534
permit tcp any eq 631 any
permit tcp any eq 515 any
permit tcp any eq 443 any
permit tcp any eq 80 any
permit tcp any eq 5000 5001 any
permit tcp any eq 5900 any
permit tcp any any eq 2939
permit tcp any eq 6110 any
permit udp any eq 6100 any eq 6100
permit udp any eq 5353 any
permit tcp any eq 21 any
permit tcp any eq 20 any
permit tcp any eq 9100 any
permit icmp any any echo-reply
deny ip any any
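
An added example (not part of the original post, and not Cisco or ISE code): a small Python check for a printer dACL like the one above. It parses each entry, reports whether the printer is acting as server or client (the source side of a dACL entry is the endpoint), and flags a catch-all permit such as the "Permit IP any any" from the original question. The function names are hypothetical and the sample entries are a constructed subset of the list above.

```python
# Added example: lint a printer dACL. Sample ACEs are a constructed subset of the
# Lexmark list quoted above, plus the "permit ip any any" from the original question.
SAMPLE_DACL = """\
permit udp any eq bootpc any eq bootps
permit udp any eq 9300 any range 1024 65534
permit tcp any eq 515 any
permit tcp any eq 5000 5001 any
permit tcp any any eq 2939
permit tcp any eq 9100 any
permit icmp any any echo-reply
permit ip any any
deny ip any any
"""

def parse_ace(line):
    """Split 'action proto any [src match] any [dst match]' into its fields."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[2] != "any" \
            or "any" not in tok[3:]:
        raise ValueError(f"not a dACL entry with source and destination 'any': {line!r}")
    d = tok.index("any", 3)            # the second 'any' is the destination
    return {"action": tok[0], "proto": tok[1], "src": tok[3:d], "dst": tok[d + 1:]}

def direction(ace):
    """The source side of a dACL entry is the endpoint, here the printer."""
    if ace["proto"] not in ("tcp", "udp"):
        return "no-ports"
    if ace["src"] and ace["dst"]:
        return "both-ports-fixed"
    if ace["src"]:
        return "printer-as-server"     # printer sends from its own listening port
    return "printer-as-client" if ace["dst"] else "any-port"

def lint(dacl):
    """Return (parsed entries, [(line number, finding), ...])."""
    aces = [parse_ace(l) for l in dacl.splitlines() if l.strip()]
    findings = []
    for n, ace in enumerate(aces, 1):
        if ace["action"] == "permit" and (ace["proto"] == "ip" or direction(ace) == "any-port"):
            findings.append((n, "matches every port of this protocol, shadowing later entries for it"))
    if not aces or (aces[-1]["action"], aces[-1]["proto"]) != ("deny", "ip"):
        findings.append((len(aces), "no explicit 'deny ip any any' as the last entry"))
    return aces, findings

if __name__ == "__main__":
    aces, findings = lint(SAMPLE_DACL)
    print(len(aces), "entries")        # entry count matters for switch TCAM use
    for n, ace in enumerate(aces, 1):
        print(n, direction(ace), ace["proto"], ace["src"] or ace["dst"])
    for n, msg in findings:
        print(f"line {n}: {msg}")
```
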

thomas
Cisco Employee

@RSundstrom  Please do share your findings with us about the various printers and ports!

Sina Dy
Beginner

Hi Team,

I'm looking for help with, and an explanation of, DACLs. Currently, we're planning to improve restrictions on IoT devices in order to prevent any attacks as well as MAC address spoofing.

Kindly help explain the following.

What is the main purpose of a DACL? How does a DACL work with IoT devices?

Can we use a DACL to limit IoT devices in the same VLAN? How does it work without network segmentation? Example: in case of improper network segmentation or allow VLAN.

One more thing: what information or prerequisites should we have and collect to configure a DACL for IoT devices?

Please help share if you have any documents or an end-to-end guideline.

 

Thank you in advance.

Anthony O'Reilly
Participant

Hi @Sina Dy 

 

The main purpose of a dACL is to restrict traffic from the device to the network.

 

After your IoT device authenticates, it will go through the authorization process and get an authorization profile from the policy set it matches; in the authz profile, you can assign a dACL.

You can enable probes on ISE; from the information that is sent to ISE, profiles can be created. You can create policy sets to match against this profile and you can also select security groups on the same ruleset.

You can also set a VLAN change if matched against the ruleset. This is also done in the authz profile.

 

Hope this makes sense.

Hi @Anthony O'Reilly ,

 

Thank you so much. 

 

What information or prerequisites should we have and collect to configure a DACL for IoT devices?

Please help share if you have any documents or an end-to-end guideline.

Anthony O'Reilly
Participant

Hi @Sina Dy 

 

Have a look at this; it goes through all the steps. When configuring your dACL, add in the networks, hosts and/or ports that your IoT device can connect to:

 

https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010100.html

 

This is also good. It covers an old version of ISE, but the concept is the same:

Authorization Policies > Authentication and Authorization Policies: Using Cisco Identity Services Engine in a BYOD World | Cisco Press

 

Hi @Anthony O'Reilly ,

 

Thank you so much for sharing. I will take a look. If I have any other questions, I will drop them here.

 

 

Please rate if this has been helpful.
