RSundstrom
Beginner

ISE 2.4 and Authenticating Printers Using a DACL

Hello,

I would like to use a DACL in my ISE deployment to better secure networked printers.

I am currently at ISE 2.4 patch 8. I have a two-node deployment which has been working well.

I am now allowing printers onto the network by adding them to an Endpoint Identity group and then allowing that group network access.

I would like to be more secure than what I am doing now. I have considered certificates but because of the number of printers (about 110) and the variety of printer manufacturers I believe this would be very difficult.

I am now considering adding a DACL to better secure the printers. I have a DACL already created for the Printers Authorization Profile but it is simply "Permit IP any any".

I have researched and I would need to allow only certain ports (515 and 9100) and maybe others.

Can someone direct me to a sample of what a Printer DACL would look like?


1 Accepted Solution
Colby LeMaire
VIP Collaborator

Every environment would be different. Different vendors use different ports, some have centralized management on their own ports, users add printers to their computers in different ways (e.g. TCP/IP printing, print server, etc.). Try to discuss with your Service Desk or Desktop Support teams to gain a better understanding of the types of printers and how they are added to workstations. Then you can pick a small area to test with. Use a new authorization rule that adds a condition for a specific network device or a group of test network devices. Test printing different ways and do some packet captures if needed. As you get comfortable that your dACL is working, deploy it to all switches and troubleshoot one-offs as needed.

4 Replies

Anthony O'Reilly
Beginner

Hi,


Did you apply a dACL for your printing solution?

As @Colby LeMaire mentioned, the DACLs can vary depending on the vendor/model of the printer as well as the features being used. You would definitely need to consult the vendor documentation and the technical team designing/deploying the printer solution to determine exactly what ports/protocols are required. You also need to consider TCAM limitations on the switches that will use the DACL, as having large ACLs applied to multiple ports can cause TCAM exhaustion and lead to memory issues.

Here is an example DACL we defined for one customer that is using Lexmark printers:

permit tcp any any eq 25
permit udp any any eq 53
permit udp any eq bootpc any eq bootps
permit udp any any eq 162
permit udp any eq 161 any
permit tcp any eq 161 any
permit udp any eq 9300 any range 1024 65534
permit udp any eq 9187 any range 1024 65534
permit tcp any eq 631 any
permit tcp any eq 515 any
permit tcp any eq 443 any
permit tcp any eq 80 any
permit tcp any range 5000 5001 any
permit tcp any eq 5900 any
permit tcp any any eq 2939
permit tcp any eq 6110 any
permit udp any eq 6100 any eq 6100
permit udp any eq 5353 any
permit tcp any eq 21 any
permit tcp any eq 20 any
permit tcp any eq 9100 any
permit icmp any any echo-reply
deny ip any any

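An added example, not code from this thread or from Cisco, that does the review work the two answers describe: it lints a dACL written in the IOS extended-ACL syntax shown above (ISE rejects malformed ACEs, and `eq` takes a single port, so the 5000/5001 entry has to be a `range`), evaluates traffic leaving the printer against the list with first-match semantics and the implicit deny, and lists the printer-side service ports a dACL lets the printer answer from, which is what you look at when deciding whether 5900 (VNC) or FTP really need to stay open. The embedded sample is a constructed excerpt of the Lexmark list posted above; the function names, the port-name table and the test packets are assumptions of the example.

```python
"""Lint and evaluate an ISE dACL in IOS extended-ACL syntax (added example)."""
from ipaddress import IPv4Address

# Port keywords accepted in place of numbers (assumed subset of the IOS names).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "ftp": 21,
              "ftp-data": 20, "smtp": 25, "snmp": 161, "snmptrap": 162, "lpd": 515}


def _port(tok):
    if tok.isdigit() and int(tok) <= 65535:
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"unknown port {tok!r}")


def _addr(toks, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> (spec, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return (int(IPv4Address(toks[i + 1])), 0), i + 2
    return (int(IPv4Address(toks[i])), int(IPv4Address(toks[i + 1]))), i + 2


def _portop(toks, i):
    """Optional 'eq|gt|lt|neq N' or 'range N M' -> ((op, lo, hi) or None, next index)."""
    if i < len(toks) and toks[i] in ("eq", "gt", "lt", "neq"):
        return (toks[i], _port(toks[i + 1]), None), i + 2
    if i < len(toks) and toks[i] == "range":
        return ("range", _port(toks[i + 1]), _port(toks[i + 2])), i + 3
    return None, i


def parse_ace(line):
    """Parse one ACE into a dict, or raise ValueError naming the problem."""
    t = line.split()
    try:
        if t[0] not in ("permit", "deny") or t[1] not in ("ip", "tcp", "udp", "icmp"):
            raise ValueError("expected 'permit|deny ip|tcp|udp|icmp ...'")
        proto, has_ports = t[1], t[1] in ("tcp", "udp")
        src, i = _addr(t, 2)
        sp, i = _portop(t, i) if has_ports else (None, i)
        dst, i = _addr(t, i)
        dp, i = _portop(t, i) if has_ports else (None, i)
        icmp = None
        if proto == "icmp" and i < len(t):
            icmp, i = t[i], i + 1
        if i != len(t):
            raise ValueError(f"unexpected tokens {t[i:]}")
    except (IndexError, ValueError) as exc:  # bad address raises a ValueError subclass
        raise ValueError(f"{line!r}: {exc}") from None
    return {"action": t[0], "proto": proto, "src": src, "sp": sp, "dst": dst, "dp": dp, "icmp": icmp}


def lint(text):
    """Parse every non-blank line; return (aces, [(line_no, error), ...])."""
    aces, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            try:
                aces.append(parse_ace(line))
            except ValueError as exc:
                errors.append((n, str(exc)))
    return aces, errors


def _hit(spec, ip, op, port):
    """Match one endpoint: wildcard-masked address, then the optional port operator."""
    if spec != "any" and (ip is None or (int(IPv4Address(ip)) | spec[1]) != (spec[0] | spec[1])):
        return False
    if op is None:
        return True
    if port is None:
        return False
    kind, lo, hi = op
    if kind == "range":
        return lo <= port <= hi
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo, "lt": port < lo}[kind]


def evaluate(aces, proto, src_port=None, dst_port=None, src_ip=None, dst_ip=None, icmp=None):
    """First-match decision for a packet sent by the printer; implicit deny at the end."""
    for a in aces:
        if (a["proto"] in ("ip", proto) and _hit(a["src"], src_ip, a["sp"], src_port)
                and _hit(a["dst"], dst_ip, a["dp"], dst_port) and a["icmp"] in (None, icmp)):
            return a["action"]
    return "deny"


def printer_services(aces):
    """(proto, port) pairs the printer may answer *from*. The dACL filters traffic
    the printer sends, so 'eq N' on the source side exposes the printer's service N."""
    out = set()
    for a in aces:
        if a["action"] == "permit" and a["sp"] and a["sp"][0] in ("eq", "range"):
            kind, lo, hi = a["sp"]
            out.update((a["proto"], p) for p in range(lo, (hi if kind == "range" else lo) + 1))
    return out


# Constructed excerpt of the Lexmark dACL from the thread, 5000/5001 as a valid range.
SAMPLE_DACL = """\
permit udp any any eq 53
permit udp any eq bootpc any eq bootps
permit udp any eq 9300 any range 1024 65534
permit tcp any eq 631 any
permit tcp any eq 515 any
permit tcp any range 5000 5001 any
permit tcp any eq 5900 any
permit tcp any eq 9100 any
permit icmp any any echo-reply
deny ip any any
"""
BROKEN_ACE = "permit tcp any eq 5000 5001 any"  # 'eq' takes one port; ISE rejects this

if __name__ == "__main__":
    aces, errors = lint(SAMPLE_DACL)
    print(f"{len(aces)} ACEs (each one costs TCAM on every port it lands on), {len(errors)} errors")
    print("lpd reply to a client:", evaluate(aces, "tcp", src_port=515, dst_port=50000))
    print("printer -> ssh:", evaluate(aces, "tcp", src_port=44000, dst_port=22))
    print("services the printer may answer from:", sorted(printer_services(aces)))
    print("broken line:", lint(BROKEN_ACE)[1])
```

Run the lint over a candidate dACL before pasting it into ISE, and use the ACE count together with the TCAM caveat above: the same list is pushed to every printer port, so trimming entries the packet captures never show in use (the ICMP rule, VNC on 5900, FTP on 20/21 if nobody uses it) both tightens the printer's exposure and saves TCAM.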
thomas
Cisco Employee

@RSundstrom Please do share your findings with us about the various printers and ports!