Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE 2.4 and Authenticating Printers Using a DACL


I would like to use a DACL in my ISE deployment to more secure networked printers.

I am currently at ISE 2.4 patch 8. I have a two-node deployment which has been working well.

I am now allowing printers onto the network by adding them to a Endpoint Identity group and then allowing that group network access.

I would like to be more secure than what I am doing now. I have considered certificates but because of the number of printers (about 110) and the variety of printer manufacturers I believe this would be very difficult.

I am now considering adding a DACL to more secure the printers. I have a DACL already created for the Printers Authorization Profile but it is simply "Permit IP any any".

I have researched and I would need to allow only certain ports (515 and 9100) and maybe others.

Can someone direct me to a sample of what a Printer DACL would look like?


Rising star

Re: ISE 2.4 and Authenticating Printers Using a DACL

Every environment would be different.  Different vendors use different ports, some have centralized management on their own ports, users add printers to their computers in different ways (i.e. TCP/IP printing, print server, etc.).  Try to discuss with your Service Desk or Desktop Support teams to gain a better understanding of the types of printers and how they are added to workstations.  Then you can pick a small area to test with.  Use a new authorization rule that adds a condition for a specific network device or a group of test network devices.  Test printing different ways and do some packet captures if needed.  As you get comfortable that your dACL is working, deploy it to all switches and troubleshoot one-off's as needed.