02-12-2020 11:12 AM - edited 02-12-2020 11:19 AM
Hello,
I would like to use a DACL in my ISE deployment to better secure networked printers.
I am currently at ISE 2.4 patch 8. I have a two-node deployment which has been working well.
I am now allowing printers onto the network by adding them to an Endpoint Identity group and then allowing that group network access.
I would like to be more secure than what I am doing now. I have considered certificates but because of the number of printers (about 110) and the variety of printer manufacturers I believe this would be very difficult.
I am now considering adding a DACL to better secure the printers. I have a DACL already created for the Printers Authorization Profile but it is simply "Permit IP any any".
I have researched this and I would need to allow only certain ports (515 and 9100) and maybe others.
Can someone direct me to a sample of what a Printer DACL would look like?
02-12-2020 01:01 PM
Every environment would be different. Different vendors use different ports, some have centralized management on their own ports, users add printers to their computers in different ways (i.e. TCP/IP printing, print server, etc.). Try to discuss with your Service Desk or Desktop Support teams to gain a better understanding of the types of printers and how they are added to workstations. Then you can pick a small area to test with. Use a new authorization rule that adds a condition for a specific network device or a group of test network devices. Test printing different ways and do some packet captures if needed. As you get comfortable that your dACL is working, deploy it to all switches and troubleshoot one-offs as needed.
03-11-2021 04:35 PM
Hi,
Did you apply a dACL for your printing solution?
03-14-2021 03:45 PM
As @Colby LeMaire mentioned, the DACLs can vary depending on the vendor/model of the printer as well as the features being used. You would definitely need to consult the vendor documentation and the technical team designing/deploying the printer solution to determine exactly what ports/protocols are required. You need to consider TCAM limitations on the switches that will use the DACL as having large ACLs applied to multiple ports can cause TCAM exhaustion and lead to memory issues.
Here is an example DACL we defined for one customer that is using Lexmark printers:
permit tcp any any eq 25
permit udp any any eq 53
permit udp any eq bootpc any eq bootps
permit udp any any eq 162
permit udp any eq 161 any
permit tcp any eq 161 any
permit udp any eq 9300 any range 1024 65534
permit udp any eq 9187 any range 1024 65534
permit tcp any eq 631 any
permit tcp any eq 515 any
permit tcp any eq 443 any
permit tcp any eq 80 any
permit tcp any eq 5000 5001 any
permit tcp any eq 5900 any
permit tcp any any eq 2939
permit tcp any eq 6110 any
permit udp any eq 6100 any eq 6100
permit udp any eq 5353 any
permit tcp any eq 21 any
permit tcp any eq 20 any
permit tcp any eq 9100 any
permit icmp any any echo-reply
deny ip any any
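A minimal starting point for the original question (ports 515 and 9100 only), shown as an added example that is not from this thread, from Cisco or from the Lexmark dACL above. A dACL is applied inbound on the printer's switchport, so every line describes traffic the printer itself sends; replies to inbound print jobs therefore appear with 515 (LPD) and 9100 (raw/JetDirect) as the source port. The DNS resolver address 192.0.2.53 is a placeholder, and the remark lines are explanatory only and can be dropped if your ISE version's dACL syntax checker rejects them.

```ios
remark --- Before: the dACL currently attached to the Printers authorization profile ---
permit ip any any

remark --- After: printer-only dACL (inbound on the switchport, source = the printer) ---
remark DHCP client traffic so the printer can obtain and renew its lease
permit udp any eq bootpc any eq bootps
remark DNS lookups, restricted to the enterprise resolver (placeholder address)
permit udp any host 192.0.2.53 eq 53
remark Replies to print jobs: LPD (515) and raw/JetDirect (9100) are the printer's source ports here
permit tcp any eq 515 any
permit tcp any eq 9100 any
remark Answer pings so monitoring can still reach the printer
permit icmp any any echo-reply
remark Everything else the printer originates is dropped
deny ip any any
```

Attach the "After" entries to the Printers authorization profile in place of "permit ip any any"; keeping the entry count this small also limits the TCAM consumed on each switch that receives the dACL.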
03-13-2021 11:52 AM
@RSundstrom Please do share your findings with us about the various printers and ports!
10-21-2021 04:52 AM
Hi Team,
I'm looking for help and an explanation of DACLs. Currently, we're planning to improve restrictions on IoT devices in order to prevent attacks as well as MAC address spoofing.
Kindly help to explain the points below.
What is the main purpose of having a DACL? How does a DACL work with IoT devices?
Can we use a DACL to limit IoT devices in the same VLAN? How does it work without network segmentation? For example, in the case of improper network segmentation or allow VLAN.
One more thing: what information or prerequisites should we have and collect for configuring a DACL for IoT devices?
Please share if you have any documents or an end-to-end guideline.
Thank you in advance.
10-21-2021 07:47 AM
Hi @Sina Dy
The main purpose of a dACL is to restrict traffic from the device to the network.
After your IoT device authenticates, it will go through the authorization process, get an authorization profile from the policy set it matches and in the authz profile, you can assign a dACL.
You can enable probes on ISE; from the information that is sent to ISE, profiles can be created. You can create policy sets to match against this profile, and you can also select security groups in the same ruleset.
You can also set a VLAN change if matched against the ruleset. This is also completed on the Authz profile.
Hope this makes sense.
10-21-2021 08:21 AM
Hi @Anthony O'Reilly ,
Thank you so much.
What information or prerequisites should we have and collect for configuring a DACL for IoT devices?
Please share if you have any documents or an end-to-end guideline.
10-22-2021 08:44 AM
Hi @Sina Dy
Have a look at this; it goes through all the steps. When configuring your dACL, add the networks, hosts and/or ports that your IoT device can connect to:
This is also good; it is for an old version of ISE but the concept is the same.
10-23-2021 09:48 AM
Hi @Anthony O'Reilly ,
Thank you so much for sharing. I will take a look. If I have any other questions I will drop them here.
11-03-2021 04:35 AM
Please rate if this has been helpful.