ISE dACL when switchport has a phone and a computer

mnkojima
Level 1

Hello

We are implementing ISE and we authenticate users through MS AD and phones through MAB. We want to enforce authorization by DACL at the access switch.

My question is: since the DACL is applied at the physical port, it will affect both voice and data traffic. Since in my ISE policy set I have one authZ rule for users and another for phones, would it be possible to apply different DACLs (one for phone and another for computer) at that switchport?

Thank you

Marcos

2 Accepted Solutions

poongarg
Cisco Employee

Hi Marcos,

The dACL is applied on a per-session basis. When you connect both the PC and phone, you will see 2 authentication sessions on the switchport when you run the command "show auth session detail interface <>". So you can push a different dACL for the phone and the PC.

HTH
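
A check built on the answer above, as an added example that is not part of the original reply or any Cisco tooling: it parses a constructed, simplified sample in the style of the session-detail output and reports any session on the port that has no dACL or shares one with another session. The field labels, MAC addresses and dACL names are assumptions made for illustration.

```python
import re

# Constructed, simplified sample; every value below is made up.
SAMPLE = """\
            Interface:  GigabitEthernet1/0/10
          MAC Address:  0000.5e00.5301
               Status:  Authorized
               Domain:  VOICE
Server Policies:
              ACS ACL:  xACSACLx-IP-EXAMPLE_PHONE_DACL-00000001
----------------------------------------
            Interface:  GigabitEthernet1/0/10
          MAC Address:  0000.5e00.5302
               Status:  Authorized
               Domain:  DATA
Server Policies:
              ACS ACL:  xACSACLx-IP-EXAMPLE_PC_DACL-00000002
"""

def parse_sessions(text):
    """Split on dashed separator lines; return one dict of fields per session."""
    sessions = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():      # skips bare headers like "Server Policies:"
                fields[key.strip()] = value.strip()
        if "MAC Address" in fields:
            sessions.append(fields)
    return sessions

def audit_port(sessions):
    """Flag sessions that are unauthorized, lack a dACL, or reuse another's dACL."""
    findings, seen = [], {}
    for s in sessions:
        mac, acl = s["MAC Address"], s.get("ACS ACL")
        if s.get("Status") != "Authorized":
            findings.append(f"{mac}: not authorized")
        elif acl is None:
            findings.append(f"{mac}: authorized without a dACL")
        elif acl in seen:
            findings.append(f"{mac}: shares dACL {acl} with {seen[acl]}")
        else:
            seen[acl] = mac
    return findings

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["Domain"], s["MAC Address"], s.get("ACS ACL"))
    print(audit_port(parse_sessions(SAMPLE)) or "each session has its own dACL")
```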
