04-26-2023 05:52 AM
Hello
We are implementing ISE and we authenticate users through MS AD and phones through MAB. We want to enforce authorization by DACL at the access switch.
My question is: since the DACL is applied at the physical port, it will affect both voice and data traffic. Since in my ISE policy set I have one authZ rule for users and another for phones, would it be possible to apply different DACLs (one for the phone and another for the computer) at that switchport?
Thank you
Marcos
04-26-2023 07:28 AM
Hi Marcos,
The dACL is applied on a per-session basis. When you connect both the PC and phone, you will see 2 authentication sessions on the switchport when you run the command "show auth session detail interface <>". So you can push a different dACL for the phone and the PC.
HTH
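Added example (not part of the original thread and not Cisco code): a small Python check over constructed, simplified text in the style of the per-session output mentioned above, confirming that the phone and PC sessions on one port each carry their own dACL. The field labels, dACL names, MAC addresses and interface are assumptions for illustration; adjust them to what your switch prints.

```python
import re
from collections import defaultdict

# Constructed, simplified sample of two sessions on one port (labels are assumptions).
SAMPLE = """\
            Interface:  GigabitEthernet1/0/5
          MAC Address:  0011.2233.4455
               Status:  Authorized
               Domain:  VOICE
Server Policies:
              ACS ACL:  xACSACLx-IP-PHONE_DACL-00000001
----------------------------------------
            Interface:  GigabitEthernet1/0/5
          MAC Address:  00aa.bbcc.ddee
               Status:  Authorized
               Domain:  DATA
Server Policies:
              ACS ACL:  xACSACLx-IP-USER_DACL-00000002
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?):\s+(\S.*)$")

def parse_sessions(text):
    """Split the output on separator lines and return one dict per session."""
    sessions, cur = [], {}
    for line in text.splitlines():
        if line.strip().startswith("---"):
            if cur:
                sessions.append(cur)
            cur = {}
        elif (m := FIELD.match(line)):
            cur[m.group(1).strip()] = m.group(2).strip()
    if cur:
        sessions.append(cur)
    return sessions

def audit_port(sessions):
    """Flag authorized sessions with no dACL and dACLs shared across domains."""
    findings, by_acl = [], defaultdict(set)
    for s in sessions:
        acl, dom = s.get("ACS ACL"), s.get("Domain", "UNKNOWN")
        if acl:
            by_acl[acl].add(dom)
        elif s.get("Status") == "Authorized":
            findings.append(f"{s.get('MAC Address')} ({dom}): authorized, no dACL")
    for acl, doms in by_acl.items():
        if len(doms) > 1:
            findings.append(f"{acl}: shared by domains {sorted(doms)}")
    return findings

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["MAC Address"], s["Domain"], s.get("ACS ACL"))
    print(audit_port(parse_sessions(SAMPLE)) or "each session has its own dACL")
```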
04-27-2023 08:30 AM
@poongarg is correct.
Please see the ISE Secure Wired Access Prescriptive Deployment Guide for best practice configurations including these specific sections that talk about user and phone authorization.