ISE NSP ACL when deploying BYOD

xili5
Cisco Employee

Dears,

I plan to deploy BYOD for mobile device access control with ISE 2.1. The ACL of Native Supplicant Provisioning in the authorization profile confused me. In my understanding, it should be a redirect ACL and serve the same function as the Centralized Web Auth ACL used for guest portal URL redirection: a permit statement represents traffic that should be redirected to ISE, and a deny statement represents traffic that should be allowed to process further.

But when I read the configuration guide and use cases, it should NOT be as I understood. It seems that the logic of the ACL follows the common usage, where a permit statement means "allow" and deny means "block". But I can't find any document that details it and validates my understanding.

So, is there anyone who has experience with it and can specify how to define the ACL used for the NSP authorization profile?

br,

Martin

Accepted Solution

nspasov
Cisco Employee

Hi Martin-

Yes, it is a bit confusing. To make it even more confusing, the behavior changes between platforms. For instance, in switches, the "deny" statement instructs the switch to "deny" traffic from being redirected. This is why you need the deny statements for ISE, DNS, DHCP. On the flip side, the "permit" statements instruct the switch to "permit" traffic for redirection. This is why you typically see "permit ip any any" at the bottom of the redirection ACL configured on a switch.

In the WLCs, things are the exact opposite. The "deny" statements will redirect the traffic while the "permit" statements will not. :) As a result, in the WLCs you typically see "permit" statements for ISE, DNS, DHCP followed by a "deny ip any any" at the bottom of the ACL. 

I hope this helps!

Thank you for rating helpful posts!
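As an added illustration (not from the original post, and not Cisco's own code): a small Python model of the two redirect-ACL semantics described above, evaluating a switch-style and a WLC-style ACL against a few constructed packets. The ISE PSN address, the other addresses and the packet set are placeholders chosen for the example.

```python
# Model of Cisco redirect-ACL semantics on a switch vs. a WLC.
# Constructed example: addresses are documentation-range placeholders.
ISE_PSN = "192.0.2.10"
# ACL entry: (action, protocol, dst host or None for "any", dst port or None).
def first_match(acl, proto, dst_ip, dst_port):
    """First-match evaluation like a Cisco ACL, implicit deny at the end."""
    for action, acl_proto, host, port in acl:
        if acl_proto != "ip" and acl_proto != proto:
            continue
        if host is not None and host != dst_ip:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"

def is_redirected(platform, acl, proto, dst_ip, dst_port):
    """True if the packet is redirected to the ISE portal.
    switch: permit = redirect, deny = leave alone; wlc: the opposite.
    Only the redirect decision is modelled, not whether the traffic is allowed."""
    action = first_match(acl, proto, dst_ip, dst_port)
    if platform == "switch":
        return action == "permit"
    if platform == "wlc":
        return action == "deny"
    raise ValueError(f"unknown platform: {platform}")

# Switch-style redirect ACL from the thread: deny ISE/DNS/DHCP, permit ip any any.
SWITCH_ACL = [
    ("deny", "ip", ISE_PSN, None),
    ("deny", "udp", None, 53),   # DNS
    ("deny", "udp", None, 67),   # DHCP server port
    ("permit", "ip", None, None),
]
# WLC-style ACL with the same intent and the opposite actions.
WLC_ACL = [
    ("permit", "ip", ISE_PSN, None),
    ("permit", "udp", None, 53),
    ("permit", "udp", None, 67),
    ("deny", "ip", None, None),
]
# Constructed sample packets: (protocol, destination address, destination port).
SAMPLE_PACKETS = {
    "ise_portal": ("tcp", ISE_PSN, 8443),
    "dns": ("udp", "198.51.100.53", 53),
    "dhcp": ("udp", "255.255.255.255", 67),
    "web": ("tcp", "203.0.113.80", 80),
}
def redirect_table(platform, acl):
    # Which sample packets the platform would redirect under this ACL.
    return {n: is_redirected(platform, acl, *p) for n, p in SAMPLE_PACKETS.items()}
```

Both ACLs yield the same result: only the "web" packet is redirected, while traffic to ISE, DNS and DHCP passes through untouched; dropping the trailing "permit ip any any" on the switch side makes it redirect nothing at all.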

