Port security without CoA .. or DACL..

vyas.nilay
Level 1

Hi,

I have a question if someone can help me out..

I have ISE to perform CoA for the switches, which will push a DACL on the switches.. ISE is managed by a third party in a shared environment.

To protect the network, I have been asked to change the switch configuration for either of the following:

- control CoA to make sure what CoA can be pushed to the switches.. they only want CoA to change the VLAN and use the ACL on the VLAN to control the traffic on the VLAN, rather than ISE allowing a DACL.

or

- Configure the switch in a way that, based on the RADIUS reply, it can perform the required action ..

I have no idea, and my Google search got me nowhere in finding out what can be done.

Can someone please help me out with this one?

Thanks,

Nilay.

2 Replies

Marvin Rhoads
Hall of Fame

Once you have allowed ISE to act as the Authorization server for the switch and put a given interface under port control, I don't believe you can restrict what actions (among the supported ones) that ISE may perform.

In other words, it's all or none regarding CoA.

Sweet.. Thanks for the clarification .. that's one thing..

So do I have any option on the switch port configuration to replicate what CoA is supposed to do..

I mean I get a reply from ISE.. authentication yes or no.. and then the switch port configuration decides whether to block, allow or change the switch port into a remediation VLAN to update the antivirus?

Just wondering.. The logic is RADIUS says yes or no, so based on that I can do either allow or block.. I can start with block and, if it allows, I will just move them to the allow VLAN.. but I want to see what are the options here.

ta

Nilay.
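As an added illustration of the VLAN-based approach discussed in this thread (not configuration from either poster, nor a Cisco reference config), the following classic IOS authentication-manager snippet leaves out the `aaa server radius dynamic-author` block, so the switch accepts no CoA from ISE at all, and instead acts only on the Access-Accept/Reject it receives: a port stays blocked until RADIUS says yes, moves to the RADIUS-assigned or configured VLAN on success, and falls into a remediation VLAN whose traffic is filtered by an ACL on the SVI. Interface numbers, VLAN IDs, IP addresses, ACL names and the shared secret are constructed placeholders; note that without CoA, a changed verdict on ISE only takes effect on the next reauthentication, which is why periodic reauth is enabled.

```text
! Constructed example; all names, VLANs and addresses are placeholders.
! Global AAA: authenticate and authorize against ISE, but deliberately no
! "aaa server radius dynamic-author" block, so CoA requests are not accepted.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key SHARED-SECRET-PLACEHOLDER
dot1x system-auth-control
!
! Remediation VLAN 99: hosts may reach only the AV update server plus DHCP/DNS.
! Enforced on the SVI, not via a DACL from ISE.
ip access-list extended REMEDIATION-IN
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any host 192.0.2.50
 deny ip any any
interface Vlan99
 ip access-group REMEDIATION-IN in
!
! Access port in closed mode: nothing passes until an Access-Accept arrives.
! On Accept the port joins the VLAN ISE returns (Tunnel-Private-Group-ID) or
! stays in VLAN 10; on Reject or no supplicant it is placed in VLAN 99.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication event server dead action authorize vlan 99
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```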