Providing different ACLs for the same device depending on where it is connected?

NicolasDemonty
Level 1

Hi all,

In a classic ISE NAC design, is it possible to send a different downloadable ACL to the same device depending on where it is connected? For example:

- Laptop X connected in VLAN 100 (IP range 10.10.10.0/24): gets the downloadable access-list "permit any".

- The same laptop X connected in VLAN 20 (IP range 20.20.20.0/24): gets a different downloadable access-list "deny all".

I know it is possible to provide a dACL based on the IP range, but is it also possible to base the ACL on "type of device + IP range"?

Thanks in advance

Nic

3 Replies

nspasov
Cisco Employee

Hi Nic, this should be possible. I have done this in the past, where I had to push a different dACL based on the office location and floor number. For this I used the "Device-Location" attribute: switches were grouped based on their device location, which I then used in the authorization rules. For instance:

If device location = SiteA-Floor-1 then dACL = ACL_1

If device location = SiteA-Floor-3 then dACL = ACL_2

I hope this helps!

Thank you for rating helpful posts!
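As an added illustration (not Cisco ISE code and not anything posted in this thread), the following Python evaluator shows how the two rule shapes discussed here, the reply's "switch location group → dACL" rule and the original "endpoint type + IP range" condition, can be combined in a top-down, first-match authorization policy with a deny-all default. Only the RADIUS attribute names (NAS-IP-Address, Framed-IP-Address) are standard; the location group names, switch IPs, endpoint group, subnets and dACL names are constructed for the example.

```python
"""Toy ISE-style authorization policy evaluator (added example, not ISE code).

A RADIUS Access-Request is modelled as a dict of attribute name -> value.
Rules are evaluated top-down and the first match wins, as in an ISE
authorization policy; anything unmatched falls through to a deny dACL.
"""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Optional, Tuple

# Constructed: network device group "Location" keyed by the switch's
# NAS-IP-Address. In ISE this is the NAD's location group, which is what
# the reply above matched on (SiteA-Floor-1, SiteA-Floor-3).
DEVICE_LOCATION: Dict[str, str] = {
    "10.0.0.1": "SiteA-Floor-1",
    "10.0.0.2": "SiteA-Floor-3",
}

DEFAULT_DACL = "DENY_ALL"  # fail closed when no rule matches


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]
    dacl: str


def device_location(req: dict) -> Optional[str]:
    """Location group of the NAD that sent the request, if it is known."""
    return DEVICE_LOCATION.get(req.get("NAS-IP-Address", ""))


def location_is(location: str) -> Callable[[dict], bool]:
    return lambda req: device_location(req) == location


def endpoint_group_is(group: str) -> Callable[[dict], bool]:
    # Stands in for an ISE endpoint identity group / profiler result.
    return lambda req: req.get("EndpointGroup") == group


def framed_ip_in(subnet: str) -> Callable[[dict], bool]:
    """Match the endpoint IP reported by the NAD against a subnet.

    Caveat: at the initial 802.1X/MAB authorization the endpoint usually
    has no IP address yet, so Framed-IP-Address is frequently absent.
    An absent or malformed value is treated as no match (fail closed).
    """
    net = ip_network(subnet)

    def cond(req: dict) -> bool:
        raw = req.get("Framed-IP-Address")
        if raw is None:
            return False
        try:
            return ip_address(raw) in net
        except ValueError:
            return False

    return cond


def all_of(*conds: Callable[[dict], bool]) -> Callable[[dict], bool]:
    return lambda req: all(c(req) for c in conds)


# Constructed policy. Rows 1-2 answer the original question (same laptop,
# different VLAN/IP range -> different dACL); rows 3-4 are the reply's
# location-based rules. Order matters: first match wins.
POLICY = [
    Rule("Corp laptop in VLAN 100",
         all_of(endpoint_group_is("Corp-Laptop"), framed_ip_in("10.10.10.0/24")),
         "PERMIT_ANY"),
    Rule("Corp laptop in VLAN 20",
         all_of(endpoint_group_is("Corp-Laptop"), framed_ip_in("20.20.20.0/24")),
         "DENY_ALL"),
    Rule("SiteA Floor 1", location_is("SiteA-Floor-1"), "ACL_1"),
    Rule("SiteA Floor 3", location_is("SiteA-Floor-3"), "ACL_2"),
]


def authorize(req: dict, policy=POLICY) -> Tuple[str, str]:
    """Return (matched rule name, dACL name) for a request."""
    for rule in policy:
        if rule.condition(req):
            return rule.name, rule.dacl
    return "Default", DEFAULT_DACL


if __name__ == "__main__":
    # Constructed sample requests.
    print(authorize({"EndpointGroup": "Corp-Laptop", "NAS-IP-Address": "10.0.0.1",
                     "Framed-IP-Address": "10.10.10.25"}))
    print(authorize({"EndpointGroup": "Corp-Laptop", "NAS-IP-Address": "10.0.0.2"}))
    print(authorize({"EndpointGroup": "Printer", "NAS-IP-Address": "192.0.2.9"}))
```

Two practical notes. First, because Framed-IP-Address is normally not present in the first Access-Request of an 802.1X or MAB session, an IP-range condition is only dependable on a re-authorization or CoA after the switch has learned the address; matching on the NAD (NAS-IP-Address and its location group) is available from the very first request. Second, on Cisco IOS switches a dACL is applied per session and needs IP device tracking enabled on the access ports so the switch can bind the endpoint's IP to the session; without it the downloaded ACL will not take effect as expected.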

Hi Neno,

Thanks for the reply. Actually, this method doesn't suit me, as I have to differentiate by VLAN or IP network, and I can have two of the VLANs in the same location.

kr

Nic

Before I can provide any additional suggestions, you will need to outline the exact requirements :) Can you give us more details on exactly what you are trying to accomplish?

Thank you for rating helpful posts!