Providing different ACL for the same device depending where connected ?

NicolasDemonty
Level 1

Hi all,

In a classic ISE/NAC design, is it possible to send a different downloadable ACL to the same device depending on where it is connected? For example:

- Laptop X connected in VLAN 100 (IP range 10.10.10.0/24): gets downloadable access-list "permit any".

- Same laptop X connected in VLAN 20 (IP range 20.20.20.0/24): gets a different downloadable access-list "deny all".

I know it is possible to provide a dACL based on the IP range, but is it also possible to base the ACL on "type of device + IP range"?

Thanks in advance

Nic

3 Replies

nspasov
Cisco Employee

Hi Nic, this should be possible. I have done this in the past where I had to push a different dACL based on the office location and floor number. For this, I used the "Device-Location" attribute. Thus, switches were grouped based on the device location, which I used for the Authorization Rules. For instance:

If device location = SiteA-Floor-1 then dACL = ACL_1

If device location = SiteA-Floor-3 then dACL = ACL_2

I hope this helps!

Thank you for rating helpful posts!
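The first-match authorization logic described in the reply above, and the asker's "device type + IP range" variant, modelled as an added Python example (this is not ISE code and not from either poster; the endpoint group names, the `Device-Location` values, the subnets and the dACL bodies are constructed for illustration):

```python
"""Toy first-match authorization policy in the style of an ISE authorization
policy: each rule is a condition over the attributes of one authentication
request, and the first rule that matches decides which dACL is returned.
Assumption: this is an illustration only, not the ISE policy engine."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]
Condition = Callable[[Request], bool]

# dACL bodies written the way an IOS-style downloadable ACL carries them (constructed).
DACLS: Dict[str, List[str]] = {
    "PERMIT_ANY": ["permit ip any any"],
    "DENY_ALL": ["deny ip any any"],
    "ACL_1": ["permit ip any 10.1.0.0 0.0.255.255", "deny ip any any"],
    "ACL_2": ["permit ip any 10.3.0.0 0.0.255.255", "deny ip any any"],
}
DEFAULT_DACL = "DENY_ALL"  # a default-deny final rule, as a hardened policy would end


@dataclass
class Rule:
    name: str
    condition: Condition
    dacl: str


def equals(attr: str, value: str) -> Condition:
    """Match an attribute (e.g. Device-Location, endpoint identity group) exactly."""
    return lambda req: req.get(attr) == value


def in_subnet(attr: str, cidr: str) -> Condition:
    """Match an IP-valued attribute against a subnet; unparsable or missing values never match."""
    net = ipaddress.ip_network(cidr)

    def check(req: Request) -> bool:
        value = req.get(attr)
        if value is None:
            return False
        try:
            return ipaddress.ip_address(value) in net
        except ValueError:
            return False

    return check


def all_of(*conds: Condition) -> Condition:
    """AND-combine conditions, which is how 'type of device + IP range' is expressed."""
    return lambda req: all(c(req) for c in conds)


# Rule order matters: the laptop-specific rules sit above the location-only rules.
POLICY: List[Rule] = [
    Rule("corp-laptop-vlan100",
         all_of(equals("EndpointGroup", "Corporate-Laptops"),
                in_subnet("Framed-IP-Address", "10.10.10.0/24")),
         "PERMIT_ANY"),
    Rule("corp-laptop-vlan20",
         all_of(equals("EndpointGroup", "Corporate-Laptops"),
                in_subnet("Framed-IP-Address", "20.20.20.0/24")),
         "DENY_ALL"),
    Rule("siteA-floor1", equals("Device-Location", "SiteA-Floor-1"), "ACL_1"),
    Rule("siteA-floor3", equals("Device-Location", "SiteA-Floor-3"), "ACL_2"),
]


def authorize(req: Request, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (matched rule name, dACL name) for a request; fall through to default deny."""
    for rule in policy:
        if rule.condition(req):
            return rule.name, rule.dacl
    return "default", DEFAULT_DACL


if __name__ == "__main__":
    # Constructed sample requests: the same laptop seen in two different subnets.
    for sample in (
        {"EndpointGroup": "Corporate-Laptops", "Framed-IP-Address": "10.10.10.25"},
        {"EndpointGroup": "Corporate-Laptops", "Framed-IP-Address": "20.20.20.7"},
        {"EndpointGroup": "Printers", "Device-Location": "SiteA-Floor-3"},
    ):
        name, dacl = authorize(sample)
        print(name, dacl, DACLS[dacl])
```

One caveat when copying the "IP range" part of this into a real policy: at the moment of an 802.1X or MAB authorization the endpoint often has no IP address yet, so an attribute such as Framed-IP-Address may be absent on the first Access-Request. Conditions keyed on something the switch already knows at that point (the network device group, the VLAN or the switch port) are the more reliable way to tell the two locations apart; the fallthrough to a default-deny dACL is what keeps an unmatched request from getting more access than intended.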

Hi Neno,

Thanks for the reply. Actually, this method doesn't suit me, as I have to distinguish between VLANs or IP subnets, and I can have two of the VLANs in the same location.

kr

Nic

Before I can provide any additional suggestions, you will need to outline the exact requirements :) Can you give us more details on exactly what you are trying to accomplish?

Thank you for rating helpful posts!
