09-26-2024 09:32 PM
Hi all;
After searching the ISE admin portal, I did not find any useful content that clarifies the usage of the "time-range" operator in a dACL. Although ISE actually supports this operator, how can I use it? Does it require the existence of a "time-range" configuration on the NAD, or does ISE support defining it somewhere?
Thanks
09-27-2024 12:40 AM
Why do you want a time range in a dACL?
MHM
09-27-2024 02:28 AM - edited 10-03-2024 07:17 AM
MHM
09-27-2024 12:54 AM
Quasi-relevant $0.02: In a previous position, I once tried lab-testing time range ACLs on an ASA 5510 for the purpose of disabling customer Wi-Fi after hours. Back then, when paying $$ per GB, why have public Wi-Fi leeches when you're closed? I doubt that type of problem exists these days with corporate plans usually being straight priced for bandwidth on monthly connection rates / contracts.
Nowadays the case might be made to prevent illegal activity on public Wi-Fi when you're closed, as I'd think there would be people who might do such a thing in this day and age to mask their activities. Or what if you're open only 9-5, you're in an office building, and people whose offices work longer hours leech off your guest Wi-Fi network all night?
Food for thought (exercises),
David
09-27-2024 02:19 AM
I don't believe dACLs on IOS would support time range, but I have never tried it through ISE. Based on the 9800 WLC documentation below, dACLs only support IPs, ports, protocols, and the action. I would expect the same on the switches.
From the ISE perspective, whatever you configure in the downloadable ACL section is going to be pushed via RADIUS to the NAD, and the NAD will write it locally; this is why we use exactly the same syntax on ISE.
Time range ACLs require the time range object to be defined before it can be referenced in the ACL. From the ISE point of view, there is no place where you can configure this, as far as I'm aware. What you can try to do would be to create the time range locally on the NAD, then reference it from ISE when you create the dACL, and see if that works.
The concept behind dACLs is to apply the enforcement based on the identity connected to the network, and that enforcement will last for the whole lifecycle of that session. However, if you want to apply an enforcement that will affect the whole subnet/VLAN for the traffic passing through the firewall, such as internet traffic, then you can apply this enforcement on the firewall rather than in the dACLs.
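The reply above describes the constraint that matters here: a dACL is pushed over RADIUS and written on the NAD as an ordinary extended ACL, and the NAD only honours the action, protocol, addresses and ports in it, while a `time-range` keyword refers to an object that exists only in the NAD's local configuration. The following is an added example, not code from the thread, from ISE or from Cisco: a small pre-push linter that checks dACL text against that grammar and flags NAD-only keywords before the dACL is saved in ISE. The sample dACL contents and the `AFTERHOURS` time-range name are constructed for the example.

```python
"""Pre-push linter for ISE downloadable ACL (dACL) content.

Added example (hypothetical tool). It models the grammar a switch or WLC
applies to a dACL: <permit|deny> <protocol> <src> [ports] <dst> [ports]
[log|established]. Keywords that reference objects living only on the NAD
(for example `time-range NAME`) are reported as findings so they never
reach a session where they would be silently ineffective.
"""
import ipaddress

ACTIONS = {"permit", "deny"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "esp", "gre", "ahp", "ospf", "igmp", "pim"}
PORT_OPS = {"eq", "gt", "lt", "neq"}
TRAILERS = {"log", "established"}
# Keywords that bind the ACE to state that exists only on the NAD.
NAD_ONLY = {"time-range", "reflect", "evaluate"}

# Constructed sample dACLs (not from the thread).
SAMPLE_DACL_CLEAN = (
    "permit udp any any eq 53\n"
    "deny icmp any host 192.168.10.11\n"
    "permit ip any any\n"
)
SAMPLE_DACL_TIME_RANGE = (
    "deny icmp any host 192.168.10.11 time-range AFTERHOURS\n"
    "permit ip any any\n"
)


def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _is_port(tok):
    return tok.isdigit() and 0 <= int(tok) <= 65535


def _parse_address(tok, i):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D WILDCARD)."""
    if i >= len(tok):
        return None
    if tok[i] == "any":
        return i + 1
    if tok[i] == "host":
        return i + 2 if i + 1 < len(tok) and _is_ipv4(tok[i + 1]) else None
    if i + 1 < len(tok) and _is_ipv4(tok[i]) and _is_ipv4(tok[i + 1]):
        return i + 2
    return None


def _parse_ports(tok, i, proto):
    """Consume an optional port clause; only valid for tcp/udp."""
    if i >= len(tok):
        return i
    if tok[i] in PORT_OPS:
        if proto not in ("tcp", "udp"):
            return None
        return i + 2 if i + 1 < len(tok) and _is_port(tok[i + 1]) else None
    if tok[i] == "range":
        if proto not in ("tcp", "udp"):
            return None
        ok = i + 2 < len(tok) and _is_port(tok[i + 1]) and _is_port(tok[i + 2])
        return i + 3 if ok else None
    return i  # no port clause present


def lint_dacl(text):
    """Return a list of (line_number, message); an empty list means clean."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.lower().split()
        if tok[0] == "remark":
            continue
        if tok[0] not in ACTIONS:
            findings.append((n, f"line must start with permit/deny, got '{tok[0]}'"))
            continue
        if len(tok) < 2 or not (tok[1] in PROTOCOLS or tok[1].isdigit()):
            findings.append((n, "missing or unknown protocol"))
            continue
        proto = tok[1]
        i = _parse_address(tok, 2)
        i = _parse_ports(tok, i, proto) if i is not None else None
        i = _parse_address(tok, i) if i is not None else None
        i = _parse_ports(tok, i, proto) if i is not None else None
        if i is None:
            findings.append((n, "malformed source/destination or port clause"))
            continue
        while i < len(tok):
            if tok[i] in NAD_ONLY:
                findings.append((n, f"'{tok[i]}' references an object that only exists "
                                    "on the NAD; a dACL cannot carry it"))
                i += 2  # keyword plus its argument
            elif tok[i] in TRAILERS:
                i += 1
            else:
                findings.append((n, f"unrecognized token '{tok[i]}'"))
                break
    return findings


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_DACL_CLEAN), ("time-range", SAMPLE_DACL_TIME_RANGE)):
        print(name, lint_dacl(sample) or "OK")
```

The linter accepts only what the NAD will actually enforce from a downloaded ACE, so a `time-range` reference is rejected at authoring time rather than discovered, as in this thread, by watching connectivity not come back when the range goes inactive.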
09-28-2024 01:54 AM
Thanks for your reply;
@Aref Alsouqi wrote: I don't believe dACLs on IOS would support time range but I have never tried it through ISE.
I will check it and come back with the result...
Thanks
10-01-2024 02:43 AM
Interesting, then I think you can just create the time range object on the NAD, and then reference it in the dACL. It would really be interesting to know if it worked for you :D
10-06-2024 01:25 AM - edited 10-06-2024 01:26 AM
Configured a dACL like this:
This is the result of the applied dACL:
After applying the dACL and double-checking the state of the time-range configuration, as you can see above, there is no "time-range" limitation applied in the output of the applied dACL on the user/machine session. "192.168.10.10" is the IP address of the testing machine and "192.168.10.11" is the IP address of the tested one.
This is the time-range I have defined:
When the time-range was active, I lost ICMP connectivity to the target machine (as expected), but when it became inactive, the connectivity problem was not resolved... Based on my findings, the dACL on the 2960X (at least) does not support the "time-range" operator...
I use a Cisco Catalyst 2960X with the latest Cisco IOS recommendation.