redirect ACL and dACL

williamtan
Level 1

I have a list of remediation servers, which includes AD, antivirus and SCCM servers. There are more than 60 servers across all sites. I have added all server IPs to the dACL in ISE. Do I need to add all server IPs to the redirect ACL on the switch? Or do I just add the AD server IP?
6 Replies

Greg Gibbs
Cisco Employee

If the client needs to communicate with remediation servers while the session is in a redirect state (e.g. during a Posture Unknown or NonCompliant state), you will need to exempt those IP addresses from redirection in the Redirect ACL. If a DACL is also being applied by the AuthZ Profile that sends the redirect, it also needs to permit the remediation traffic.

For future reference, this document has some of the best step-by-step details on the Posture flows - https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

Cheers,

Greg

But I have stacked switches in my environment; can I configure more than 64 lines in the redirect ACL?

I wouldn't recommend it. Switches have limited TCAM compared to routers or firewalls, so we typically do not recommend ACLs or dACLs with more than 30 ACEs max. Especially if that ACL or dACL has a potential to be applied on multiple switchports at the same time.

A better option might be to use a separate remediation VLAN and/or transit ACLs on upstream routers/firewalls to restrict access.


@Greg Gibbs wrote:

If the client needs to communicate with remediation servers while the session is in a redirect state (e.g. during a Posture Unknown or NonCompliant state), you will need to exempt those IP addresses from redirection in the Redirect ACL. If a DACL is also being applied by the AuthZ Profile that sends the redirect, it also needs to permit the remediation traffic.

For future reference, this document has some of the best step-by-step details on the Posture flows - https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

True. Remember this is for port 80 services only. If the clients are communicating on other ports, then the URL redirect ACL won't have any impact.

@Jason Kunst

I'm not sure if that's 100% accurate as the redirect exemption is required for other posture ports like tcp/udp 8905 and 8909.

When working with a customer in the past, we found we had to exempt redirection for traffic like Kerberos and LDAP to allow auth comms required for JAMF as well as specific ports used by McAfee EPO.

Maybe this is dependent on the switch hardware/software version, but I would highly recommend testing the flows in a Non-Prod environment first.

Greg is correct. There is some dependency on the switch platform and releases.

In general, there are two ways to do the ACLs:

1) Use the redirect ACL only: what needs to be allowed through is defined as deny entries.

2) Use the redirect ACL and a DACL: in this case we may redirect only TCP 80 (and/or TCP 443), then use the DACL to permit the other connections. For example:

ip access-list extended ACL-POSTURE-REMEDIATION
 permit tcp any any eq www

DACL_POSTURE_REMEDIATION contains the following, where 10.1.100.21 is ISE and 10.1.129.8 is a remediation server:

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.1.100.21 eq 8443
permit tcp any host 10.1.100.21 eq 8905
permit udp any host 10.1.100.21 eq 8905
permit tcp any host 10.1.129.8 eq 80