Send a DACL to switch for non-domain device?

Dustin Anderson
VIP Alumni

OK, we use an unauth ACL on switches and send back to use the auth ACL on proper 802.1x verification.

Now, this is annoying to maintain and change and they wanted to see about moving this to ISE. My issue is that if the PC can't be verified, it never runs through the rules. How do I send the unauth as a DACL if the PC can't be verified?

Accepted Solutions

kthiruve
Cisco Employee

Hi Dustin,

You can control the initial traffic with interface ACLs and use a DACL after authentication.

If you are using services such as Guest, BYOD as part of url-redirect acl, you can open other traffic using this.

And then after a change of authorization you can send a final DACL.

So there are a couple of ways to handle this.

Thanks

Krishnan


OK, so there is no way to get away from an interface ACL. Thought was to block traffic, system comes on and gets a limited access DACL, then if authorized would get the final DACL.

Main reason is systems when imaging are not on the domain, so fail auth at first.

Anyway, just toying around and they were asking about getting the ACL off the switch since they have to force reauth if they change it.

Dustin,

You can use Auto Smartports on the switch for this, so that you don't have to do it per interface. You can try out interface templates as well. These are switch related configuration. Here is a link to it FYI.

http://www.cisco.com/c/en/us/td/docs/switches/lan/auto_smartports/12-2_55_se/configuration/guide/asp_cg.pdf

Also you can use the Network Access: Auth fail attribute for failed authentication in the authorization policy and limit access.

Thanks

Krishnan
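The pattern Krishnan describes (a static pre-auth port ACL, dot1x with MAB fallback so the non-domain imaging hosts still hit an ISE authorization rule, and the final DACL arriving after authentication or CoA) as an added switch-side illustration, not configuration from this thread or from Cisco. It assumes IOS 15-style `radius server` syntax; the ISE address, shared secret, ACL name, VLAN and interface are placeholders.

```cisco
! Added illustration, not from the thread. Addresses, names, VLAN and the
! shared secret are placeholders; adapt them to your environment.
!
! Global RADIUS/ISE plumbing (dynamic-author is what lets ISE push the final DACL via CoA)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
aaa server radius dynamic-author
 client 192.0.2.10 server-key PLACEHOLDER-SHARED-SECRET
!
! Static pre-auth ACL applied on the port. This is the "unauth" ACL that
! stays on the switch; ISE cannot replace it before any authorization.
! Once ISE returns a DACL, the DACL takes over for that session.
ip access-list extended PRE-AUTH
 remark allow DHCP/DNS and reachability to the ISE PSN before authorization
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any host 192.0.2.10
 deny ip any any
!
! Port config: dot1x first, fall back to MAB so imaging hosts that are not
! on the domain still reach an ISE authorization rule instead of being dropped.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! On ISE (not switch config): an authorization rule matching
! Network Access:AuthenticationStatus EQUALS AuthenticationFailed
! (or the endpoint group the imaging hosts land in via MAB) returns the
! limited DACL; the normal 802.1X rule returns the full DACL after auth/CoA.
```

With a port ACL in place the switch no longer needs per-interface edits when access rules change: updating the DACL on ISE and issuing a CoA re-pushes it to the affected sessions.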