Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
0
Helpful
2
Replies

Who gets the dACL in ISE for this????

Admin Eastland
Level 1
Level 1

‎09-15-2013 12:56 PM - edited ‎03-10-2019 08:54 PM

I have an access ports with voice ports. Which traffic gets the dACL? Is it the data the voice, or both? What if the PC is getting it's IP through the phone switch? Currenly I have dACL's for both traffic, but I started thinking and I was not sure. By the way my Cisco IP phones in 1.2 show a very high amount of repeat auth counts....like 2-3k in a few hours...WTF?

Thanks for any suggestions.

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Muhammad Munir
Level 5
Level 5

‎09-15-2013 10:11 PM

Hi

FYI,

An authentication policy consists of the following:

• Network Access Service—This service can be one of the following:

– An allowed protocols service to choose the protocols to handle the initial request and protocol

negotiation.

– A proxy service that will proxy requests to an external RADIUS server for processing.

• Identity Source—An identity source or an identity source sequence to be used for authentication.

After installation, a default identity authentication policy will be available in Cisco ISE that will be used

for authentications. Any updates to the authentication policy will override the default settings.

The following is a list of protocols that you can choose while defining your authentication policy:

• Password Authentication Protocol (PAP)

• Protected Extensible Authentication Protocol (PEAP)

• Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2)

• Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)

• Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

• Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)

• Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS)

By default, the identity source that Cisco ISE will look up for user information is the internal users

database.

0 Helpful

Richard Atkin
Level 4
Level 4

‎09-16-2013 02:08 AM

Assuming you are authenticating the Phone and the PC independantly of each other, then you can apply a different ACL to each session should you wish.  There's a LOT of guidance around this in the SRNDs.

As for excessive phone re-authentications, could be dodgy switch software, dodgy phone software, bad config on your switch, or bad config on your ISE.  Need more info before we can guess an answer, but whatever, you're right to call it out as being abnormal.

0 Helpful
Customers Also Viewed These Support Documents