cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
262
Views
0
Helpful
1
Replies
Beginner

Cisco ISE AuthZ profile dACL question

Hi all -  I would like verification or correction on how I have come to understand dACLs are used in ISE:

 

- dACL's are only used for the "Access-Accept" access type. 

- If a client fails authentication, it is bound by the port default port ACL on the switch. (no "deny all" or other dACL is downloaded).

 

So, a couple questions:

 

- what is the purpose of the "Access-Reject" access type for wired clients since the switch port ACL is the default?

- why is there an option to choose a dACL for the "Access-Reject" access type?

 

Thanks,

 

Chris Kaufman

1 REPLY 1
Highlighted

hi Chris,

hi Chris,

- there is such an option because it was probably easier for programmers to impelemnt it :) (less work)

- switch port ACL is in effect only when "authentication open" is on it. without it u don't allow any traffic except EAP,

important thing to remember is that this command tells the switch to ignore ACCESS-REJECT packets from the ISE, thats why MONITOR-MODE works in a first place

LOW-IMPACT mode works according to above rule as well but u limit traffic with port ACL