1131 Views · 0 Helpful · 1 Replies

How to block RDP to endpoint with DACL from ISE

Tim Baum
Cisco Employee

Is there a way to craft a DACL that blocks RDP sessions to an endpoint that is authenticated with ISE? The customer needs to block RDP going to certain workstations based on their login and authorization from ISE.

Thanks

1 Reply

jan.nielsen
Level 7

Hmm, ACLs on switches with dot1x are only used for inbound traffic as seen from the switch's perspective, and they are also stateless. I suppose you could block it by blocking traffic from the endpoint with 3389 as the source port, which would be the response packet from the endpoint when someone tries to connect to it on port 3389 (RDP). On wireless you can do outbound ACLs as well as inbound in the same ACL, so you can just block 3389 connections in the outbound direction. For switches the DACL is created and sent from ISE with your authorization profile; for wireless the ACL has to be created on the WLC, and only its name is sent from ISE.

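As an added example (not from the original thread or from Cisco), here is the wired DACL content the reply describes, written in the Cisco IOS extended-ACL syntax that ISE pushes with the authorization profile. The `remark` lines are explanatory; the switch applies the ACL inbound on the endpoint's port, so only endpoint-sourced packets are evaluated:

```text
remark Applied inbound on the endpoint's port: only packets sourced by the endpoint are matched
remark Drop the endpoint's replies (SYN-ACK) to incoming RDP so no RDP session to it can complete
deny   tcp any eq 3389 any
remark RDP the endpoint initiates outbound has an ephemeral source port, so it is unaffected
permit ip any any
```

Because the ACL is stateless, this only works because the listening side of RDP answers from port 3389; on the switch, confirm the pushed ACL with `show access-session interface <port> details` (or `show authentication sessions interface <port> details` on older IOS).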