11-22-2019 07:00 AM
A quick question about Pre-Auth ACLs.
I'm currently deploying ISE 2.4 for wired 802.1x/MAB. I do NOT have 'authentication open' on the switchports. I do have a monitor mode MAB policy to permit access on the default authZ rule for now until I get all my profiles identified and whatnot. I will deploy TrustSec after I get the profiling process completed.
My question is this. If I do NOT have a pre-auth ACL, does this mean the clients have NO access or ALL access while authenticating? I have 802.1x/MAB priority and order on the switchports. Is the Pre-Auth ACL a must-have? What are the use cases for having or not having one, and what access do the clients get depending on whether the ACL exists or not?
Thanks for your help.
11-24-2019 03:30 AM
Without "authentication open" you are running "closed mode" and the switchport will only allow EAP packets and no user packets. You need the ACL if you want to operate your switchports in "low-impact mode", which is quite likely what you want. But you would not start with it from the beginning. You typically begin with monitor mode ("authentication open", no Pre-Auth ACL, and ISE does not send any ACL to the switch) and move later to low-impact mode ("authentication open", Pre-Auth ACL, and ISE replaces the ACL with the right one depending on the device/user).
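To make the three modes in the answer above concrete, here is an added Cisco IOS configuration example; it is not from the original thread or from Cisco documentation, and it assumes the classic "authentication ..." interface syntax (not IBNS 2.0 policy maps), a RADIUS server already defined, and hypothetical names and values (interface Gi1/0/1, VLAN 10, ACL PRE-AUTH, the downloadable ACL name PERMIT-ALL-DACL). The ACL name and contents are constructed for illustration.

```cisco
! --- Global prerequisites (assumed, not from the thread) ---
! "aaa authorization network" is what lets the switch accept and apply
! the dACL that ISE returns in the Access-Accept; without it the port
! keeps whatever static ACL is on the interface.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
! On pre-15.2 IOS the dACL is applied per IP, so device tracking is needed
ip device tracking

! --- Pre-Auth ACL for low-impact mode (constructed example) ---
! Before the session is authorized, only bootstrap traffic is allowed:
! DHCP, DNS and TFTP (for PXE/thin clients). Everything else is dropped
! until ISE overrides this ACL with a dACL for the authenticated session.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 deny   ip any any

! --- Closed mode: what the original poster has today ---
! No "authentication open", no ACL: the port forwards only EAPOL until
! the session succeeds. A failed or unauthenticated client gets nothing.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

! --- Monitor mode: the recommended starting point ---
! "authentication open" forwards ALL user traffic regardless of the
! authentication result, and no ACL is applied. Nothing is enforced; the
! only value is the visibility ISE gains (profiling, RADIUS live logs).
interface GigabitEthernet1/0/1
 authentication open
 ! no "ip access-group" here; ISE authZ profiles return no dACL

! --- Low-impact mode: monitor mode plus the Pre-Auth ACL ---
! "authentication open" still forwards frames, but the static ACL now
! limits pre-authorization traffic to DHCP/DNS/TFTP. Once ISE authorizes
! the session it pushes a dACL that replaces PRE-AUTH for that endpoint.
interface GigabitEthernet1/0/1
 authentication open
 ip access-group PRE-AUTH in

! --- What ISE returns on success (conceptual, hypothetical dACL name) ---
! In the ISE authorization profile, a downloadable ACL such as
! PERMIT-ALL-DACL ("permit ip any any") is attached to the default rule
! during the rollout, so an authorized endpoint gets full access while
! an unknown or failed endpoint is still held to PRE-AUTH.
```

A quick check after applying either mode is "show authentication sessions interface GigabitEthernet1/0/1 details" (or "show access-session ... details" on newer IOS), which lists the session state and the ACL currently in effect: in low-impact mode you should see PRE-AUTH before authorization and the ISE-pushed dACL afterwards.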