ISE Pre-Auth ACL vs No Pre-Auth ACL

zsmithtek
Level 1

A quick question about Pre-Auth ACLs.

I'm currently deploying ISE 2.4 for wired 802.1x/MAB.  I do NOT have 'authentication open' on the switchports.  I do have a monitor mode MAB policy to permit access on the default authZ rule for now until I get all my profiles identified and whatnot.  I will deploy TrustSec after I get the profiling process completed.

My question is this.  If I do NOT have a pre-auth ACL, does this mean the clients have NO access or ALL access while authenticating?  I have 802.1x/MAB priority and order on the switchports.  Is the Pre-Auth ACL a must-have?  What are the use cases for having/not having one, and what access do the clients get depending on whether the ACL exists or not?

Thanks for your help.

2 Replies

Without "authentication open" you are running "closed mode" and the switchport will only allow EAP packets and no user packets. You need the ACL if you want to operate your switchports in "low-impact mode", which you quite likely want. But you would not start with it from the beginning. You typically begin with monitor mode ("authentication open", no Pre-Auth-ACL, and ISE does not send any ACL to the switch) and move later to low-impact mode ("authentication open", a Pre-Auth-ACL, and ISE replaces the ACL with the right one depending on the device/user).
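To make the three modes from the reply concrete, here is an added Cisco IOS configuration example (not the poster's config, not from the reply, and not a Cisco reference template) showing one access port in each mode side by side. Interface names, VLAN 10, the ACL name PRE-AUTH and the permitted pre-auth protocols are assumptions; the global AAA/RADIUS configuration pointing at ISE is assumed to already exist and is omitted.

```cisco
! --- Closed mode (what the question describes): no "authentication open",
!     no pre-auth ACL. Until 802.1X or MAB succeeds the port forwards only
!     EAPOL frames; DHCP, DNS and all other client traffic is dropped.
interface GigabitEthernet1/0/1
 description closed-mode example (constructed)
 switchport mode access
 switchport access vlan 10
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! --- Monitor mode: "authentication open", no pre-auth ACL, and ISE returns
!     no dACL. All traffic is forwarded before and after authentication;
!     the switch and ISE only observe and log. Used while profiling endpoints.
interface GigabitEthernet1/0/2
 description monitor-mode example (constructed)
 switchport mode access
 switchport access vlan 10
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! --- Low-impact mode: "authentication open" plus a pre-auth ACL on the port.
!     Before authentication only what PRE-AUTH permits gets through; after
!     authentication the dACL that ISE returns replaces it per device/user.
ip access-list extended PRE-AUTH
 remark constructed example: let an unauthenticated client get an address and resolve names
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
interface GigabitEthernet1/0/3
 description low-impact-mode example (constructed)
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

The difference between the ports is only `authentication open` and `ip access-group PRE-AUTH in`; the 802.1X/MAB order and priority lines are identical in all three. To confirm which ACL is actually in force on a session, `show authentication sessions interface GigabitEthernet1/0/3 details` lists the applied ACL (the pre-auth ACL before authentication, the ISE dACL after), and `show ip access-lists PRE-AUTH` hit counters show what unauthenticated clients are attempting. On classic IOS, dACLs from ISE additionally require `ip device tracking` to be enabled so the switch can populate the dACL with the client's IP address.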
