Dynamic ACL used by NAC solution seems to work inverted

dvangyzeghem
Level 1

The ACL below is configured on a Cisco switch but not attached to anything on the Cisco switch.

The NAC will use this ACL as a dynamic ACL to secure the switchports when a client connects to it.

The result in the tests is the opposite of what you would expect.

The deny lines will be permitted and permit any any will block all the rest.

When you add something else with a deny statement in the list, it will also be permitted.

Does anybody have any idea why?

 

The following link describes what we had to do on the NAC solution to make the function work, and there the inverted ACL is used, but it is not explained why.

https://community.arubanetworks.com/t5/Security/Cisco-URL-Redirect/td-p/202713

ip access-list extended Onboard_ACL
deny udp any any eq bootpc
deny udp any any eq bootps
deny tcp any host 10.233.128.15
deny tcp any host 10.233.128.13
deny tcp any host 10.233.128.14
deny udp any any eq domain
permit ip any any

Thank you
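
The ACL from the post, modelled in Python as an added example (this is not code from the post, nor from Aruba or Cisco): `evaluate()` walks the entries first-match; with `inverted=False` it applies normal Cisco ACL semantics, with `inverted=True` it flips each matched action to reproduce the behaviour the poster observed, so both readings can be compared for the same flows. The sample flows and the 198.51.100.10 address are constructed.

```python
from ipaddress import ip_address, ip_network
# Constructed copy of the ACL posted above (not a live device config).
ONBOARD_ACL = """\
deny udp any any eq bootpc
deny udp any any eq bootps
deny tcp any host 10.233.128.15
deny tcp any host 10.233.128.13
deny tcp any host 10.233.128.14
deny udp any any eq domain
permit ip any any
""".splitlines()

# Well-known port names IOS accepts in 'eq' clauses; only those used above.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53}

def parse_ace(line):
    """Parse one 'action proto any <any|host X> [eq PORT]' entry into a dict."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[3:]   # toks[2] is the 'any' source
    if rest[0] == "host":
        dst, rest = ip_network(rest[1] + "/32"), rest[2:]
    else:
        dst, rest = ip_network("0.0.0.0/0"), rest[1:]
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "dst": dst, "dport": dport}

def ace_matches(ace, proto, dst, dport):
    """True if a packet (proto, destination address, destination port) hits this entry."""
    if ace["proto"] not in ("ip", proto) or ip_address(dst) not in ace["dst"]:
        return False
    return ace["dport"] is None or ace["dport"] == dport

def evaluate(acl, proto, dst, dport, inverted=False):
    """First-match walk; inverted=True flips each matched action, as the poster observed."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, proto, dst, dport):
            permitted = ace["action"] == "permit"
            return (not permitted) if inverted else permitted
    return False  # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    # Constructed flows: DHCP discover, TCP to one of the listed hosts, DNS, web to an outside host.
    flows = [("udp", "255.255.255.255", 67), ("tcp", "10.233.128.15", 443),
             ("udp", "10.0.0.53", 53), ("tcp", "198.51.100.10", 443)]
    for proto, dst, dport in flows:
        print(f"{proto} -> {dst}:{dport}  standard={evaluate(ONBOARD_ACL, proto, dst, dport)}"
              f"  observed={evaluate(ONBOARD_ACL, proto, dst, dport, inverted=True)}")
```

Under the observed reading only DHCP, DNS and TCP to the three listed hosts get through and everything else is blocked; under the standard reading it is exactly the reverse.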

1 Reply

Giuseppe Larosa
Hall of Fame

Hello dvangyzeghem,

You are using an Aruba NAC solution, likely ClearPass.

The way this ACL works, reverting the deny statements into permits, depends on a specific interaction with the NAC server.

I mean I am not sure this is a general behaviour that you could see if using a Cisco ISE as the NAC server.

Hope to help

Giuseppe