New Member

dACL in the Host Mode of Multi-Authentication with ISE

Hi Folks,

I'm wondering whether a dACL can be applied per user on one port in the multi-authentication host mode. There is more than one user on one port behind a hub; is it possible to apply an ACL to each user via ISE so that they gain different access permissions? Thanks

8 REPLIES
VIP Purple

dACL in the Host Mode of Multi-Authentication with ISE

Yes, in Multi-Auth there is support for per-device dACLs, which are not available in Multi-Host mode. Just make sure that all devices share the same VLAN, as these are not allowed to be different.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
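As an added example (not from the original thread or from Cisco's documentation), here is the Catalyst IOS switchport configuration that the reply above describes, together with the contents of two per-user dACLs as they would be entered in ISE. The interface name, VLAN number, host addresses, ISE address, dACL names and the RADIUS secret are placeholders; the exact command set varies by IOS release and platform.

```text
! --- Global AAA/RADIUS: ISE address and key are placeholders ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key PLACEHOLDER
! VSA support is required so the switch accepts the cisco-av-pair carrying the dACL
radius-server vsa send authentication
dot1x system-auth-control
! dACLs need the endpoint IP: the switch rewrites the "any" source of each
! downloaded ACE to the authenticated host's address, learned via device tracking
ip device tracking

! --- Port behind the hub: multi-auth gives every MAC its own session and its own dACL ---
interface GigabitEthernet1/1
 switchport mode access
 ! all data hosts on this port must share this VLAN (placeholder number)
 switchport access vlan 100
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 spanning-tree portfast

! --- Two dACLs as defined in ISE (Policy Elements > Results > Downloadable ACLs) ---
! dACL "VDI_Finance" (placeholder name): only the finance app server, DHCP and DNS
permit tcp any host 10.10.20.5 eq 443
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
deny   ip  any any
! dACL "VDI_Guest" (placeholder name): internet only, no internal networks
deny   ip  any 10.0.0.0 0.255.255.255
permit ip  any any

! --- Verify per-session results on the switch ---
! show authentication sessions interface GigabitEthernet1/1 details
! Each MAC appears as a separate session with its own "ACS ACL" entry; a session
! with no ACS ACL means ISE returned no dACL for that identity.
```

Each ACE of a downloaded dACL is instantiated per session, so the port's ACE consumption is roughly the number of sessions multiplied by the dACL length; keep the dACLs short and push the broad restrictions into a shared policy where the platform allows it.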
New Member

dACL in the Host Mode of Multi-Authentication with ISE

Hi Karsten,

So it may be a solution for VDI users? Can I set up multi-auth on the port that connects the server hosting all the VDI virtual machines?

VIP Purple

dACL in the Host Mode of Multi-Authentication with ISE

I never thought about VDI for that, but I think that the limit of ACEs per switchport could be a problem if you don't have a quite big switch.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
New Member

dACL in the Host Mode of Multi-Authentication with ISE

The switch is a 6500 and the number of VDIs is not too many (just about 200-300). I will try that way in two days and post my result here. Thanks!

New Member

dACL in the Host Mode of Multi-Authentication with ISE

Hi Karsten,

I guess this limitation only applies to the connected data clients, not the IP phone that can be connected. I mean that should be one of the reasons to use multi-domain/ multi-auth.

cheers,

Patrick

New Member

dACL in the Host Mode of Multi-Authentication with ISE

Hi,

As mentioned above, with Multi-Authentication mode a virtually unlimited number of endpoints may be authenticated on a single switch port. MACsec is not supported in this mode.

For VDI, the below link might be a help,

http://blogs.cisco.com/borderless/using-trustsec-to-simplify-virtual-desktop-infrastructure-vdi-deployment/

New Member

dACL in the Host Mode of Multi-Authentication with ISE

Hi Anas,

Thanks for your reply. I have read this doc before. According to this doc, BYOD for VDI can be achieved with AnyConnect 3.0 and SGTs, but for now we don't have the Nexus 1000v, so we cannot tag the traffic of the virtual machines. So I think I can only try multi-auth.

New Member

dACL in the Host Mode of Multi-Authentication with ISE


If you have multiple active sessions on a single port, the profiling service issues a CoA with the Reauth option even though you have configured CoA with the Port Bounce option. This function avoids disconnecting other sessions, a situation that might occur with the Port Bounce option.

Please go through the link for the installation steps, from page 413 onward.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ug.pdf
