Cisco Support Community
Community Member

dACL with static IP configuration

I want to restrict client communication based on dACLs for some Endpoint-Groups with MAB. Most of the clients are configured with DHCP, for these clients everything working fine. But there are also clients with static IP configuration and here is the problem. ISE does not know the ip address of the static configured client, so the 'source any' statement of the dACL can not be replaced with the client IP.
How is it possible to let ISE learn the static addresses and get this working?
ISE is on v1.2, IOS on switch is on 15.02.SE1
Thanks, Florian


dACL with static IP configuration

Inline Posture uses RADIUS proxy and URL redirect capabilities in the control plane to manage data plane traffic for endpoints. As a RADIUS proxy, Inline Posture is able to tap into RADIUS sessions between network access devices (NADs) and RADIUS servers. NADs can open the full gate to client traffic. However, Inline Posture opens only enough to allow limited traffic from clients. The restricted bandwidth allows clients the ability to have an agent provisioned, have posture assessed, and have remediation done. This restriction is accomplished by downloading and installing DACLs that are tailored for the specific client flow.

Please check the link below, which can be helpful in making a decision about licensing:

Community Member

dACL with static IP configuration


To start the process where you can display, create, modify, or delete policy element permissions for downloadable ACLs (DACLs), you need to locate its navigation pane in the Cisco ISE user interface. To do this, choose Policy > Policy Elements > Results > Authorization to display the Authorization navigation pane.

The Authorization navigation pane initially displays:

•Authorization Profiles

•Downloadable ACLs

•Inline Posture Node Profiles

For more information, please go through this link:


dACL with static IP configuration

A fixed IP shouldn't be an issue, as the switch detects the client IP by looking into the packets, assuming you applied the

ip device-tracking

command. You can check the client IP address with

show authentication sessions interface Fa0/x
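The check described above, as an added example that is not part of the original thread: a small Python script that parses constructed output of `show authentication sessions interface` (the sample text below is made up here in the IOS 15.x layout, not captured from the poster's switch) and flags sessions that carry a dACL but whose IP Address is still Unknown, which is exactly the case in which the switch cannot substitute the dACL's `any` source with the host address. It also renders what a dACL looks like once the IP has been learned. The ACL name, MAC and IP addresses are placeholders.

```python
import re

# Constructed sample of "show authentication sessions interface" output
# (IOS 15.x field layout). Not captured from a real switch.
# Session 1: ip device tracking has learned the host IP, so the dACL's
#            "any" source is replaced with "host 10.1.1.50".
# Session 2: a static-IP host the switch has not yet seen ARP/IP from;
#            the IP is Unknown and the dACL cannot be made host-specific.
SAMPLE_SESSIONS = """\
            Interface:  FastEthernet0/1
          MAC Address:  0011.2233.4455
           IP Address:  10.1.1.50
            User-Name:  00-11-22-33-44-55
               Status:  Authz Success
               Domain:  DATA
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-RESTRICT-PRINTERS-5a1b2c3d
    Common Session ID:  0A010101000000340B05A0F6

            Interface:  FastEthernet0/2
          MAC Address:  0011.2233.6677
           IP Address:  Unknown
            User-Name:  00-11-22-33-66-77
               Status:  Authz Success
               Domain:  DATA
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-RESTRICT-PRINTERS-5a1b2c3d
    Common Session ID:  0A010101000000350B05A0F7
"""

# Hypothetical dACL body as it would be defined in ISE (placeholder targets).
SAMPLE_DACL = [
    "permit udp any any eq domain",
    "permit ip any host 10.1.1.10",
    "deny ip any any",
]

FIELD_RE = re.compile(r"\s*([^:]+?):\s+(.*\S)\s*$")


def parse_sessions(text):
    """Split show output into one dict of 'Field: value' pairs per session.

    Sessions are separated by a blank line; lines that are not
    'Field:  value' (e.g. the 'Runnable methods list' table) are ignored.
    """
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Interface" in fields:
            sessions.append(fields)
    return sessions


def find_unlearned_hosts(sessions):
    """Sessions that were authorized with a dACL but whose IP is Unknown.

    These are the hosts for which the switch cannot rewrite the dACL's
    'any' source; on static-IP hosts this usually means ip device tracking
    is off or the host has not sent an ARP yet.
    """
    return [
        s for s in sessions
        if s.get("ACS ACL") and s.get("IP Address", "Unknown") == "Unknown"
    ]


def render_effective_dacl(dacl_lines, host_ip):
    """Show the per-session ACL the switch installs once the IP is known.

    The source field (third token of a permit/deny ACE) is 'any' in the
    dACL as written in ISE; the switch substitutes 'host <client IP>'.
    """
    out = []
    for line in dacl_lines:
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] in ("permit", "deny") and tokens[2] == "any":
            tokens[2:3] = ["host", host_ip]
        out.append(" ".join(tokens))
    return out


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    for s in find_unlearned_hosts(sessions):
        print(f"{s['Interface']} ({s['MAC Address']}): IP Unknown, "
              f"dACL {s['ACS ACL']} cannot be made host-specific")
    learned = [s for s in sessions if s["IP Address"] != "Unknown"]
    for s in learned:
        print(f"{s['Interface']}: effective ACL for {s['IP Address']}")
        for ace in render_effective_dacl(SAMPLE_DACL, s["IP Address"]):
            print("   ", ace)
```

Run it against the real `show authentication sessions interface <port>` output pasted into `SAMPLE_SESSIONS`; any session listed by `find_unlearned_hosts` is a port where the dACL is present but not yet bound to a host address, so the next things to check are that `ip device tracking` is enabled globally and that the static host has actually sent ARP traffic the switch could inspect.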

Community Member

dACL with static IP configuration

I am not very sure, but can you try this and check (instead of "any any", just give your network address)?

Define Local (Default) ACLs on the Switch

Enable these functions on older switches (with IOS releases earlier than 12.2(55)SE) to ensure Cisco ISE is able to perform the dynamic ACL updates required for authentication and authorization.

ip access-list extended ACL-ALLOW
  permit ip any any
ip access-list extended ACL-DEFAULT
  remark DHCP
  permit udp any eq bootpc any eq bootps
  remark DNS
  permit udp any any eq domain
  remark Ping
  permit icmp any any
  remark PXE / TFTP
  permit udp any any eq tftp
  remark Allow HTTP/S to ISE and WebAuth portal
  permit tcp any host <Cisco_ISE_IP_address> eq www
  permit tcp any host <Cisco_ISE_IP_address> eq 443
  permit tcp any host <Cisco_ISE_IP_address> eq 8443
  remark Drop all the rest
  deny   ip any any log
! The ACL to allow URL-redirection for WebAuth
ip access-list extended ACL-WEBAUTH-REDIRECT
  deny   ip any host <Cisco_ISE_IP_address>
  permit ip any any