Hi, I want to restrict client communication based on dACLs for some Endpoint-Groups with MAB. Most of the clients are configured with DHCP; for these clients everything is working fine. But there are also clients with static IP configuration, and here is the problem. ISE does not know the IP address of the statically configured client, so the 'source any' statement of the dACL cannot be replaced with the client IP. How is it possible to let ISE learn the static addresses and get this working? ISE is on v1.2, IOS on the switch is on 15.02.SE1. Thanks, Florian
Inline Posture uses RADIUS proxy and URL redirect capabilities in the control plane to manage data plane traffic for endpoints. As a RADIUS proxy, Inline Posture is able to tap into RADIUS sessions between network access devices (NADs) and RADIUS servers. NADs can open the full gate to client traffic. However, Inline Posture opens only enough to allow limited traffic from clients. The restricted bandwidth gives clients the ability to have an agent provisioned, have posture assessed, and have remediation done. This restriction is accomplished by downloading and installing DACLs that are tailored for specific client flow.
Please check the link below, which can be helpful in making a decision about licensing:
To start the process where you can display, create, modify, or delete policy element permissions for downloadable ACLs (DACLs), you need to locate its navigation pane in the Cisco ISE user interface. To do this, choose Policy > Policy Elements > Results > Authorization to display the Authorization navigation pane.
The Authorization navigation pane initially displays:
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...