08-23-2012 05:13 PM - edited 03-10-2019 07:27 PM
Hello once again,
I'm puzzled over the note that I found at
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html#wp1136540
Namely the one that says:
The Name and DACL Content fields require that values be entered and are marked with an asterisk (*).
How would I interpret it? What's the proper syntax to create a DACL?
I created my own one the way I would do it in ACS, i.e.
ip:inacl#1=permit udp any host 192.168.1.100 eq 53
ip:inacl#1=deny ip any 192.168.1.0 255.255.255.0
ip:inacl#2=permit ip any any
But it doesn't work when I apply it to the authorization profile.
08-23-2012 05:42 PM
You do not have to prepend the acl, ise will do that automatically.
Permit udp any host 192.168.1.100 eq 53....is the proper format.
08-23-2012 05:54 PM
Thanks, Tarik,
What's this asterisk (*) about?
I still don't have any luck with applying this DACL. Tried to see the authentication/authorization sequence to find whether it gets applied via the authorization profile but it doesn't show me anything.
The attribute details showing under the authorization profile are as follows:
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:15
Tunnel-Type=1:13
Tunnel-Medium-Type=1:6
DACL = Internet_only
And the DACL looks like this:
permit udp any host 192.168.1.100 eq 53
deny ip any 192.168.1.0 255.255.255.0
permit ip any any
08-23-2012 05:59 PM
It's to let you know that the fields are mandatory.
Thanks,
Tarik Admani
08-23-2012 06:00 PM
OK, what's wrong with the rule then?
08-23-2012 06:08 PM
Enter the wildcard not the mask.
08-23-2012 06:11 PM
Like this:
deny ip any 192.168.1.*
or
deny ip any 192.168.1.0 *
Why can't I find any examples in Cisco docs?
08-23-2012 06:20 PM
No
0.0.0.255
Thanks
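A small checker for the two mistakes discussed in this thread: the ACS-style ip:inacl#N= prefix (which ISE prepends itself) and a subnet mask where ISE expects a wildcard. This is an added example, not code from the thread or from Cisco; the input lines are the poster's reconstructed entries, and the check is a generic linter, not ISE's own validation.

```python
import ipaddress
import re

# Constructed input: the poster's dACL as written in ACS style.
ACS_STYLE_DACL = """\
ip:inacl#1=permit udp any host 192.168.1.100 eq 53
ip:inacl#1=deny ip any 192.168.1.0 255.255.255.0
ip:inacl#2=permit ip any any
"""

PREFIX_RE = re.compile(r"^ip:inacl#\d+=")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_subnet_mask(octets: str) -> bool:
    """True if the dotted quad is a contiguous subnet mask (255.255.255.0), not a wildcard."""
    value = int(ipaddress.IPv4Address(octets))
    # A subnet mask has its 1-bits on the left, so its complement is of the form 2^n - 1.
    inverted = (~value) & 0xFFFFFFFF
    return value != 0 and (inverted & (inverted + 1)) == 0


def normalize_dacl_line(line: str) -> tuple[str, list[str]]:
    """Return the line in ISE dACL form plus a list of the corrections applied."""
    notes = []
    stripped = line.strip()
    if PREFIX_RE.match(stripped):
        stripped = PREFIX_RE.sub("", stripped)
        notes.append("dropped ip:inacl#N= prefix (ISE prepends it itself)")
    tokens = stripped.split()
    # Find "<address> <mask>" pairs and replace a subnet mask with its wildcard.
    for i in range(len(tokens) - 1):
        if IPV4_RE.match(tokens[i]) and IPV4_RE.match(tokens[i + 1]) and is_subnet_mask(tokens[i + 1]):
            mask = ipaddress.IPv4Address(tokens[i + 1])
            wildcard = ipaddress.IPv4Address(int(mask) ^ 0xFFFFFFFF)
            notes.append(f"replaced subnet mask {mask} with wildcard {wildcard}")
            tokens[i + 1] = str(wildcard)
    return " ".join(tokens), notes


def normalize_dacl(text: str) -> list[tuple[str, list[str]]]:
    """Normalize every non-empty line of a dACL body."""
    return [normalize_dacl_line(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for fixed, notes in normalize_dacl(ACS_STYLE_DACL):
        print(fixed, ("  # " + "; ".join(notes)) if notes else "")
```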
08-24-2012 08:37 AM
Still no luck with DACL. Had to use an ACL configured on the WLC and push the name of this ACL from ISE.
08-24-2012 08:40 AM
Sorry about that, WLCs do not support the dACL feature; this is for switches and ASAs that support the dACL feature. I assumed you were wanting this for wired.
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html
Here is the note that mentions this in the release notes:
Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. WLCs prior to release 7.0.116.0 do not support CoA and require deployment of an ISE Inline Posture Node to support posture services. Use of Inline Posture Node requires WLC version 7.0.98 or later. Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support. Profiling services are currently supported for 802.1X-authenticated WLANs only on the WLC with CoA support. HREAP is not supported. WLCs do not currently support MAC Authentication Bypass (MAB).
thanks,
Tarik Admani
*Please rate helpful posts*
08-24-2012 08:47 AM
Thank you, Tarik.
Would it be too impudent if I asked you about the issue I ran into on the WLC in conjunction with ISE and dot1x, or should I post it in the Wireless section?
08-25-2012 11:59 PM
Not a problem, tell me what you are having issues with.
Tarik Admani
*Please rate helpful posts*