How to create a custom DACL in ISE

zheka_pefti
Level 2

Hello once again,

I'm puzzled over the note that I found at

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html#wp1136540

Namely the one that says:

The Name and DACL Content fields require that values be entered and are marked with an asterisk (*).

How would I interpret it? What's the proper syntax to create a DACL?

I created my own one the way I would do it in ACS, i.e.

ip:inacl#1=permit udp any host 192.168.1.100 eq 53

ip:inacl#1=deny ip any 192.168.1.0 255.255.255.0

ip:inacl#2=permit ip any any

But it doesn't work when I apply it to the authorization profile


11 Replies

Tarik Admani
VIP Alumni

You do not have to prepend the ACL; ISE will do that automatically.

permit udp any host 192.168.1.100 eq 53 ... is the proper format.

Thanks, Tarik,

What's this asterisk (*) about?

I still don't have any luck with applying this DACL. I tried to look at the authentication/authorization sequence to find out whether it gets applied via the authorization profile, but it doesn't show me anything.

The attribute details showing under the authorization profile are as follows:

Access Type = ACCESS_ACCEPT

Tunnel-Private-Group-ID = 1:15

Tunnel-Type=1:13

Tunnel-Medium-Type=1:6

DACL = Internet_only

And the DACL looks like this:

permit udp any host 192.168.1.100 eq 53

deny ip any 192.168.1.0 255.255.255.0

permit ip any any

It's to let you know that the fields are mandatory.

Thanks,

Tarik Admani

OK, what's wrong with the rule then?

Enter the wildcard not the mask.

Like this:

deny ip any 192.168.1.*

or

deny ip any 192.168.1.0 *

Why can't I find any examples in the Cisco docs?

No

0.0.0.255

Thanks
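Added example, not code from the thread or from Cisco: a small Python helper that rewrites ACS-style dACL lines into the form the thread says ISE expects, stripping the `ip:inacl#N=` prefix that ISE prepends itself and turning a subnet mask such as 255.255.255.0 into the wildcard 0.0.0.255 the DACL Content field requires. The function names and the sample dACL are constructed for this example.

```python
import ipaddress
import re

# ACS-style entries carry this prefix; per the thread, ISE adds it itself when
# it pushes the dACL, so the dACL content field must not contain it.
PREFIX_RE = re.compile(r"^ip:inacl#\d+=")
DOTTED_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def is_subnet_mask(text):
    """True for a contiguous subnet mask (255.255.255.0) as opposed to a wildcard.

    0.0.0.0 and 255.255.255.255 read validly either way, so they are reported
    as not-a-subnet-mask and left untouched rather than guessed at."""
    if not DOTTED_RE.match(text):
        return False
    value = int(ipaddress.IPv4Address(text))
    if value in (0, 0xFFFFFFFF):
        return False
    inverted = value ^ 0xFFFFFFFF               # wildcard form of the same mask
    return (inverted & (inverted + 1)) == 0     # wildcard must be 0...01...1

def to_wildcard(mask):
    """Invert a dotted subnet mask into the wildcard the ISE dACL field expects."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))

def normalise_line(line):
    """Convert one ACS-style dACL line into ISE dACL-content form."""
    tokens = PREFIX_RE.sub("", line.strip()).split()
    for i in range(1, len(tokens)):
        # an address followed by a subnet mask becomes address + wildcard
        if DOTTED_RE.match(tokens[i - 1]) and is_subnet_mask(tokens[i]):
            tokens[i] = to_wildcard(tokens[i])
    return " ".join(tokens)

def normalise_dacl(text):
    """Normalise a whole dACL, dropping blank lines."""
    return "\n".join(normalise_line(l) for l in text.splitlines() if l.strip())

# Constructed sample: the three ACS-style lines from the question above.
SAMPLE = """\
ip:inacl#1=permit udp any host 192.168.1.100 eq 53
ip:inacl#1=deny ip any 192.168.1.0 255.255.255.0
ip:inacl#2=permit ip any any
"""

if __name__ == "__main__":
    print(normalise_dacl(SAMPLE))
```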

Still no luck with the DACL. I had to use an ACL configured on the WLC and push the name of this ACL from ISE.

Sorry about that, WLCs do not support the DACL feature; this is for switches and ASAs that support the DACL feature. I assumed you were wanting this for wired.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html

Here is the note that mentions this in the release notes:

Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. WLCs prior to release 7.0.116.0 do not support CoA and require deployment of an ISE Inline Posture Node to support posture services. Use of Inline Posture Node requires WLC version 7.0.98 or later. Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support. Profiling services are currently supported for 802.1X-authenticated WLANs only on the WLC with CoA support. HREAP is not supported. WLCs do not currently support MAC Authentication Bypass (MAB).

thanks,

Tarik Admani
*Please rate helpful posts*

Thank you, Tarik.

Wouldn't it be super impudent if I asked you about the issue I ran into on the WLC in conjunction with ISE and dot1x, or should I post it in the Wireless section?

Not a problem, tell me what you are having issues with.

Tarik Admani
*Please rate helpful posts*
