Cisco Support Community
New Member

How to create a custom DACL in ISE

Hello once again,

I'm puzzled over the note that I found at

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html#wp1136540

Namely the one that says:

The Name and DACL Content fields require that values be entered and are marked with an asterisk (*).

How would I interpret it? What's the proper syntax to create a DACL?

I created my own one the way I would do it in ACS, i.e.

ip:inacl#1=permit udp any host 192.168.1.100 eq 53

ip:inacl#1=deny ip any 192.168.1.0 255.255.255.0

ip:inacl#2=permit ip any any

But it doesn't work when I apply it to the authorization profile.

11 REPLIES

How to create a custom DACL in ISE

You do not have to prepend the ACL; ISE will do that automatically.

permit udp any host 192.168.1.100 eq 53 ... is the proper format.

Tarik Admani *Please rate helpful posts*
New Member

Re: How to create a custom DACL in ISE

Thanks, Tarik,

What's this asterisk (*) about?

I still don't have any luck with applying this DACL. Tried to see the authentication/authorization sequence to find whether it gets applied via the authorization profile but it doesn't show me anything.

The attribute details showing under the authorization profile are as follows:

Access Type = ACCESS_ACCEPT

Tunnel-Private-Group-ID = 1:15

Tunnel-Type=1:13

Tunnel-Medium-Type=1:6

DACL = Internet_only

And the DACL looks like this:

permit udp any host 192.168.1.100 eq 53

deny ip any 192.168.1.0 255.255.255.0

permit ip any any

Re: How to create a custom DACL in ISE

It's to let you know that the fields are mandatory.

Thanks,

Tarik Admani

Tarik Admani *Please rate helpful posts*
New Member

How to create a custom DACL in ISE

OK, what's wrong with the rule then?

How to create a custom DACL in ISE

Enter the wildcard not the mask.

Tarik Admani *Please rate helpful posts*
New Member

How to create a custom DACL in ISE

Like this:

deny ip any 192.168.1.*

or

deny ip any 192.168.1.0 *

Why can't I find any examples in Cisco docs?

How to create a custom DACL in ISE

No

0.0.0.255

Thanks

Tarik Admani *Please rate helpful posts*
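As an added example (not code from any poster in this thread), here is a small Python checker that rewrites the ACS-style lines from the original post into the form Tarik describes: it strips the ip:inacl#N= prefix and converts a subnet mask such as 255.255.255.0 after a network address into the wildcard 0.0.0.255. The sample input is constructed from the post; 255.255.255.255 is deliberately left alone because, as a wildcard, it legitimately means "any".

```python
import ipaddress
import re

# Constructed sample: the ACS-style lines from the original post, which ISE rejects.
ACS_STYLE_DACL = """\
ip:inacl#1=permit udp any host 192.168.1.100 eq 53
ip:inacl#1=deny ip any 192.168.1.0 255.255.255.0
ip:inacl#2=permit ip any any
"""

PREFIX_RE = re.compile(r"^ip:inacl#\d+=", re.IGNORECASE)
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")
ALL_ONES = 0xFFFFFFFF


def looks_like_subnet_mask(token: str) -> bool:
    """True for a contiguous run of 1-bits then 0-bits with the top bit set (e.g. 255.255.255.0).

    0.0.0.0 and 255.255.255.255 are excluded: as wildcards they mean 'host' and 'any'."""
    if not IPV4_RE.match(token):
        return False
    bits = int(ipaddress.IPv4Address(token))
    if bits == 0 or bits == ALL_ONES or not bits & 0x80000000:
        return False
    inverted = bits ^ ALL_ONES
    return (inverted & (inverted + 1)) == 0  # inverted form is 0...01...1, so contiguous


def to_wildcard(mask: str) -> str:
    """Invert a subnet mask into the wildcard mask ISE expects (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ ALL_ONES))


def normalize_dacl_line(line: str) -> str:
    """Return one ISE-style ACE: no ip:inacl#N= prefix, wildcard masks after network addresses."""
    tokens = PREFIX_RE.sub("", line.strip()).split()
    for i in range(1, len(tokens)):
        prev, tok = tokens[i - 1], tokens[i]
        after_host = i >= 2 and tokens[i - 2].lower() == "host"  # 'host A.B.C.D' takes no mask
        if IPV4_RE.match(prev) and not after_host and looks_like_subnet_mask(tok):
            tokens[i] = to_wildcard(tok)
    return " ".join(tokens)


def normalize_dacl(text: str) -> list[str]:
    """Normalize every non-empty line of a DACL body."""
    return [normalize_dacl_line(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for ace in normalize_dacl(ACS_STYLE_DACL):
        print(ace)
```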
New Member

How to create a custom DACL in ISE

Still no luck with DACL. Had to use an ACL configured on the WLC and push the name of this ACL from ISE.

How to create a custom DACL in ISE

Sorry about that, WLCs do not support the DACL feature; this is for switches and ASAs that support the DACL feature. I assumed you were wanting this for wired.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html

Here is the note that mentions this in the release notes (note 4):

Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. WLCs prior to release 7.0.116.0 do not support CoA and require deployment of an ISE Inline Posture Node to support posture services. Use of Inline Posture Node requires WLC version 7.0.98 or later. Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support. Profiling services are currently supported for 802.1X-authenticated WLANs only on the WLC with CoA support. HREAP is not supported. WLCs do not currently support MAC Authentication Bypass (MAB).

thanks,

Tarik Admani
*Please rate helpful posts*
New Member

How to create a custom DACL in ISE

Thank you, Tarik.

Wouldn't it be super impudent if I asked you about the issue I ran into on the WLC in conjunction with ISE and dot1x, or should I post it in the Wireless section?

Re: How to create a custom DACL in ISE

Not a problem, tell me what you are having issues with.

Tarik Admani
*Please rate helpful posts*