09-24-2014 08:34 AM - edited 03-10-2019 10:03 PM
Do you generally use the default ISE policy that adds the PERMIT ANY DACL to IP Phones, or do you remove the DACL?
09-25-2014 01:49 PM
I always do the following with my deployments:
1. Always return a dACL, even if it is just "permit ip any any". There are bugs with IOS that do not remove the CWA ACLs or the default ACL on the port if you don't return a dACL. I also like it because I can quickly go in and restrict access if needed.
2. I never use anything that is default in ISE. I create my own authorization policies, profiles, identity store sequences, etc. That way I know that I have not touched anything that is default, so I can go back later and use it for reference.
Hope this helps!
Thank you for rating helpful posts!