09-24-2014 08:34 AM - edited 03-10-2019 10:03 PM
Do you generally use the default ISE policy that adds the PERMIT ANY DACL to IP Phones, or do you remove the DACL?
09-25-2014 01:49 PM
I always do the following with my deployments:
1. Always return a dACL even if it is just "permit ip any any". There are bugs with IOS that do not remove the CWA ACLs or the default ACL on the port if you don't return a dACL. I also like it because I can quickly go in and restrict access if needed.
2. I never use anything that is default in ISE. I create my own authorization policies, profiles, identity store sequences, etc. That way I know that I have not touched anything that is default, so I can go back later and use it for reference.
Hope this helps!
Thank you for rating helpful posts!