Using PERMIT ANY DACL on IP Phone

Josh Morris
Level 3

Do you generally use the default ISE policy that adds the PERMIT ANY DACL to IP Phones, or do you remove the DACL?

Accepted Solutions

nspasov
Cisco Employee

I always do the following with my deployments:

1. Always return a dACL even if it is just "permit ip any any". There are bugs with IOS that do not remove the CWA ACLs or the default ACL on the port if you don't return a dACL. I also like it because I can quickly go in and restrict access if needed.

2. I never use anything that is default in ISE. I create my own authorization policies, profiles, identity store sequences, etc. That way I know that I have not touched anything that is default, so I can go back later and use it for reference.

Hope this helps!

 

Thank you for rating helpful posts!
