Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Who gets the dACL in ISE for this????

I have an access ports with voice ports. Which traffic gets the dACL? Is it the data the voice, or both? What if the PC is getting it's IP through the phone switch? Currenly I have dACL's for both traffic, but I started thinking and I was not sure. By the way my Cisco IP phones in 1.2 show a very high amount of repeat auth counts....like 2-3k in a few hours...WTF?

Thanks for any suggestions.

2 REPLIES
Cisco Employee

Who gets the dACL in ISE for this????

Hi

FYI,

An authentication policy consists of the following:

• Network Access Service—This service can be one of the following:

– An allowed protocols service to choose the protocols to handle the initial request and protocol

negotiation.

– A proxy service that will proxy requests to an external RADIUS server for processing.

• Identity Source—An identity source or an identity source sequence to be used for authentication.

After installation, a default identity authentication policy will be available in Cisco ISE that will be used

for authentications. Any updates to the authentication policy will override the default settings.

The following is a list of protocols that you can choose while defining your authentication policy:

• Password Authentication Protocol (PAP)

• Protected Extensible Authentication Protocol (PEAP)

• Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2)

• Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)

• Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

• Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)

• Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS)

By default, the identity source that Cisco ISE will look up for user information is the internal users

database.

Who gets the dACL in ISE for this????

Assuming you are authenticating the Phone and the PC independantly of each other, then you can apply a different ACL to each session should you wish.  There's a LOT of guidance around this in the SRNDs.

As for excessive phone re-authentications, could be dodgy switch software, dodgy phone software, bad config on your switch, or bad config on your ISE.  Need more info before we can guess an answer, but whatever, you're right to call it out as being abnormal.

218
Views
0
Helpful
2
Replies
CreatePlease to create content