ISE 1.2: Airspace ACL vs DACL

Can someone please shed some light here:
I have a 5508 WLC & ISE 1.2. I configured Guest Access through the use of a Sponsor Portal, and got it working.
I now want to restrict my Guest users to access the internet only and not the rest of my network.
Do I do that using an Airespace ACL & an Access List on my WLC or a DACL on my ISE box?
I'm not sure how to block the users from accessing my internal network, since I have tried both, but neither works.
Any advice please.

In ISE, dACLs are only applicable to switches. They are ineffective with wireless connections.
An Airespace ACL is the way to go and it looks like you got it working.
The ACL should be:
permit inbound for any to the ISE IPs and permit outbound from ISE to any.
deny any to 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 inbound (or just to your internal IP space)
permit any to any in any direction

Similar Messages

  • I don't understand correlation between ACL and dACL. If dACL is downloaded to the Catalyst switch what is the status of the ACL

    Understanding ISE and dACL.
    I don't understand the correlation between ACL and dACL.
    If a dACL is downloaded to the Catalyst switch, what is the status of the ACL attached to the physical port? Is the dACL appended to the existing ACL? When I typed ‘sh ip access-list int fa0/1’ I can see only the dACL for the access domain and the dACL for the voice domain appended to the previous dACL, and no ACL lines.
     Regards,
    Vice

    Hi,
    Downloadable ACLs (dACL) are applied from your RADIUS server based on authentication and authorization policies. A dACL overrides any standard interface ACL.
    Standard interface ACLs are in place to limit traffic on the port before 802.1x or MAB authentication.
    When an authenticated session terminates on the interface the standard ACL will be re-applied until the next authentication.

  • ISE 1.2 and ACL's with multiple ports

    When creating a DACL for my groups I used the Syntax " permit tcp any 192.168.20.0 0.0.0.255 eq 22 443" for one of my acl's inside the DACL and the syntax check validated it. When I pushed it to my groups it also worked but I have heard that this type of multiple port ACL in ISE is not supported. Does anyone know if this is accurate?

    Thanks for the response, but it's wrong. Cisco supports stacked ports in 1.2 for wired users. They carried over 1.1 documentation to 1.2 and never updated it. We have it in writing from Cisco TAC.

  • ISE Support IPV6 Dynamic ACLs

    Does ISE support IPv6 in its dynamic ACLs? We are a dual stack IPv6 site at present. We could leave the guest LAN on an IPv4 only site for the moment, but we intend to go forward and support IPv6 fully. If we wanted to apply DACLs to a port that had a Dual Stack arrangement, is that possible from ISE?

    IPv6 support for ISE is not implemented yet (version 1.1.3 or 1.1.4).
    I thought it would arrive in version 1.2,
    but as I am looking at the improvements in the version 1.2 Q&A I cannot see anything about IPv6:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    Our customer has blocked IPv6 on wifi as we cannot put dynamically one IPv4 and one IPv6 ACL at the same time.
    If someone has some "official news" about IPv6 ... would appreciate it.
    rgds,
    guillaume

  • 3850 controller ACL working with ISE

    Hi all
    I was wondering if anyone can point me in the right direction. I was setting up BYOD access with ISE and legacy controllers as follows:
    - create a rule on ISE with Redirect / Airespace ACL
    - once that rule is hit, ISE would send the ACL name that needs to be applied on the controller (i.e. NSP-IOS)
    - the controller would need to have the same ACL created locally with a matching name
    - there are certain rules on old controllers allowing inbound / outbound traffic + denying traffic to be redirected
    Now I want to use the same principle with a 3850 controller.
    The question is -> where do I configure this ACL, globally or under the WLAN? Also, what about direction - inbound / outbound, which used to be the case with legacy controllers?

    The ACL should be under the WLAN.

  • 3850 mobility - - named ACLS From ISE

    Hi all
    I'm in the middle of testing 3850 MC downloadable ACLs. I set it up on ISE and it is working well on a 2960. But as you know,
    when I use a DACL with a WLC (3850), ISE just sends the ACL name and the WLC gets that ACL name, then the ACL starts working.
    But I think ISE sends an ACL name but the WLC is not working... I already double-checked the ACL name... and... what?
    So do you have any document for this? Step by step.
    thank you

    Thank you salodh.
    OK, not a downloadable ACL on the WLC. I want to know whether ISE gives a named ACL to the WLC and the ACL works on the
    WLC for the wireless client. Am I clear?
    I configured the WLC's ACL on ISE and also made the same ACL on the WLC, but the ACL didn't work.

  • ACL--- ISE

    Hi Team!!
    In ISE, can a static ACL be applied dynamically to a switch interface, i.e. if a port on a switch, which is allocated to a printer, becomes active but no certificate is received on the ISE, then the ISE will push an ACL to the switch port to only allow printer traffic. This could get around MAC authentication bypass possibly.
    Cheers!!
    Minakshi

    Hello Minakshi-
    You can definitely accomplish this by:
    1. Configure the switch to support both mab and dot1x
    2. Configure ISE for mab and dot1x
    3. Configure a printer specific "dACL" in ISE
    4. Configure a printer specific "Authorization Profile" in ISE and attach the dACL created in step #3 to it
    5. Test :)
    Thank you for rating helpful posts! 

  • ISE: support for IPv6 DACL's

    Hi,
    Does anyone know if/when ISE will be able to push out IPv6 dynamic acl's? I have not managed to find any information on this other than an old post here: https://supportforums.cisco.com/discussion/11795676/ise-support-ipv6-dynamic-acls
    Thanks,
    Phill Macey

    It's not supported as of the current ISE 1.3.
    I've heard it is planned for a future release but there's no announced or committed date as of yet.
    If you're working with a partner or Cisco account manager, be sure to officially request it if it's important to you. Customer requests help build the business case for prioritizing the features.

  • ISE & WLC

    Quick question:
    If I deploy ISE+WLC and the WLC is in HREAP / FlexConnect mode, the Access-Lists do not work, so how am I supposed to posture clients at remote locations?
    (cuz I was gonna put an ACL to block everything but dns/etc until they get postured)
    Can I change the VLAN per user/device once they hit the AP? I am always talking about remote locations.

    Tarik,
    First, thanks for your prompt reply. I haven't deployed it yet but here are my plans:
    Software Version 7.0.220.0, ISE 1.1.1, AP 3500, with local switching (it's called FlexConnect now, HREAP legacy, whatever)
    No DACL, Redirect ACLs defined in the controller, and in ISE I plan to use the AIRESPACE ACL attribute (I've labbed this - but not in FlexConnect) ---> This is all for posturing.
    If there is any other way of doing this (having clients denied any access and redirected to the posture URL) that would be great.
    Here is a Cisco HREAP/FlexConnect limitation:
    Other H-REAP Limitations
    If you have configured a locally switched WLAN, then Access Control Lists (ACLs) do not work and are not supported. On a centrally switched WLAN, ACLs are supported.
    Now, CoA is also a concern - if I have an AP<====TRUNK====>SWITCH----vlan/2/3/4, I want to be able to swap clients to a different VLAN based on the user/device they are connecting with. I am not sure if this will work in HREAP/FlexConnect mode, and there is a slight change in the wording of the authorization policy attribute in ISE 1.1.x: before it used to be just the VLAN you want to set the clients to, now it has TAG ID, which I am not sure what it is.
    Thanks for your help, I hope my question is clear.

  • Cisco ISE - CWA AD Authentication

    Hello,
    I'm using a Cisco ISE on 1.3 and have a CWA portal setup for AD Auth. When a user connects to a particular SSID (from a WLC) that is setup for mac filtering, it redirects to a CWA via the Auth Policy. the CWA is disabled, they login, the device registers, etc.. and all is well. The next policy checks to see if the device is registered, and if so, bypasses the Auth. Which also works. However, any AD account can authenticate against the CWA, not the particular AD account I want. I don't know where to put the Auth Policy or what it looks like. Any help would be appreciated. I've tried a few combinations to no avail.
    Below are my current Auth Policies, as I mention above. They work, but the CWA validates any AD credential, not the group I want. Should a NetworkAccess:UseCase=GuestFlow go between the 2 policies perhaps?

    Hi Marc, what I meant by "desired_permissions" is what your environment/situation calls for. With that being said, returning back only "access_accept" with your "authorization profile" would work, but at the same time it will give the authorized users/devices full access. So unless you have an ACL to firewall off the guest users, you would need to return some additional attributes when trying to restrict/limit guest users/devices.
    For instance, I like to use Policy Sets and dedicate a policy set per SSID and then either a general Policy Set for Wired or one Policy Set for Corporate Wired and one for Guest Wired. If you don't use policy sets, then you should create one "authorization rule" for Guest_Wired and one for Guest_Wireless.
    For the Guest_Wired, you will need to return "access_accept" and then a "DACL Name" that you can create locally in ISE.
    For the Guest_Wireless, you will need to return "access_accept" and then an "Airespace ACL Name". That ACL is not a DACL (WLCs do not support DACLs). Instead, that is an ACL that you configure locally on the WLC, thus the name must match on both ends and it is case sensitive!
    Both the DACL and the "Airespace ACL" would contain rules that fit your environment/security requirements. Typically though you would have:
    1. Permit DNS - Needed for DNS resolution
    2. Permit access to ISE - Needed for the guest pages to properly load
    3. Deny any private/RFC 1918 addresses - Blocks guests from accessing internal hosts
    4. Permit everything else - Needed for general internet browsing
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE guest access - can't match on Optional Data fields

    Hi all
    I need to have 2 different types of guest users that will get different levels of access with DACL / Airespace ACL.
    I thought that the best way to do that is simply matching one of the optional data fields you can set up in the Sponsor Portal.
    Unfortunately, as soon as I reference an Optional Data field in the Authorization rule I get no match. I also can't match on username, which would not help anyway.
    Getting redirected, login, getting redirected again etc.......
    This is affecting both wireless and wired.
    As soon as I remove that additional condition from the authz rule, guest access works fine - getting redirected, log in, surf the internet.
    Is this a bug with ISE that you can't match guest optional data fields?

    Hi evnafets,
    You were right. How silly I am, I didn't see that small thing - but STILL THE PROBLEM IS UNSOLVED.
    [ore]
    java.sql.SQLException: [Microsoft][ODBC Microsoft Access Driver] Missing ), ], or Item in query expression 'Post_Date LIKE to_date('04-06-2005',' dd/MM/yyyy''.
    Like it says, you have a missing ")" character
    rs=stmt.executeQuery("SELECT Name FROM NoticeBoardTable WHERE Post_Date LIKE to_date('"+ date_str+"', 'dd/MM/yyyy' <--HERE NEED A CLOSING BRACKET ");
    When I did this it said the to_date function is not available, because MS Access doesn't have this function. Then I just changed the query to:
    rs=stmt.executeQuery("SELECT Name FROM NoticeBoardTable WHERE Post_Date LIKE "+ date_sql );
    Although it didn't generate any exception, it doesn't show any record.
    But even better would be to use a prepared statement.
    String sql = "SELECT Name FROM NoticeBoardTable WHERE Post_Date LIKE ?";
    PreparedStatement stmt = con.prepareStatement(sql);
    stmt.setDate(1, date_sql);
    ResultSet rs = stmt.executeQuery();
    I had a prepared statement in my final servlet; I made this one just to check why it's not working on dates. Also, on your advice I changed it to a prepared statement. It runs fine but doesn't show any record with date 04-06-2005 although I have it in my database (not generating any exception).
    I print the SQL date through the servlet just to check; it's showing 2005-06-04. Maybe it's a format problem.
    Thanks
    Regards

  • ISE wireless CPP with redirect exclusions, possible?

    Hi all, a little bit of a tricky situation here. I've got a wireless network and ISE 1.1.1. The wireless is mixed 7.0 and 7.3 code.
    On an ISE wired installation it's easy to have an authorization rule that URL redirects users to the client provisioning portal *BUT* to have a redirect ACL on the switch with deny statements that excludes specific websites from the redirection. This is done so users can click on remediation links from the NAC Agent and get to websites to download anti-virus, sig updates, windows updates, etc... but all other web attempts get redirected to the CPP.
    All fine and it works perfectly on the wired network. HOWEVER, I can't seem to find a similar way to do this on the wireless network. While you can create a posture redirection policy to send them to the CPP with an ACL, that ACL seems to only permit or deny traffic per a standard ACL. Meaning a user gets on but any attempt to go anywhere in a browser redirects to the CPP. This makes it impossible to get to the remediation pages.
    Is there any way to accomplish what I'm trying to do here? It seems like it should be a basic function.

    Sorry, I had some personal issues to deal with and just got a chance to follow up on this. First of all, good job on figuring it out and posting the findings back here! (+5) from me for that!
    To answer your questions:
    #1. You are 100% correct about the logic on the WLC ACLs vs Switch ACLs. On switches "deny" means "don't redirect" the traffic, thus permit it on the network. On the WLCs "deny" means "redirect" the traffic, hence don't allow it on the network. I am not sure why Cisco did this, but different BUs, different teams, etc.
    #2. You are also correct on this one. Your vWLC and ISE are working as expected. While switches support dACLs, WLCs only support "named ACL." As a result, when referencing ACLs on ISE for wireless, that ACL has to exist on the WLC and it MUST BE NAMED THE SAME or it won't work.
    Hope this helps. If your issues are resolved, please mark the thread as "answered".
    Thank you for rating!
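    The guest ACL structure described in the replies above (permit DNS, permit ISE, deny RFC 1918, permit everything else) and the switch-versus-WLC redirect-ACL inversion from answer #1 can be checked offline before anything is pushed. The following Python model is an added example, not code from any of the posts or from Cisco; the ISE node, DNS server and "internet" host addresses are constructed placeholders, and the rule matcher only models protocol, destination address and destination port.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder addresses for this example (not from the threads).
ISE_PSN = "10.1.1.10"          # hypothetical ISE policy node
INTERNAL_DNS = "10.1.1.53"     # hypothetical internal DNS server
PUBLIC_WEB = "203.0.113.80"    # documentation-range "internet" host


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "any", "tcp" or "udp"
    dst: str                     # destination CIDR or "any"
    dport: Optional[int] = None  # destination port, None means any

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl: List[Rule], proto: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in acl:
        if rule.matches(proto, dst_ip, dport):
            return rule.action
    return "deny"


# The four-step guest ACL from the thread, in the order given there:
# DNS, then ISE, then deny RFC 1918, then permit everything else.
GUEST_ACL = [
    Rule("permit", "udp", "any", 53),
    Rule("permit", "any", ISE_PSN + "/32"),
    Rule("deny", "any", "10.0.0.0/8"),
    Rule("deny", "any", "172.16.0.0/12"),
    Rule("deny", "any", "192.168.0.0/16"),
    Rule("permit", "any", "any"),
]

# Same rules with the ISE permit placed after the RFC 1918 denies: because the
# ISE node sits inside 10.0.0.0/8, the guest portal becomes unreachable.
MISORDERED_GUEST_ACL = [GUEST_ACL[0]] + GUEST_ACL[2:5] + [GUEST_ACL[1], GUEST_ACL[5]]


def guest_portal_reachable(acl: List[Rule]) -> bool:
    """Pre-deployment check: the guest portal (ISE, TCP/8443 assumed here)
    must be permitted, or redirected guests never load the login page."""
    return evaluate(acl, "tcp", ISE_PSN, 8443) == "permit"


def is_redirected(acl: List[Rule], platform: str, proto: str, dst_ip: str, dport: int) -> bool:
    """Redirect-ACL semantics differ by platform, as the reply above explains:
    on a switch, 'permit' selects traffic for redirection and 'deny' lets it
    pass untouched; on the WLC, 'deny' means redirect and 'permit' means pass."""
    action = evaluate(acl, proto, dst_ip, dport)
    if platform == "switch":
        return action == "permit"
    if platform == "wlc":
        return action == "deny"
    raise ValueError(f"unknown platform {platform!r}")


# Switch-style redirect ACL in the shape of the ISE_REDIR list further down the
# page: exempt DHCP, DNS and ISE itself, then select web traffic for redirection.
SWITCH_REDIRECT_ACL = [
    Rule("deny", "udp", "any", 67), Rule("deny", "udp", "any", 68),
    Rule("deny", "udp", "any", 53),
    Rule("deny", "any", ISE_PSN + "/32"),
    Rule("permit", "tcp", "any", 80), Rule("permit", "tcp", "any", 443),
]

# WLC-style pre-auth ACL with the same intent under the inverted meaning:
# permit what must pass (DNS, ISE); everything else falls to the implicit deny, i.e. redirect.
WLC_REDIRECT_ACL = [
    Rule("permit", "udp", "any", 53),
    Rule("permit", "any", ISE_PSN + "/32"),
]
```

Running the same flows through both redirect lists shows why an ACL copied verbatim from a switch to a WLC redirects the wrong traffic.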

  • CWA on ISE and switches

    I was able to configure the CWA on the switch and Cisco ISE. It is working as expected. I followed the guide at the link below.
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
    I only have one question. I am trying to understand why the ACL must be configured on the port on the switch. The guide uses an ACL with the name webauth which permits all traffic. If the port is authorized it receives a dACL from ISE, otherwise the port is in an unauthorized state and denies all traffic.
    interface GigabitEthernet1/0/12
    description ISE1 - dot1x clients - UCS Eth0
    switchport access vlan 100
    switchport mode access
    ip access-group webauth in
    authentication order mab
    authentication priority mab
    authentication port-control auto
    mab
    spanning-tree portfast
    end
    ip access-list extended webauth
    permit ip any any

    Why the ACL must be configured on the port on the switch
    Question:
    I only have one question. I am trying to understand why the ACL must be configured on the port on the switch. The guide uses an ACL with the name webauth which permits all traffic. If the port is authorized it receives a dACL from ISE, otherwise the port is in an unauthorized state and denies all traffic.
    What is Web Authentication?
    Central web authentication is opposed to local web authentication, which is the usual web authentication on the switch itself. In that system, upon dot1x/mab failure, the switch will fail over to the webauth profile and will redirect client traffic to a web page on the switch.
    Role of ACL:
    The redirect ACL sent back with the central webauth profile determines which traffic (HTTP or HTTPS) is redirected to the ISE. The downloadable ACL allows you to define what traffic is allowed. You should typically allow DNS, HTTP(S), and 8443 and deny the rest. Otherwise, the switch redirects HTTP traffic but allows other protocols.
    Port ACLs
    Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on physical interfaces and not on EtherChannel interfaces, and can be applied only on interfaces in the inbound direction. These access lists are supported:
    • Standard IP access lists using source addresses
    • Extended IP access lists using source and destination addresses and optional protocol type information
    • MAC extended access lists using source and destination MAC addresses and optional protocol type information
    The switch examines ACLs associated with all inbound features configured on a given interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way, ACLs control access to a network or to part of a network. Figure 31-1 is an example of using port ACLs to control access to a network when all workstations are in the same VLAN. ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.
    Figure 31-1 Using ACLs to Control Traffic to a Network
    When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
    With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.
    For more information, please check
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swacl.html#wp1715468

  • ISE and CoA 'port bounce' on WLC 7.2

    Hi,
    I'm trying to get a VLAN change done with CoA and MAB on a WLC 7.2, but it looks like it doesn't disconnect the client, hence no new DHCP request.
    Everything is working except 'port bounce'. I can see the new VLAN in the controller; if I do an ifconfig /renew on the client it gets the new subnet and everything works as it should. If I remove the endpoint in ISE it swaps the VLAN again on the controller, but no port bounce...
    Is it possible to do this at all?
    Page 244/245 in the Configuration guide - RADIUS NAC - Guidelines and Limitations says:
    VLAN select is not supported
    ISE 1.1.1
    WLC 7.2
    Thanks
    Message was edited by: Mikael Gustafsson

    Hi,
    So in general there is no easy solution to do a VLAN change for guest users on wireless?
    What I'm trying to do is to separate the guest VLAN from the rest of the network.
    Where the user first gets the VLAN with the ISE interface in it, with an ACL for DNS and the guest portal, and DHCP proxy from the WLC.
    After authentication he would get the guest VLAN with only DHCP proxy and a default gw at the fw.
    I did try the CoA DHCP option on the guest portal and it's not a good solution: the user needs to interact to accept an applet install, and it's (from what I understand from the UG) only working on Windows. (And I didn't get it to work.)
    Thanks
    Message was edited by: Mikael Gustafsson

  • ISE dot1x and MAB issues

    I am trying to set my ISE to attempt dot1x before mab. If I set up the switchport to try mab first, then ISE does its job and assigns the proper VLAN. However, when I set the port up to do dot1x first, the port reverts to the default VLAN 1. I am able to manually assign the proper VLAN on the port and ISE does not interfere, but that kind of defeats the purpose. The port is on a 4506 and below is the port config. Any direction would be greatly appreciated.
    interface GigabitEthernet5/7
     description 1-151
     switchport mode access
     switchport block unicast
     switchport voice vlan 68
     ip arp inspection limit rate 60
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 40
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity 3600
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    end

    Recently I implemented this for one of our customers; find the switch configuration below.
    aaa new-model
    aaa authentication dot1x default group radius local
    aaa authorization network default group radius local
    aaa authorization auth-proxy default group radius
    aaa accounting delay-start all
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa server radius dynamic-author
     client <ISE IP ADDRESS> server-key 7 10471A1C25141B1F0F
    aaa session-id common
    ip device tracking probe use-svi
    ip device tracking
    ip admission name Testing_ISE proxy http inactivity-time 10 list ISE_ALLOWED
    epm logging
    dot1x system-auth-control
    spanning-tree mode rapid-pvst
    spanning-tree loopguard default
    spanning-tree portfast bpduguard default
    spanning-tree extend system-id
    spanning-tree uplinkfast
    spanning-tree backbonefast
    spanning-tree vlan 1-1005 priority 8192
    port-channel load-balance src-dst-ip
    vlan internal allocation policy ascending
    interface range GigabitEthernet X/X
     description "Connected to test PC for ISE testing"
     switchport access vlan x
     switchport mode access
     switchport voice vlan x
     authentication event fail action next-method
     authentication event server dead action authorize vlan 107
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity 180
     authentication violation protect
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip http server
    ip http secure-server
    ip access-list extended ISE_REDIR
     deny   udp any any eq bootpc
     deny   udp any any eq bootps
     deny   udp any any eq domain
     deny   ip any host <ISE IP ADDRESS> log
     permit tcp any any eq www
     permit tcp any any eq 443
     deny   ip any any log
    ip access-list extended ISE_ALLOWED
     permit ip any host <ISE IP ADDRESS>
    logging esm config
    snmp-server community string RO
    snmp-server community public RO
    snmp-server community ise RO
    snmp-server trap-source Vlan250
    snmp-server enable traps mac-notification change move threshold
    snmp-server host <ISE IP ADDRESS> version 2c ise  mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host <ISE IP ADDRESS> auth-port 1812 acct-port 1813 key 7 141E010E2C07233F27
    radius-server vsa send accounting
    radius-server vsa send authentication
    Create an Authentication policy in ISE and allow the ISE_REDIR ACL.