Thursday, May 30, 2019

ISE default authorization policy with DACL.

Hello, networking,

Hope I can get some insight from any ISE experts out there. Currently we're running DOT1X with EAP-TLS and AD integration and it is working just fine.

One problem that we're having is with the last "default" rule under policy sets for authorization. For the default rule, with no condition, we configured a profile that has a DACL attached to it. The idea is that whenever there's a failure for any reason whatsoever, it'll hit the default rule and download the ACL. However, this isn't working.

When a computer fails, it just says unauth with no access to the network; however, we'd like for it to have access to certain resources. Kind of like if a machine fails, it'll get a DACL with access to certain services only; those services offer remediation so they can successfully pass authentication.

We're already running C3PL with an event to put an ACL on the machine if it fails authentication; however, the problem is that we don't want to maintain ACLs scattered across hundreds of switches. If the systems team decides to add a new server or change an IP on an existing server (which they have before), then we'd have to go to every switch and update each ACL; this is why it's preferable to run it from ISE where it can be updated and deployed to every switch at once.

Any insight or help would be greatly appreciated.
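For readers following the switch-side approach the post describes (a C3PL event on authentication failure that applies a locally held ACL), the following IOS configuration is an added illustration and not configuration from the original post. The policy, class, template and ACL names, and the 192.0.2.x remediation server addresses, are assumptions chosen for the example.

```ios
! Locally maintained remediation ACL (the part the post wants to move into ISE).
! Addresses are placeholders from the documentation range, not real servers.
ip access-list extended ACL_REMEDIATION
 remark Allow DHCP and DNS so the failed host can still be reached and resolve names
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 remark Remediation servers only (example addresses)
 permit ip any host 192.0.2.10
 permit ip any host 192.0.2.11
 deny   ip any any

! Service template that attaches the ACL to the failed session
service-template REMEDIATION_TEMPLATE
 access-group ACL_REMEDIATION

! Class matching an authoritative dot1x failure (an Access-Reject from ISE)
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative

! Subscriber policy: run dot1x, and on an authoritative failure apply the
! remediation template instead of leaving the port with no access at all
policy-map type control subscriber DOT1X_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 activate service-template REMEDIATION_TEMPLATE
   30 authentication-restart 60
```

One point worth keeping in mind when comparing the two approaches: a DACL is delivered inside the RADIUS Access-Accept, so a session that ISE rejects (an EAP-TLS failure returns Access-Reject) never receives any authorization attributes, which is why a switch-side failure event is the place where a restricted ACL can still be applied. The local ACL here is the maintenance burden the post complains about; the switch-side event handling is what makes the restricted access possible in the first place.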
