
Assign an ACL (not DACL) to Wired Session

paul (Level 10)

I can assign an ACL that exists on an ASA to a VPN user or an ACL that exists on a WLC to a wireless user, but is there a way to assign an ACL defined on a switch to a wired authentication?  I don't think there is.

The use case is for a large world-wide customer that has a class of devices that need access to the local LAN subnets at the site where they sit.  We thought of having an ACL named the same on every switch, like "Local_Access_Only", that would restrict access to the local subnets, but I don't think I have a way to apply that to the authentication.

If we tried doing this with a DACL we would need a unique DACL and result for each one of their locations.

I could do something odd like assign a redirect ACL that essentially would deny (i.e. not redirect) traffic to the local subnets and permit (i.e. redirect) to anything else.  Those devices would be permanently sitting in a web auth redirect state, but functionally it should work.

Let me know if an ACL could be applied or if there is another method I am missing (don't say TrustSec).

1 Accepted Solution

Grr found the issue.  My ACL on the switch didn't have "any" in the source field of one of the lines.  Once I turned on "debug epm all" I saw the issue.   The Filter-ID works perfectly.

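The accepted answer turns on one detail: a named ACL handed to a wired session via Filter-Id is only accepted if every ACE has "any" as its source. As an added example that is not part of this thread, the Python below lints an IOS-style extended ACL for exactly that failure before it is pushed to every site's switch, and rewrites offending sources to "any". The ACL text is constructed for the example; the assumption (mine, not stated in the thread) is that the switch substitutes the authenticated host's address for the source of each ACE, which is why a specific source is rejected, and that IOS expects the Filter-Id value in the form "<ACL name>.in" for the inbound direction.

```python
"""Lint an IOS-style extended ACL before applying it to a wired session via Filter-Id.

Added example, not code from the original thread.  Assumption: when IOS applies a
named ACL to an authenticated session (Filter-Id or dACL), the switch substitutes
the endpoint's address for each ACE's source, so every ACE must be written with
source "any".  An ACE with a specific source is the misconfiguration the accepted
answer found with "debug epm all".
"""
import re

# Constructed sample modelled on the thread's "Local_Access_Only" idea: permit the
# site's local subnets, deny everything else.  The ACE with "host 10.20.1.50" as its
# source deliberately reproduces the misconfiguration from the accepted answer.
SAMPLE_ACL = """\
ip access-list extended Local_Access_Only
 remark site LAN only, applied per session via Filter-Id
 permit ip any 10.20.0.0 0.0.255.255
 permit ip host 10.20.1.50 10.20.1.0 0.0.0.255
 permit udp any any eq 53
 deny ip any any
"""

ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$"
)
# Port operators that may follow an address spec, and how many operands each takes.
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}


def _take_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _skip_ports(tokens, i):
    """Skip an optional port operator (eq/neq/gt/lt/range) that follows an address."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return i + 1 + PORT_OPS[tokens[i]]
    return i


def parse_ace(line):
    """Return (action, proto, source, destination) for an ACE line, or None otherwise."""
    m = ACE_RE.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    src, i = _take_addr(tokens, 0)
    i = _skip_ports(tokens, i)
    dst, _ = _take_addr(tokens, i)
    return m.group("action"), m.group("proto"), src, dst


def lint_session_acl(acl_text):
    """Return (line_number, line, problem) for every ACE unfit for per-session use."""
    findings = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        ace = parse_ace(line)
        if ace is None:
            continue
        src = ace[2]
        if src != "any":
            findings.append((n, line.strip(),
                             f"source '{src}' must be 'any' (switch substitutes the session host)"))
    return findings


def rewrite_sources_to_any(acl_text):
    """Return the ACL with each ACE's source replaced by 'any'; other lines are untouched."""
    out = []
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if ace is None or ace[2] == "any":
            out.append(line)
            continue
        m = ACE_RE.match(line)
        tokens = m.group("rest").split()
        _, after_src = _take_addr(tokens, 0)      # index of the first token after the old source
        indent = line[: len(line) - len(line.lstrip())]
        seq = m.group("seq") or ""
        out.append(f"{indent}{seq}{m.group('action')} {m.group('proto')} "
                   + " ".join(["any"] + tokens[after_src:]))
    return "\n".join(out)


def filter_id_attribute(acl_name, direction="in"):
    """Build the RADIUS Filter-Id value for an IOS switch ACL (assumed '<name>.in' form)."""
    return f"{acl_name}.{direction}"


if __name__ == "__main__":
    for n, line, problem in lint_session_acl(SAMPLE_ACL):
        print(f"line {n}: {problem}: {line}")
    print(rewrite_sources_to_any(SAMPLE_ACL))
    print("Filter-Id =", filter_id_attribute("Local_Access_Only"))
```

Run it over each site's copy of the ACL before the authorization profile is rolled out; a clean lint result is the same thing "debug epm all" would otherwise confirm the hard way, one switch at a time.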

3 Replies

hslai (Cisco Employee)

Hmm, I tried the filter ID, but I got authorization failed after applying that to the result. I will do more testing.

Thanks.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250
