01-11-2018 02:11 PM
I can assign an ACL that exists on an ASA to a VPN user or an ACL that exists on a WLC to a wireless user, but is there a way to assign an ACL defined on a switch to a wired authentication? I don't think there is.
The use case is for a large world-wide customer that has a class of devices that need access to the local LAN subnets at the site where they sit. We thought of having an ACL named the same on every switch, like "Local_Access_Only", that would restrict access to the local subnets, but I don't think I have a way to apply that to the authentication.
If we tried doing this with a DACL we would need a unique DACL and result for each one of their locations.
I could do something odd like assign a redirect ACL that essentially would deny (i.e. not redirect) traffic to the local subnets and permit (i.e. redirect) everything else. Those devices would be permanently sitting in a web auth redirect state, but functionally it should work.
Let me know if an ACL could be applied or if there is another method I am missing (don't say TrustSec).
01-12-2018 07:10 AM
Try Filter-ID. See IP Device Tracking with 802.1x and Filter-ID ACL for Version 15.x
01-12-2018 08:31 AM
Hmm, I tried the Filter-ID, but I got an authorization failure after applying it to the result. I will do more testing.
Thanks.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
01-17-2018 07:09 PM
Grr, found the issue. My ACL on the switch didn't have "any" in the source field of one of the lines. Once I turned on "debug epm all" I saw the issue. The Filter-ID works perfectly.
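The root cause above is a common one with wired Filter-ID and dACLs: when the switch installs the ACL for an authenticated session, EPM replaces the "any" source of each ACE with the client's IP learned by IP device tracking, so an ACE whose source is not "any" cannot be installed and the authorization fails. The following Python checker is an added example, not code from this thread or from Cisco. It parses an IOS named extended ACL, flags any ACE whose source is not "any" (or that lacks a destination), builds the Filter-Id attribute value, and renders what the per-client ACEs look like after the substitution. The ACL text, the "Local_Access_Only" name, the subnets and client address, the "<name>.in" Filter-Id form and the rendered substitution are all constructed assumptions for illustration.

```python
"""Checker for an IOS named extended ACL that will be pushed by name via
RADIUS Filter-Id (added example, not code from the thread or from Cisco).
It flags ACEs whose source is not 'any', the mistake the thread ran into.
ACL text, names, subnets, the '<name>.in' Filter-Id form and the per-client
rendering are constructed assumptions."""
import ipaddress
import re

# Optional sequence number, permit/deny, protocol, then the rest of the ACE.
ACE_RE = re.compile(r"^(?:\d+\s+)?(permit|deny)\s+(\S+)\s*(.*)$")
PORT_OPS = {"eq", "gt", "lt", "neq"}


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def _take_addr(tokens):
    """Pop one address spec from the front of tokens and return it:
    'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'. None if no spec is there."""
    if not tokens:
        return None
    if tokens[0] == "any":
        return tokens.pop(0)
    if tokens[0] == "host" and len(tokens) > 1 and _is_ip(tokens[1]):
        tokens.pop(0)
        return f"host {tokens.pop(0)}"
    if len(tokens) > 1 and _is_ip(tokens[0]) and _is_ip(tokens[1]):
        addr = tokens.pop(0)
        return f"{addr} {tokens.pop(0)}"
    return None


def _skip_port(tokens):
    """Drop an optional 'eq/gt/lt/neq N' or 'range A B' port clause."""
    if len(tokens) > 1 and tokens[0] in PORT_OPS:
        del tokens[:2]
    elif len(tokens) > 2 and tokens[0] == "range":
        del tokens[:3]


def check_filter_id_acl(acl_text):
    """Return a list of (ace, problem) for entries unsafe for Filter-Id use;
    an empty list means every ACE has an 'any' source and a destination."""
    problems = []
    for raw in acl_text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "remark", "ip access-list")):
            continue
        m = ACE_RE.match(line)
        if not m:
            problems.append((line, "not a permit/deny entry"))
            continue
        tokens = m.group(3).split()
        src = _take_addr(tokens)
        if src is None:
            problems.append((line, "missing source address"))
            continue
        if src != "any":
            problems.append((line, f"source is {src!r}, must be 'any' for EPM"))
        _skip_port(tokens)
        if _take_addr(tokens) is None:
            problems.append((line, "missing destination address"))
    return problems


def filter_id_value(acl_name):
    """RADIUS Filter-Id the switch expects for an inbound ACL (assumed form)."""
    return f"{acl_name}.in"


def install_for_client(acl_text, client_ip):
    """Render the per-client ACEs: the 'any' source becomes the client host
    (illustrates the EPM substitution; constructed, not switch output)."""
    ipaddress.ip_address(client_ip)  # raise on a bad address
    out = []
    for raw in acl_text.strip().splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group(3).split()
        if rest and rest[0] == "any":
            rest[0:1] = ["host", client_ip]
        out.append(f"{m.group(1)} {m.group(2)} {' '.join(rest)}")
    return out


# Constructed samples: the second ACE of BROKEN_ACL repeats the thread's mistake.
BROKEN_ACL = """
ip access-list extended Local_Access_Only
 permit ip any 10.20.0.0 0.0.255.255
 permit ip 10.20.0.0 0.0.255.255 any
 deny ip any any
"""

FIXED_ACL = """
ip access-list extended Local_Access_Only
 permit ip any 10.20.0.0 0.0.255.255
 permit udp any host 10.20.1.5 eq 53
 deny ip any any
"""

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(name, check_filter_id_acl(acl) or "OK")
    print("Filter-Id =", filter_id_value("Local_Access_Only"))
    for ace in install_for_client(FIXED_ACL, "10.20.3.7"):
        print(" ", ace)
```

Run the checker against the ACL text you intend to paste onto every switch before creating the ISE authorization profile; the same check is what "debug epm all" would eventually tell you, but offline and before the first device fails to authorize.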