Step 1: Create a Downloadable ACL (DACL) in Cisco ISE


1. Navigate to:
   Policy > Results > Authorization

2. Select Downloadable ACLs and create a new ACL.

3. Give the ACL a meaningful name.

4. The number shown against each entry in the DACL indicates its priority (lower number = higher priority). The entries are processed from top to bottom in that order.

5. Check the ACL syntax by clicking the "Check DACL Syntax" button to validate your configuration before saving.

6. Save the ACL once syntax verification passes.



Step 2: Apply the ACL in an Authorization Profile


1. Navigate to:
   Policy > Results > Authorization

2. Open the relevant Authorization Profile in Cisco ISE, or create a new profile.

3. In the profile settings, locate the Common Tasks section.

4. Under DACL Name, select the ACL you created.


Step 3: Use the Authorization Profile in a Policy Rule


1. Navigate to:
   Policy > Policy Sets > View Policy > Authorization Policy

2. Select the Authorization Profile as the result of the relevant Authorization Policy rule.


Step 4: Switch Configuration to Support DACLs

  • DACLs filter on IP addresses, but an access switch learns endpoints mainly at Layer 2 (by MAC address), so the switch must also be able to track which IP address is present on each interface.

  • To enable the switch to recognize the IP addresses connected on each port, enable IP Device Tracking:

Command:

ip device tracking

This enables the switch to monitor the IP addresses learned on access ports, which is required for enforcing DACLs on the switch.
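As an added example (not part of the original page), the switch side of Steps 1 and 4: the AAA, RADIUS and port settings an access port needs before it can accept a DACL from ISE. The ISE address, interface, VLAN, shared-secret placeholder and ACE contents are assumptions.

```cisco
! Added example, not from the original page: a minimal IOS switch
! configuration that lets an access port accept a DACL pushed by ISE.
! Assumed values: ISE node 192.0.2.10, port GigabitEthernet1/0/1, VLAN 10.
!
! The DACL body entered in ISE (Step 1) is plain extended-ACL ACEs, e.g.:
!   permit udp any eq bootpc any eq bootps
!   permit udp any any eq domain
!   permit tcp any host 192.0.2.20 eq 443
!   deny ip any any
! The switch substitutes the endpoint's tracked IP for the source "any",
! which is why IP device tracking is required.
!
! --- Global AAA / RADIUS ---
aaa new-model
aaa authentication dot1x default group radius
! "aaa authorization network" lets the switch accept the per-session
! authorization (including the DACL) carried in Access-Accept.
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! DACLs are delivered as Cisco vendor-specific attributes.
radius-server vsa send authentication
!
dot1x system-auth-control
! Step 4. On newer IOS-XE releases the legacy command below is superseded
! by the SISF "device-tracking" policy; this example follows the page.
ip device tracking
!
! --- Access port ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode multi-auth
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! --- Verification after an endpoint authenticates ---
! show authentication sessions interface GigabitEthernet1/0/1 details
!   (the "ACS ACL" line names the downloaded DACL, xACSACLx-IP-<name>-<hash>)
! show ip access-lists
!   (the downloaded ACL appears with the ACEs defined in ISE)
```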


----------------------------------------------------------------------------------------------

What happens behind the scenes once everything is set up:

  • The endpoint connects to the switch port.
  • 802.1X or MAB authentication is triggered.
  • The switch sends an authentication request to Cisco ISE.
  • ISE evaluates the endpoint against the Authorization Policy.
  • If a rule matches:
      • ISE sends back a RADIUS Access-Accept response.
      • This response includes the DACL name and content.
      • The switch downloads the ACL from ISE in real time and applies it to the interface (port or session) where the endpoint is connected.
  • The endpoint now has network access allowed or restricted according to the DACL.