Clearpass deploys dACL to Cisco switches

  • 1.  Clearpass deploys dACL to Cisco switches

    Posted May 06, 2022 10:35 PM
    Hi Guys,
     
    There is a question that needs your help. Now I've deployed dACL to Cisco switches via Clearpass, such as permit ip any host 10.10.70.11, and enabled IP device tracking in Cisco switches. However, the ACL applied by the switch to the interface does not replace "any" with the IP address obtained by the host under the interface. I'm confused about that. I've deployed ISE before, and the switch replaces the "any" in the ACL obtained from ISE with the specific address. So, is this a compatibility issue with Clearpass and Cisco or is there a misconfiguration?



    ------------------------------
    Hevin Huo
    ------------------------------


  • 2.  RE: Clearpass deploys dACL to Cisco switches

    EMPLOYEE
    Posted May 10, 2022 07:31 AM
    If you apply the ACL to a specific client (MAC), there is no real difference unless the client changes its IP address. I'm not aware of such replacement of any by the IP address, and if you still have your ISE available you could do a packet capture on the RADIUS traffic and compare what ClearPass sends differently if you want to change this behavior.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------