If you apply the ACL to a specific client (MAC), there is no real difference unless the client changes its IP address. I'm not aware of such a replacement of "any" by the IP address, and if you still have your ISE available, you could do a packet capture on the RADIUS traffic and compare what ClearPass sends differently if you want to change this behavior.
------------------------------
Herman Robers
------------------------------
Original Message:
Sent: May 06, 2022 10:35 PM
From: Hevin Huo
Subject: Clearpass deploys dACL to Cisco switches
Hi Guys,
There is a question that needs your help. I've now deployed a dACL to Cisco switches via ClearPass, such as permit ip any host 10.10.70.11, and enabled IP device tracking on the Cisco switches. However, the ACL applied by the switch to the interface does not replace "any" with the IP address obtained by the host under the interface. I'm confused about that. I've deployed ISE before, and the switch replaces the "any" in the ACL obtained from ISE with the specific address. So, is this a compatibility issue between ClearPass and Cisco, or is there a misconfiguration?
------------------------------
Hevin Huo
------------------------------