Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

dACL with object group

  • 1.  dACL with object group

    Posted Apr 12, 2020 07:28 AM

    Hi,
    Is there any way to use an object-group in the dACL?


    When I try to create a dACL with an object-group, it is applied to the interface as permit ip any any.

    This is the dACL on ClearPass:

    permit ip any object-group CCTV-Local-System

    And this is what is applied on the Cisco switch:

    permit ip any any

    Any solution?



  • 2.  RE: dACL with object group

    EMPLOYEE
    Posted Apr 12, 2020 12:32 PM

    Hi,

    Is the configuration working without the object-group option?

    The experience I had with dACLs on Cisco is that if the ACL is misconfigured on ClearPass, it will not be applied to the port.

    During the tests I used a default ACL applied to all access ports and created dACLs on ClearPass based on the access permission given to the user's session.


    !
    ip access-list extended default_acl
     permit ip any any
    !
    interface range f0/1-24
     switchport mode access
     ip access-group default_acl in
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout server-timeout 30
     dot1x timeout tx-period 10
     dot1x max-req 3
     dot1x max-reauth-req 10

    Please see the attached file as an example of the ACL created on ClearPass.



  • 3.  RE: dACL with object group

    Posted Apr 12, 2020 01:14 PM

    Hi,
    Thanks for your reply.
    I already configured more than one row in the dACL and all of them work correctly except the one that has an object-group.

    Let me explain:

    If I configure a dACL on ClearPass like the one below:

    permit ip any host 1.1.1.1
    permit ip any host 2.2.2.2
    permit icmp any host 3.3.3.3
    permit ip any object-group CCTV-Local-System
    deny ip any any log

    What will be applied on the Cisco switch is this:

    permit ip any host 1.1.1.1
    permit ip any host 2.2.2.2
    permit icmp any host 3.3.3.3
    permit ip any any
    deny ip any any log

    It must install permit ip any object-group CCTV-Local-System instead of permit ip any any.


    Thanks



  • 4.  RE: dACL with object group

    EMPLOYEE
    Posted Apr 13, 2020 06:58 AM

    I understand the problem now. So the switch is replacing the object-group with an "any".

    That could be related to the configuration of the object-group. There are some options to use it, but the configuration for the object-group may be different depending on how you are going to use it in your ACL statement. For example, you can replace the source, destination or protocol/ports in your ACL statement with a previously configured object-group, but for each option you may apply a different configuration to create the object-group.


    Can you post here the configuration of your object-group?



  • 5.  RE: dACL with object group

    Posted Apr 13, 2020 08:12 AM

    Hi

    This is the object-group that we have configured on the switch:

    object-group network CCTV-Local-System
    10.30.30.0 255.255.255.240
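As an added example (not from the thread, ClearPass or any Cisco tool) of a defender-side workaround and check, assuming the object-group is a network object-group whose members are written as subnet-mask lines or `host` lines as shown above: it expands the object-group reference in the dACL into explicit wildcard-mask ACEs that a dACL can carry, and it lists any ACE the switch installed that was not in the dACL ClearPass sent, so a silently widened `permit ip any any` does not go unnoticed.

```python
import ipaddress

def parse_object_groups(config: str) -> dict:
    """Map each 'object-group network NAME' block to its members ('A.B.C.D MASK' or 'host A.B.C.D')."""
    groups, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":   # '!' ends a block in IOS running-config
            current = None
        elif tokens[:2] == ["object-group", "network"]:
            current = tokens[2]
            groups[current] = []
        elif current and tokens[0] == "host":
            groups[current].append(ipaddress.ip_network(tokens[1]))
        elif current:   # subnet-mask form, as in the thread; ipaddress accepts '10.30.30.0/255.255.255.240'
            groups[current].append(ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"))
    return groups

def expand_dacl(dacl: str, groups: dict) -> list:
    """Rewrite each ACE that names an object-group into one explicit ACE per member (wildcard-mask form)."""
    expanded = []
    for line in dacl.splitlines():
        tokens = line.split()
        if "object-group" not in tokens:
            if tokens:
                expanded.append(" ".join(tokens))
            continue
        i = tokens.index("object-group")
        if tokens[i + 1] not in groups:
            raise ValueError(f"object-group {tokens[i + 1]} is not defined")
        for net in groups[tokens[i + 1]]:
            target = (["host", str(net.network_address)] if net.prefixlen == 32
                      else [str(net.network_address), str(net.hostmask)])
            expanded.append(" ".join(tokens[:i] + target + tokens[i + 2:]))
    return expanded

def widened_aces(intended: list, installed: list) -> list:
    """ACEs on the switch that are not in the dACL sent; 'permit ip any any' here means an entry was silently opened up."""
    wanted = {" ".join(l.split()) for l in intended}
    return [l for l in installed if " ".join(l.split()) not in wanted]

# Constructed sample input: the thread's object-group, the dACL ClearPass sends, and what the switch installed.
OBJECT_GROUPS = "object-group network CCTV-Local-System\n 10.30.30.0 255.255.255.240\n!\n"
DACL = """permit ip any host 1.1.1.1
permit ip any host 2.2.2.2
permit icmp any host 3.3.3.3
permit ip any object-group CCTV-Local-System
deny ip any any log"""
INSTALLED = ["permit ip any host 1.1.1.1", "permit ip any host 2.2.2.2",
             "permit icmp any host 3.3.3.3", "permit ip any any", "deny ip any any log"]
```

Running `expand_dacl(DACL, parse_object_groups(OBJECT_GROUPS))` yields `permit ip any 10.30.30.0 0.0.0.15` in place of the object-group line, and `widened_aces(DACL.splitlines(), INSTALLED)` returns just `["permit ip any any"]`.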