Meraki MS with ISE and DACLs

SOLVED
Mosquitar
Here to help


Hi All,

I am aware that it is possible to configure ISE to override the MS port VLAN following successful device authentication (such as placing computers in the corporate data VLAN if they pass certificate based authentication), however is it also possible to apply an ACL to the session to enforce L3 communication from the computer (similar to how dynamic ACLs/DACLs work with Cisco Catalyst switches)?

Thanks

1 ACCEPTED SOLUTION
GreenMan
Meraki Employee

You can't pass ACLs to the switch directly, as with dACLs, but you can effectively activate ACLs that have been previously configured there in the Dashboard, most powerfully, using Group Policy like this (which allows you to also apply things like rate shaping in a full-stack deployment): https://documentation.meraki.com/MS/Access_Control/Meraki_MS_Group_Policy_Access_Control_Lists#:~:te....

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

2 REPLIES
GIdenJoe
Kind of a big deal

On MS2xx and higher you can use group policy ACL, which listens to the Filter-Id AV pair in the RADIUS response.

However, on MS switches you have some severe limitations in how many ACEs you can use per session and in total. Especially ACEs that contain ports really take down the total you can use.
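
To make the mechanism described in this thread concrete, here is an added example (not code from either poster, Meraki or Cisco ISE): it encodes the RADIUS attributes an Access-Accept would carry for a VLAN override (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, RFC 3580) plus a Filter-Id naming a group policy, then parses them the way a switch would. The attribute numbers are the standard IANA values; the policy names and the matching rule (a Filter-Id is only honoured when it names a policy that already exists in the Dashboard, otherwise it is reported as unmatched) are constructed to illustrate the point that the ACL itself is never carried in the RADIUS reply, only a reference to one configured in advance.

```python
import struct

# Standard RADIUS attribute type codes (RFC 2865, RFC 2868) and enum values.
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type (1 byte), Length (1 byte, includes header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag: int, value: int) -> bytes:
    # Tunnel-* integer attributes: 1-byte tag followed by a 3-byte big-endian integer (RFC 2868).
    return bytes([tag]) + value.to_bytes(3, "big")


def build_access_accept_attrs(vlan_id: int, group_policy: str, tag: int = 1) -> bytes:
    """Attribute payload of an Access-Accept: VLAN override plus a Filter-Id group policy name."""
    return (
        avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
        + avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
        + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
        + avp(FILTER_ID, group_policy.encode("utf-8"))
    )


def parse_attrs(data: bytes) -> list:
    """Walk the TLV list, rejecting truncated or self-inconsistent lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length out of range")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def strip_tag(value: bytes) -> bytes:
    # A leading byte <= 0x1F is a tunnel tag; anything larger is already data (RFC 2868 section 3).
    return value[1:] if value and value[0] <= 0x1F else value


def authorization_from_accept(data: bytes, dashboard_policies: set) -> dict:
    """What a switch could derive: a VLAN to assign and a pre-existing group policy to activate.

    dashboard_policies is a constructed stand-in for the policies configured in the Dashboard.
    """
    result = {"vlan": None, "group_policy": None, "unmatched_filter_id": None}
    tunnel_type = medium = group_id = None
    for attr_type, value in parse_attrs(data):
        if attr_type == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(strip_tag(value), "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(strip_tag(value), "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            group_id = strip_tag(value).decode("ascii", errors="replace")
        elif attr_type == FILTER_ID:
            name = value.decode("utf-8", errors="replace")
            if name in dashboard_policies:
                result["group_policy"] = name
            else:
                # The reply cannot carry ACL contents; an unknown name activates nothing.
                result["unmatched_filter_id"] = name
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802 and group_id:
        if group_id.isdigit() and 1 <= int(group_id) <= 4094:
            result["vlan"] = int(group_id)
    return result


if __name__ == "__main__":
    known = {"Corp-Data", "Guest"}          # constructed policy names
    print(authorization_from_accept(build_access_accept_attrs(20, "Corp-Data"), known))
    print(authorization_from_accept(build_access_accept_attrs(20, "Finance"), known))
```

The second call shows the failure mode worth monitoring: the VLAN override still takes effect, but the Filter-Id names a policy the switch has never seen, so no ACL is applied to that session. Alerting on unmatched policy names in the RADIUS reply is a cheap way to catch a typo in ISE before it silently leaves an endpoint unfiltered.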
