IEOC CCIE Forums
Latest post 12-20-2016 5:36 AM by mostager. 5 replies.
  • 11-30-2016 1:55 PM

    How DACL is applied in CWA?

    Guys,

    I have a question: when using a DACL with CWA phase 1 authorization, how is the DACL applied to the interface when the client still doesn't have an IP address assigned by DHCP? Because actually the DHCP traffic is allowed on the DACL, it is kind of confusing me. Can someone explain this?

    • Post Points: 20
  • 12-04-2016 3:54 AM In reply to

    Re: How DACL is applied in CWA?

    There should be a redirect ACL which allows DHCP. That's the reason PCs can get IPs. That redirect ACL resides on the switch and is not a DACL.

    • Post Points: 20
  • 12-04-2016 4:14 AM In reply to

    Re: How DACL is applied in CWA?

    But the reason we apply the redirect ACL is only to match on traffic to be redirected to the ISE portal; however, the DACL is used for actual filtering on the interface, and both are applied during phase 1, so what is the exact order of operation?

    • Post Points: 20
  • 12-04-2016 10:16 PM In reply to

    Re: How DACL is applied in CWA?

    The switch ACL is the first ACL which is applied, and a deny statement means it will not redirect traffic to ISE but let the traffic pass through. That's the reason DNS and boot are mostly the first two lines in that list, which allows end hosts to get IP and name resolution.

    While DACLs are applied after "COA". A DACL always represents a transition point at a specific time. Once the DACL is downloaded it will take precedence.

    HTH

    • Post Points: 20
  • 12-05-2016 11:51 PM In reply to

    Re: How DACL is applied in CWA?

    In my question I mean when the DACL is applied during phase 1, i.e. before COA.

    • Post Points: 5
  • 12-20-2016 5:36 AM In reply to

    Re: How DACL is applied in CWA?

    After some searching I finally got the answer: there is a default pre-authentication ACL already applied on ports configured for MAB/Dot1x authentication that allows DHCP traffic. This way the client will be able to obtain an IP address before authentication.

     

    Thanks, phoenix, for your help :)

    Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-802x-acl-assign.html#GUID-21AEE877-2331-408C-9BBC-47A97AB6A672

     

    • Post Points: 5
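
The three ACLs discussed in this thread, laid out as a switch-side configuration sketch. This is an added example, not part of any post above; the ACL names, the interface and the 192.0.2.10 ISE address are assumed placeholders, and the pre-authentication ACL is configured explicitly here rather than relying on a default.

```cisco
! 1) Pre-authentication port ACL (hypothetical name ACL-DEFAULT).
!    Static, applied to the port itself, so it filters before any RADIUS
!    result exists. Permitting DHCP here is what lets the client get a lease.
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
! 2) Redirect ACL (hypothetical name ACL-WEBAUTH-REDIRECT).
!    Defined locally on the switch and only referenced by name from ISE.
!    It does not filter: "permit" = redirect to the portal,
!    "deny" = do not redirect, forward normally.
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 ! 192.0.2.10 is a constructed placeholder for the ISE node hosting the portal
 deny   ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
! 3) DACL: not configured on the switch. ISE sends it in the authorization
!    result for the session, and it then filters that session's traffic.
!    Traffic that the filtering ACL drops is never seen by the redirect ACL,
!    so a phase 1 DACL must also permit DHCP, DNS and access to the portal.
!
interface GigabitEthernet1/0/1
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
```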