How DACL is applied in CWA?

Guys ,

I have a question when using DACL with CWA phase 1 authorization how the DACL is appled to the interface however the client still doesn't have IP address assigned by DHCP because actually the DHCP traffic is allowed on the DACL it is kind of confusing me. can some one explain this? 


  • There should be a redirect ACL which allows DHCP. Thats reason PCs can get IPs. That redirect ACL resides on Switch and not a DACL.

  • But the reason we apply Redirect ACL is only to match on traffic to be redirected to the ISE portal , however the DACl is used for actual filteration on the interface and both are applied during phase 1 so what is the exact order of operation?

  • Switch ACL is first ACL which is applied and deny statement means it will not redirect traffic to ISE but let the traffic pass through, thats reason mostly DNS and boot are first two lines in that list, which allows end hosts to get IP and name resolutions.

    While DACL are applied after "COA". DACL alwasy represents a transition point at a specific time. Once DACL is downloaded it will take presedence.


  • in My Question I mean When DACL is applied during Phase 1 i.e before COA.

  • After some search I finally get the answer, there is a default pre-authentication ACL already applied on ports configured for MAB/Dot1x authentication that allow DHCP traffic this way the client will be able to obtain IP address before authentication , 


    thanks phoenix for your help [:)]



Sign In or Register to comment.