The objective of this article is to demonstrate how Downloadable Access Control Lists (DACLs) work on Cisco Catalyst 1300 switches with Cisco Identity Services Engine (ISE).
Dynamic ACLs are ACLs assigned to a switch port based on a policy or on criteria such as user account group membership, time of day, and more. They can be local ACLs referenced by filter-ID, or downloadable ACLs (DACLs).
Downloadable ACLs are dynamic ACLs that are created on and downloaded from the Cisco ISE server. They dynamically apply access control rules based on user identity and device type. DACLs have the benefit of giving you one central repository for ACLs, so you don't need to create them manually on each switch. When a user connects to a switch, they only need to authenticate, and the switch downloads the applicable ACLs from the Cisco ISE server.
In this article, the first use case will be discussed in detail.
Log in to the Catalyst 1300 switch and navigate to the Security > RADIUS Client menu.
For RADIUS Accounting, select the Port Based Access Control option.
Under RADIUS Table, click on the plus icon to add the Cisco ISE Server.
Enter the Cisco ISE Server details and click Apply.
The Usage Type must be selected as 802.1x.
Navigate to Security > 802.1X Authentication > Properties menu.
Click the check box to enable Port-Based Authentication.
Under Authentication Method, select RADIUS and click Apply.
Go to Security > 802.1X Authentication > Port Authentication menu. Select the port to which your laptop is connected and click on the edit icon. In this example, GE8 is selected.
Set Administrative Port Control to Auto and enable 802.1x Based Authentication. Click Apply.
ISE configuration is beyond the scope of Cisco Business support. Refer to the ISE Admin guide for more information.
The configuration shown in this article is an example of downloadable ACLs working with a Cisco Catalyst 1300 series switch.
Log in to your Cisco ISE server, navigate to Administration > Network Resources > Network Devices, and add the Catalyst switch as a network device.
To create User Identity Groups, navigate to the Groups tab and add the User Identity Groups.
Go to the Administration > Identity Management > Identities menu to define the users and to map the users to the groups.
Navigate to Policy > Policy Elements > Results menu. Under Authorization, click on Downloadable ACLs.
Click on the Add icon to create the downloadable ACL.
Configure the Name, Description, select the IP version, and enter the access control entries (ACEs) that will make up the downloadable ACL in the DACL Content field. Click Save.
Only IP ACLs are supported, and the source must be ANY. For ACLs on ISE, only IPv4 is supported at present. If an ACL is entered with any other source, ISE may accept the syntax, but the ACL will fail when applied to the switch.
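To catch that failure mode before an authorization profile is pushed, the following is an added example (not from the article or from Cisco) that lints DACL content against the two stated constraints, IPv4 only and source ANY. It assumes the DACL Content field takes IOS-style extended ACE lines; the sample content is constructed.

```python
import ipaddress
import re

# Constructed DACL content as it would be typed into the ISE "DACL Content" field.
# Lines 1-3 satisfy the switch's constraints; lines 4-6 are accepted by ISE's
# syntax check but would fail when the switch tries to apply them.
SAMPLE_DACL = """\
permit tcp any host 10.10.20.5 eq 443
permit udp any 10.10.30.0 0.0.0.255 eq 53
deny ip any any
permit ip host 10.10.20.7 any
permit ipv6 any host 2001:db8::10
permit tcp 10.10.0.0 0.0.255.255 any eq 22
"""

_ACE = re.compile(r"^(permit|deny)\s+(\S+)\s+(.*)$", re.IGNORECASE)


def _take_endpoint(tokens):
    """Consume one address specifier ('any', 'host A.B.C.D', or 'A.B.C.D wildcard')
    and return (kind, remaining_tokens). Raises ValueError/IndexError if malformed."""
    if tokens[0].lower() == "any":
        return "any", tokens[1:]
    if tokens[0].lower() == "host":
        ipaddress.IPv4Address(tokens[1])      # rejects non-IPv4 literals
        return "host", tokens[2:]
    ipaddress.IPv4Address(tokens[0])
    ipaddress.IPv4Address(tokens[1])          # wildcard mask is dotted-quad too
    return "wildcard", tokens[2:]


def check_ace(line):
    """Return None if the ACE meets the switch's constraints, else a reason string."""
    m = _ACE.match(line.strip())
    if not m:
        return "not a permit/deny ACE"
    if m.group(2).lower() == "ipv6" or ":" in line:
        return "IPv6 is not supported; DACL must be IPv4"
    try:
        src_kind, rest = _take_endpoint(m.group(3).split())
        _take_endpoint(rest)                  # destination must parse as well
    except (ValueError, IndexError) as exc:
        return f"malformed address: {exc}"
    return None if src_kind == "any" else "source must be any"


def check_dacl(text):
    """Return [(line_number, ace, reason)] for every ACE the switch would reject."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("!"):
            reason = check_ace(line)
            if reason:
                problems.append((n, line, reason))
    return problems
```

Running check_dacl over the DACL text before saving it in ISE surfaces the lines that would otherwise only fail at authorization time on the switch.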
Create authorization profiles that will be used to logically associate your DACL and other policies together inside the ISE policy sets.
To do this, navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles and click on Add.
In the Authorization Profile page, configure the following:
Click Save.
To configure policy sets that are logical groupings of authentication and authorization policies, click on Policy > Policy Sets menu.
You can view the following when looking at a list of policy sets:
To create a policy set, click on the add button.
Define a Policy Set Name.
Under Conditions, click the add button. This opens the Conditions Studio where you can define where this authentication profile will be used. In this example, it has been applied to the Radius-NAS-IP-Address (the switch) which is 172.19.1.250 and wired_802.1x traffic.
Configure the Allowed Protocols to the Default Network Access and click Save.
Under View, click on the arrow icon to configure authentication and authorization policies based on your network setup and requirements, or keep the default settings. In this example, click on Authorization Policy.
Click on the plus icon to add a policy.
Enter the Rule Name.
Under Conditions, click on the plus icon and select the identity group. Click Use.
Apply the required Profile and click Save.
On the client laptop, navigate to Network Connections > Ethernet and click on Properties.
Click on the Authentication tab and make sure 802.1X authentication is enabled.
Under Additional Settings, select User authentication as authentication mode. Click Save Credentials and then OK.
Click on Settings and make sure the box next to Verify the server’s identity by validating the certificate is unchecked. Click OK.
Under Services, enable Wired AutoConfig settings.
Once the user is authenticated, you can verify the downloadable ACL.
Log in to the Catalyst 1300 switch and navigate to the Access Control > IPv4-Based ACL menu.
The IPv4-Based ACL Table will display the downloaded ACL.
Downloadable ACLs cannot be edited.
Another way to verify is to navigate to IPv4-Based ACE, select the downloadable ACL from the ACL Name drop-down menu, and click Go. The rules that were configured in ISE will be displayed.
Navigate to the Security > 802.1X Authentication > Authenticated Hosts menu. Here you can verify which users are authenticated. Click on Authenticated Sessions to see more details.
From the CLI, run the command show ip access-lists interface followed by the interface ID.
In this example, the ACLs and ACEs applied to Gigabit Ethernet 3 can be seen.
You can also see settings relating to the ISE connection and ACL downloads using the command show dot1x sessions interface <ID> detailed. It shows the session status, the 802.1x authentication state, and the ACLs that were downloaded.
There you go! Now you know how downloadable ACLs work on Cisco Catalyst 1300 switches with Cisco ISE.
For more information, check out the Catalyst 1300 Admin Guide and the Cisco Catalyst 1300 Series Support Page.
Revision | Publish Date | Comments
---|---|---
1.0 | 18-Jun-2025 | Initial Release