dACL Enforcement
Downloadable ACL Enforcement
Purpose
Downloadable ACLs (dACLs) enforce zero-trust network access by pushing access control lists from ISE directly to the authenticating network device (switch or wireless controller). Unlike static ACLs configured on each device, dACLs are centrally managed in ISE and applied dynamically based on authorization policy — ensuring consistent enforcement across the entire network.
Zero-Trust Reference: Linux Research Workstation dACL
The Linux research workstation dACL serves as the zero-trust reference implementation. It blocks all RFC1918 private address space and permits only essential services:
ip:inacl#1=permit udp any any eq 53
ip:inacl#2=permit udp any any eq 67
ip:inacl#3=permit udp any any eq 68
ip:inacl#4=permit udp any any eq 123
ip:inacl#5=permit tcp any host {ise-01-ip} eq 8443
ip:inacl#6=permit tcp any host {ise-01-ip} eq 8905
ip:inacl#7=deny ip any 10.0.0.0 0.255.255.255
ip:inacl#8=deny ip any 172.16.0.0 0.15.255.255
ip:inacl#9=deny ip any 192.168.0.0 0.0.255.255
ip:inacl#10=permit tcp any any eq 80
ip:inacl#11=permit tcp any any eq 443
ip:inacl#12=permit tcp any any eq 22
ip:inacl#13=deny ip any any logKey design principles:
-
DNS ({port-dns}) — Required for name resolution
-
DHCP ({port-dhcp-server}/{port-dhcp-client}) — Required for IP assignment
-
NTP ({port-ntp}) — Required for certificate validation and Kerberos
-
ISE Posture (8443/8905) — Required for compliance assessment
-
RFC1918 deny — Block ALL internal lateral movement
-
Internet permit — Allow HTTP/HTTPS/SSH to external resources
-
Final deny with log — Catch-all with visibility
ACL Ordering Rule
Specific permits MUST precede broad denies. ISE dACLs are evaluated top-down; first match wins.
|
If the RFC1918 deny rules appear before the ISE posture permits (and ISE is on an RFC1918 address), the endpoint cannot reach ISE for posture assessment. The dACL locks the endpoint out of compliance — a self-defeating loop. |
Correct order:
-
Specific service permits (DNS, DHCP, NTP, ISE)
-
Broad denies (RFC1918 blocks)
-
General permits (Internet access)
-
Final deny-all with logging
Lab Validation
The V5 dACL has been tested and validated in the home lab environment:
| Test | Description | Result |
|---|---|---|
Posture flow |
Endpoint completes posture assessment through dACL |
✅ Pass |
RFC1918 block |
Lateral movement to internal subnets denied |
✅ Pass |
Internet access |
HTTP/HTTPS/SSH to external hosts permitted |
✅ Pass |
DNS resolution |
Name resolution functional through dACL |
✅ Pass |
NTP sync |
Time synchronization maintained for cert validation |
✅ Pass |
Logging |
Denied traffic logged on final deny rule |
✅ Pass |
Production Deployment Plan
Rollout follows a per-policy-set approach to limit blast radius:
| Phase | Scope | Policy Set | Status |
|---|---|---|---|
1 |
Linux workstations (wired) |
{policy-set-wired} |
🟡 Lab validated |
2 |
Windows workstations (wired) |
{policy-set-wired} |
❌ Pending |
3 |
Wireless endpoints |
Wireless_802.1X |
❌ Pending |
4 |
IoT / BMS devices |
IoT_MAB |
❌ Pending |
netapi CLI for dACL Management
# List all dACLs configured in ISE
netapi ise dacl list --format table
# Show specific dACL details
netapi ise dacl show --name "DACL-Zero-Trust-Linux" --format table
# Export dACL for review
netapi ise dacl show --name "DACL-Zero-Trust-Linux" --format json > dacl-review.jsonRelated: Aireos AirSpace ACL Migration
Legacy Cisco Aireos wireless controllers use AirSpace ACLs (static, locally configured). These must be migrated to ISE-managed dACLs for centralized enforcement. The migration path:
-
Document existing AirSpace ACLs on each WLC
-
Create equivalent dACL in ISE
-
Update wireless authorization profiles to reference dACL
-
Test per-SSID
-
Remove legacy AirSpace ACLs after validation