Phase 2: Low-Impact Mode

In Low-Impact Mode, we add security on top of the framework built in Monitor Mode by applying an access control list (ACL) to the switchport that allows only very limited network access prior to authentication. After a user or device has successfully authenticated, it is granted additional network access.

For example, Low-Impact Mode may be used to give any host attaching to the network the ability to use Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and perhaps get to the Internet, all while blocking access to internal resources. When a device connected to that same switchport passes authentication, a downloadable ACL (dACL) is applied that will permit all traffic (see image below).

Wireless access in Low-Impact mode follows a very similar flow. A user or device authenticating to wireless with valid credentials will be authorized for full network access. This gets tightened down with additional security and specific access based on the user or device's role.

Depending on the requirements, the administrator can increase the security level by adding more granular security and differentiated access to the network. Within Low-Impact Mode, we replace the dACL or wireless ACL (wACL) that permits all traffic with a more specific dACL or wACL that is assigned based on the user's group membership or other attributes of the user's context. The following diagram depicts granular access control based on authorization (see image below).
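The following Cisco IOS configuration is an added illustration of the wired Low-Impact Mode described in this section and of the granular-authorization step above; it is not configuration taken from the original guide. The interface name, ACL names and the internal address ranges (10.0.0.0/8 and 172.16.0.0/12) are assumptions chosen for the example, and the dACL bodies are shown as they would be defined on the RADIUS/AAA server and pushed to the switch after a successful authentication.

```cisco
! --- Switch side: pre-authentication ACL applied to the port ---
! Before any host authenticates, only DHCP, DNS and ICMP are allowed,
! internal networks are blocked, and everything else (i.e. Internet) is permitted.
! (Addresses below are constructed examples, not the guide's values.)
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps        ! DHCP client -> server
 permit udp any any eq domain                  ! DNS
 permit icmp any any                           ! basic reachability tests
 deny   ip any 10.0.0.0 0.255.255.255          ! assumed internal range
 deny   ip any 172.16.0.0 0.15.255.255         ! assumed internal range
 permit ip any any                             ! Internet / everything else
!
! dACLs replace the "any" source with the authenticated host's IP, which
! requires the switch to track the host's address.
ip device tracking
!
! Required so the switch accepts vendor-specific attributes such as dACLs.
radius-server vsa send authentication
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in                   ! limited access pre-authentication
 authentication host-mode multi-auth
 authentication open                           ! keep the port open (Low-Impact), ACL does the limiting
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! --- AAA server side: dACLs returned after a successful authentication ---
! Initial Low-Impact Mode: the pushed dACL simply permits all traffic, so it
! overrides PRE-AUTH for that host only.
! dACL "PERMIT-ALL"
!  permit ip any any
!
! Granular authorization step: a group-specific dACL instead of permit-all.
! Example for an assumed "contractor" group: internal web servers and DNS only.
! dACL "CONTRACTOR-ACCESS"
!  permit udp any any eq domain
!  permit tcp any 10.1.20.0 0.0.0.255 eq 443    ! assumed internal web farm
!  deny   ip any 10.0.0.0 0.255.255.255
!  deny   ip any 172.16.0.0 0.15.255.255
!  permit ip any any
```

To confirm which ACL is in effect for a given session, `show authentication sessions interface GigabitEthernet1/0/1 details` lists the dACL name applied after authorization, while `show ip access-lists` shows the per-host entries the switch derived from it. Note that `authentication open` is what distinguishes Low-Impact Mode from a closed 802.1X port: the port forwards traffic immediately, and the pre-auth ACL, not the authentication state, is what restricts it.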