topic dACL dont apply in Network Access Control

dACL dont apply

Alexey Leontiev — Mon, 11 Mar 2019 03:38:25 GMT

For some user create dACL

only_default_router

permit icmp any host 192.168.100.1

permit tcp any host 192.168.100.1

deny ip any any

After user log in windows i found logs on switch

001867: *Mar 16 22:03:58.196: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c

001868: *Mar 16 22:03:58.204: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit icmp any host 192.168.100.1

001869: *Mar 16 22:03:58.221: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c

001870: *Mar 16 22:03:58.229: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit tcp any host 192.168.100.1

001871: *Mar 16 22:03:58.254: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c

001872: *Mar 16 22:03:58.254: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:deny ip any any

001873: *Mar 16 22:03:58.405: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000c.29d6.02a6) on Interface Gi1/0/2 AuditSessionID C0A8641E00000034511FC4B0

001874: *Mar 16 22:03:58.422: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up

001875: *Mar 16 22:03:59.429: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up

But on interface apply Auth-Default-ACL and what is why all traffic block.

And on interface I found

ISE-SWITCH#show ip interface gigabitEthernet 1/0/2

GigabitEthernet1/0/2 is up, line protocol is up

Inbound access list is Auth-Default-ACL

Why my dACL not apply?

Re:dACL dont apply

Tarik Admani — Sat, 13 Jul 2013 05:47:33 GMT

Take a loom at the show authentication session interface gig xxx, that will show you the acl applied after the authentication.

Sent from Cisco Technical Support Android App

Re:dACL dont apply

mmangat — Mon, 15 Jul 2013 05:20:18 GMT

Hello,

can you post the output of the following commands after authorization:

show authentication session interface

sh ip access-lists interface

show running-config interface

show access-list

sh ip access-lists

Re:dACL dont apply

Ravi Singh — Tue, 06 Aug 2013 03:12:55 GMT

Hello Alexey,

check if the IOS version and hardware platform (switch) you're using is mentioned in TrustSec document (page 6):

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf

I had the same problem and it turned out that I had to upgrade the switch, because the IOS version I used wasn't fully supported. The minimum IOS version to use with ISE should be 12.2(55), but generally it's better to use 15.x.

Also, check if you have configured everything that is recommended for switch devices in TrustSec (page 59), including "ip device tracking".

There's also a very nice document for troubleshooting:

"Cisco TrustSec How-To Guide: Failed Authentications and Authorizations"

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf