https://community.cisco.com/t5/network-access-control/ise-dacl-to-switch/m-p/2269098#M120706 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>check if the IOS version and hardware platform (switch) you're using&nbsp; is mentioned in TrustSec document (page 6):</P><P><A href="http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf" target="_blank">http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf</A></P><P>The minimum IOS version to use with ISE should be 12.2(55),&nbsp; but generally it's better to use 15.x.</P><P></P><P>Also, check if you have&nbsp; configured everything that is recommended for switch devices in TrustSec&nbsp; (page 59), including "ip device tracking".</P><P></P><P>There's also a very nice&nbsp; document for troubleshooting:</P><P>"Cisco&nbsp; TrustSec How-To Guide: Failed&nbsp; Authentications and Authorizations"</P><P><A href="http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf" target="_blank">http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf</A></P><P></P><P>If it&nbsp; doesn't work, can you post the output of&nbsp; the following commands after authorization:</P><P>show&nbsp; authentication session interface <INTERFACE_NAME></INTERFACE_NAME></P><P>sh ip&nbsp; access-lists interface <INTERFACE_NAME></INTERFACE_NAME></P><P>show running-config&nbsp; interface <INT_NAME></INT_NAME></P><P>show access-list <INT_NAME></INT_NAME></P><P>sh&nbsp; ip access-lists</P></BODY></HTML> Wed, 03 Jul 2013 06:25:53 GMT mmangat 2013-07-03T06:25:53Z https://community.cisco.com/t5/network-access-control/ise-dacl-to-switch/m-p/2269096#M120565 <P>Hi,</P><P></P><P>I am trying to figure out the syntax for dACL to a switch running <SPAN style="font-size: 10pt;">12.2(55)SE7.</SPAN></P><P>In the switch we have used the following static ACL:</P><PRE>ip access-list extended TEST <PRE> 10 permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000 </PRE> <BR /></PRE><P>It is to limit so only some source IP can access some destination IP on those ports. Now we want to use it dynamicly so that the ACL gets donloaded to the switch when a <SPAN style="font-size: 10pt;">certain device connects the port.</SPAN></P><P></P><P>I added it to ISE like this:</P><PRE>permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000</PRE><P></P><P>But that doesn't work. However, when I change the source to any then it works:</P><PRE>permit tcp any 10.0.0.2 0.3.255.0 range 1025 2000</PRE><P></P><P>By not working I mean that I see the dACL being downloaded, then the port state is Authz fail and after 1 min the device reauthenticates. </P><P></P><P>Why does it work with source any?</P><P></P><P></P><P>Regards,</P><P>Philip</P> Mon, 11 Mar 2019 03:36:22 GMT https://community.cisco.com/t5/network-access-control/ise-dacl-to-switch/m-p/2269096#M120565 Philip Vilhelmsson 2019-03-11T03:36:22Z https://community.cisco.com/t5/network-access-control/ise-dacl-to-switch/m-p/2269097#M120643 <HTML><HEAD></HEAD><BODY><P> Hello Philip</P><P></P><P>The dACL has only one direction: from the workstation to the switch. So the "source IP address" will always be the IP address of the endpoints connected to the port.</P><P></P><P>Because DHCP is used most of the times and to simplify the dACL, the "source IP address" will use a "special any" which will always be replaced by the IP address of the endpoint. If there are two different endpoints (like a cisco ip phone and a workstation) then you could use independent dACLs for each endpoint: the "any" of dACL for IP Phone will be replaced by the ip address of the ip phone, and the "any" of dACL for workstation will be replaced by the ip address of the workstation.</P><P></P><P>You can verify this behavior by using "show ip access-list int <INTERFACE> "</INTERFACE></P><P></P><P>PLease rate if it helps</P></BODY></HTML> Wed, 03 Jul 2013 05:24:48 GMT https://community.cisco.com/t5/network-access-control/ise-dacl-to-switch/m-p/2269097#M120643 Eduardo Aliaga 2013-07-03T05:24:48Z https://community.cisco.com/t5/network-access-control/ise-dacl-to-switch/m-p/2269098#M120706 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>check if the IOS version and hardware platform (switch) you're using&nbsp; is mentioned in TrustSec document (page 6):</P><P><A href="http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf" target="_blank">http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf</A></P><P>The minimum IOS version to use with ISE should be 12.2(55),&nbsp; but generally it's better to use 15.x.</P><P></P><P>Also, check if you have&nbsp; configured everything that is recommended for switch devices in TrustSec&nbsp; (page 59), including "ip device tracking".</P><P></P><P>There's also a very nice&nbsp; document for troubleshooting:</P><P>"Cisco&nbsp; TrustSec How-To Guide: Failed&nbsp; Authentications and Authorizations"</P><P><A href="http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf" target="_blank">http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf</A></P><P></P><P>If it&nbsp; doesn't work, can you post the output of&nbsp; the following commands after authorization:</P><P>show&nbsp; authentication session interface <INTERFACE_NAME></INTERFACE_NAME></P><P>sh ip&nbsp; access-lists interface <INTERFACE_NAME></INTERFACE_NAME></P><P>show running-config&nbsp; interface <INT_NAME></INT_NAME></P><P>show access-list <INT_NAME></INT_NAME></P><P>sh&nbsp; ip access-lists</P></BODY></HTML> Wed, 03 Jul 2013 06:25:53 GMT https://community.cisco.com/t5/network-access-control/ise-dacl-to-switch/m-p/2269098#M120706 mmangat 2013-07-03T06:25:53Z