topic Fixed my issue. DHCP in Network Access Control

ISE dACL issues 4510

Justin.Nichols — Wed, 13 Mar 2019 00:46:01 GMT

I am having an issue with my permit all dACL for printers on a 4510 switch.

Everything looks to be getting applied correctly from ISE, but I'm still getting blocked by my default ACL after the dACL has been successfully downloaded. This is working on 3560 with the same config.

cat4500e-universalk9.SPA.03.04.06.SG.151-2.SG6.bin

Interface: GigabitEthernet8/1
          MAC Address: 0014.3889.3278
           IP Address: Unknown
            User-Name: 00-14-38-89-32-78
               Status: Authz Success
               Domain: DATA
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: multi-auth
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: 9
              ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-5484c0cc
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A01D2FC000001DC08B4190C
      Acct Session ID: 0x000001E5
              Handle: 0x230001DD

May 15 03:02:29: %SEC-6-IPACCESSLOGP: list ACL_DEFAULT denied tcp 10.1.230.99(9100) -> 10.1.210.74(53091), 2 packets

add: VLAN assignment is

Justin.Nichols — Fri, 15 May 2015 15:29:10 GMT

add: VLAN assignment is working correctly.

interface config:

interface GigabitEthernet8/1
switchport access vlan 8
switchport mode access
switchport voice vlan 3
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping trust
end

Can you see the ip adds of

jan.nielsen — Fri, 15 May 2015 20:06:21 GMT

Can you see the ip adds of your printer as active in "show ip device tracking all", when it's not working ?

You can use debug epm to

Antonio Torres — Sun, 17 May 2015 03:33:31 GMT

You can use debug epm to verify DACL installation errors. It seems like DACL is not installed on TCAM because we're not learning the endpoint IP. As Jan said, do a "show ip device tracking all" and verify if we are learning the endpoint's IP on Gig8/1.

Fixed my issue. DHCP

Justin.Nichols — Sun, 17 May 2015 17:41:42 GMT

Fixed my issue. DHCP snooping was getting blocked at port on server. Trusted the port and everything started working.

This is somewhat off subject.

rschwart — Mon, 22 Jun 2015 15:30:12 GMT

This is somewhat off subject. I am looking for a solution to whitelisting printers. Currently we whitelist printers on our 802.1x wired network. I have whitelisted over 30 new devices in that last month, but have not taken any out of the list. Any sample acls, or dAcls would be appreciated. Being a university we have a variety of printers, HP, Brother, Canon, etc.

Thanks for any help.