topic Re: Default denyaccess in Network Access Control

Default denyaccess

mdjan — Fri, 21 Feb 2020 18:35:50 GMT

Hello guys, I noticed that the default deny access ACL does not be (push) download on the interface from the Cisco ISE server. when a default rule on the authorization policy is matched with a denyAccess ACL. The device has an access on the network and also when I check which ACL is applied on the current device interface, we noticed that there is no ACL on the interface though the radius live logs show that the default rule is matched with a DenyAccess ACL. And on the switch with the sh authentication session interface Gy/x, we see that Dot1x and MAB are failed.

Re: Default denyaccess

agrissimanis — Wed, 11 Oct 2017 09:02:53 GMT

That is expected behaviour, deny access means just that and no RADIUS attributes are honoured by the switch.

What is your standard port configuration? Do you have pre-auth ACL configured?

Re: Default denyaccess

mdjan — Wed, 11 Oct 2017 09:57:58 GMT

I have a default ACL configure on the port

ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any host 10.18.0.138
 permit ip any host 10.18.26.13
 deny   ip any any log
interface GigabitEthernet0/1
 description white cable
 switchport access vlan 3
 switchport mode access
 switchport voice vlan 2
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout quiet-period 15
 dot1x timeout tx-period 3
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust

Re: Default denyaccess

agrissimanis — Wed, 11 Oct 2017 11:09:14 GMT

Just to confirm, when you say that the device has network access, do you mean that the ACL-DEFAULT is not in effect, or do you just want the endpoint to have no network access at all - even more restrictive than the ACL-DEFAULT? In that case you would need to pass Access-Accept from ISE with dACL that denies all traffic. Switch would honour the dACL then, if it is passed in RADIUS Access-Accept message.

Re: Default denyaccess

mdjan — Wed, 11 Oct 2017 12:06:39 GMT

I just want the endpoint to have no network access at all, like deny ip any any on the current interface when the default rule matched.

Re: Default denyaccess

agrissimanis — Wed, 11 Oct 2017 12:19:05 GMT

OK, in that case just change the authorization profile to Access-Accept, and specify dACL that has deny ip any any. Generally in low impact mode, it is accepted that the services available with the pre-auth ACL are fine, even if the endpoint fails authentication, but if you would like to completely restrict access, this approach will work.

Re: Default denyaccess

mdjan — Wed, 11 Oct 2017 12:28:38 GMT

That is the issue because it is not working

Re: Default denyaccess

agrissimanis — Wed, 11 Oct 2017 13:24:20 GMT

And you definitely don't have any problems with dACLS being applied to the hosts that pass normal corporate auth for example (that is dACLS with permit ip any any)?

What is your ip device tracking config? And could you post the Attributes details section of your Authorization profile?

Re: Default denyaccess

mdjan — Wed, 21 Mar 2018 07:34:37 GMT

The issue was on the switch side