topic Re: ISE DACL does not allow host to obtain DHCP address from cisco swi in Network Access Control

ISE DACL does not allow host to obtain DHCP address from cisco switch

iancresswell — Thu, 23 Jun 2022 16:48:52 GMT

We run ISE version 2.4

We have a DACL that gets assigned to specific MAC addresses to restrict their access to the LAN.

One of the entries in the DACL is as below to allow the host to pick up a DHCP address

permit udp any eq bootpc any eq bootps

When we host the DHCP on a remote server this works fine.

If we host DHCP services on a local cisco switch the host never picks up an IP address

Even if I change the DACL so it has a "permit any any" entry it still does not pick up an IP address.

It would seem that unless the DHCP requests are forwarded it does not reference the DACL until it picks up an IP address.

How can I assign a DACL in this situation?

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

Georg Pauwen — Thu, 23 Jun 2022 16:58:49 GMT

Hello,

--> If we host DHCP services on a local cisco switch the host never picks up an IP address

What do you configure on the switch, can you post the output of 'sh run' ?

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

MHM Cisco World — Thu, 23 Jun 2022 18:34:56 GMT

NO ip dhcp snooping information option

I think since Core don't not config with DHCP snooping it refuse the DHCP request.
so add command above to access SW and check again.

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

Mohammed al Baqari — Fri, 24 Jun 2022 06:30:20 GMT

Hi,

The DACLs should handle the traffic even when the switch itself is the DHCP
Server. Can you debug ip dhcp server on the switch to see if the packets
are coming?

**** please remember to rate useful posts

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

iancresswell — Fri, 24 Jun 2022 08:06:01 GMT

Hi All

The DHCP server does assign IP addresses to clients as long as there is no DACL applied to the interface.

It is not DHCP snooping or it would not assign IP addresses under any circumstances.

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

ahollifield — Fri, 24 Jun 2022 12:02:11 GMT

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-743964.html

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

MHM Cisco World — Fri, 24 Jun 2022 12:39:59 GMT

OK. make sure remove dot1x config from any port assign VLAN to that port and see if client get IP from DHCP server WHEN the Core is DHCP server.

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

iancresswell — Fri, 24 Jun 2022 12:47:55 GMT

It does work when dot1x is enabled as long as it does not have a DACL applied to the interface.

If I remove dot1x it also works as the DACL does not get applied.

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

MHM Cisco World — Fri, 24 Jun 2022 12:56:05 GMT

before authz the port from ISE,
do show access list

the DACL is add as PACL to port, so see if there is default PACL or not, if there is no add PACL and allow DHCP server connection, keep notice the DACL is add above the PACL line.

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

iancresswell — Wed, 29 Jun 2022 13:21:27 GMT

I have done more testing and it seems it is not that the DACL is restricting access to the DHCP server, the DACL is simply not being applied.

If I remove the DACL from the Auth Profile the client authenticates, authorizes and is able to connect.

If I add the DACL to the AuthProfile the ISE logs show authentication and authorization is successful but the switch never authorizes the client and the DACL is not applied.

The ISE server is at a remote site behind a VPN hosted between two checkpoint firewall, I suspect the problem may be here somewhere.

These are packet captures from the Checkpoint firewall:

No Shutdown Access Port (no DACL Applied)
13:00:46.196700 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 345: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0xdf length: 301
13:00:46.468821 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 201: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Accept (2), id: 0xdf length: 157
13:00:46.483331 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 370: 10.240.100.15.58557 > 10.241.100.15.1646: RADIUS, Accounting Request (4), id: 0xb2 length: 326
13:00:46.740692 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 64: 10.241.100.15.1646 > 10.240.100.15.58557: RADIUS, Accounting Response (5), id: 0xb2 length: 20
13:00:46.742272 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 400: 10.240.100.15.58557 > 10.241.100.15.1646: RADIUS, Accounting Request (4), id: 0xb3 length: 356
13:00:47.000704 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 64: 10.241.100.15.1646 > 10.240.100.15.58557: RADIUS, Accounting Response (5), id: 0xb3 length: 20

Shutdown Access Port
13:01:32.434816 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 412: 10.240.100.15.58557 > 10.241.100.15.1646: RADIUS, Accounting Request (4), id: 0xb4 length: 368
13:01:32.692773 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 64: 10.241.100.15.1646 > 10.240.100.15.58557: RADIUS, Accounting Response (5), id: 0xb4 length: 20

No Shutdown Port (DACL Applied)
13:01:51.698746 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 345: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0xe0 length: 301
13:01:52.021105 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 275: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Accept (2), id: 0xe0 length: 231
13:01:52.027475 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 190: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0xe1 length: 146

No further response when port shut down

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

MHM Cisco World — Thu, 30 Jun 2022 01:09:49 GMT

I hope this solve your issue, find below this note from cisco

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

iancresswell — Thu, 30 Jun 2022 10:32:31 GMT

The Access Switch is a C3850 running 16.12.07

We have sites behind a DMVPN tunnel that work perfectly.

The two sites we have behind a VPN managed by Checkpoint gateways does not work.

ISE logs show auth was successful but if you look on the switch the port is in an unauthorized state and the DACL is not applied. The connecting device has a static IP assigned as DHCP would not assign an IP as the port is unauthorized.

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

MHM Cisco World — Thu, 30 Jun 2022 11:30:46 GMT

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

There is check point the only reason make it stop CoA is port use by ise is block by check point.

I attach some port need for ISE.

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

iancresswell — Thu, 30 Jun 2022 13:06:36 GMT

We allow all traffic over the tunnel between our two networks.

Collected some more debugs, seems that when a DACL is applied it cycles between Access Challenge and Access Request.

10.241.100.15 is the Access Switch and 10.241.100.15 is the ISE server.

With no DACL:

11:22:14.559669 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 345: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0x57 length: 301
11:22:14.831033 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 201: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Accept (2), id: 0x57 length: 157
11:22:14.844121 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 370: 10.240.100.15.58557 > 10.241.100.15.1646: RADIUS, Accounting Request (4), id: 0xe8 length: 326
11:22:15.099517 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 64: 10.241.100.15.1646 > 10.240.100.15.58557: RADIUS, Accounting Response (5), id: 0xe8 length: 20
11:22:17.039674 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 400: 10.240.100.15.58557 > 10.241.100.15.1646: RADIUS, Accounting Request (4), id: 0xe9 length: 356
11:22:17.294920 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 64: 10.241.100.15.1646 > 10.240.100.15.58557: RADIUS, Accounting Response (5), id: 0xe9 length: 20

With DACL in Auth Profile:

11:20:54.543484 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 378: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0x4b length: 334
11:20:54.799208 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 173: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Challenge (11), id: 0x4b length: 129
11:20:54.804109 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 599: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0x4c length: 555
11:20:55.057090 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 1185: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Challenge (11), id: 0x4c length: 1141
11:20:55.061545 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 433: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0x4d length: 389
11:20:55.315242 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 1181: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Challenge (11), id: 0x4d length: 1137
11:20:55.320105 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 433: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0x4e length: 389
11:20:55.573136 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 1181: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Challenge (11), id: 0x4e length: 1137
11:20:55.583272 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 433: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0x4f length: 389
11:20:55.837131 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 1181: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Challenge (11), id: 0x4f length: 1137
11:20:55.841461 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 433: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0x50 length: 389
11:20:56.096419 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 1181: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Challenge (11), id: 0x50 length: 1137
11:20:56.100885 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 433: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0x51 length: 389
11:20:56.355026 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 200: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Challenge (11), id: 0x51 length: 156
11:20:56.363536 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 1412: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0x52 length: 1368
11:20:56.363596 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 553: 10.240.100.15 > 10.241.100.15: udp
11:20:56.617143 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 173: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Challenge (11), id: 0x52 length: 129
11:20:56.621672 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 1412: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0x53 length: 1368
11:20:56.621725 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 553: 10.240.100.15 > 10.241.100.15: udp
11:20:56.875091 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 173: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Challenge (11), id: 0x53 length: 129
11:20:56.879808 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 1412: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0x54 length: 1368
11:20:56.879859 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 452: 10.240.100.15 > 10.241.100.15: udp
11:20:57.147458 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 264: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Challenge (11), id: 0x54 length: 220
11:20:57.154941 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 433: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0x55 length: 389
11:20:57.465109 Out 00:1c:7f:80:aa:e4 ethertype IPv4 (0x0800), length 443: 10.241.100.15.1645 > 10.240.100.15.58417: RADIUS, Access Accept (2), id: 0x55 length: 399
11:20:57.472961 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 190: 10.240.100.15.58417 > 10.241.100.15.1645: RADIUS, Access Request (1), id: 0x56 length: 146
11:21:02.472703 In 00:42:5a:ff:9b:e2 ethertype IPv4 (0x0800), length 190: 10.240.100.15.58417 > 10.193.185.220.1645: RADIUS, Access Request (1), id: 0x56 length: 146

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

MHM Cisco World — Thu, 30 Jun 2022 13:31:27 GMT

aaa server radius dynamic-author <- do you add this command to SW?

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

iancresswell — Thu, 30 Jun 2022 14:21:41 GMT

Idid not have that command, I added it but no difference.

This is my AAA config:

aaa new-model
!
aaa group server radius ISER
server-private A.B.C.D key 7 045F0E251vvvvv31
server-private A.B.C.D key 7 070B24vvvvvv102F
ip radius source-interface Vlan0x0
!
aaa authentication login default group ISE local
aaa authentication enable default group ISE enable
aaa authentication dot1x default group ISER
aaa authorization network default group ISER
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISER
aaa accounting commands 0 default stop-only group ISE
aaa accounting commands 1 default stop-only group ISE
aaa accounting commands 15 default stop-only group ISE
!
aaa server radius dynamic-author
!
aaa session-id common

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

MHM Cisco World — Thu, 30 Jun 2022 15:16:54 GMT

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-16-10/sec-usr-aaa-xe-16-10-book/sec-rad-coa.pdf

check this guide there are some command you need to add to make CoA work.

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

iancresswell — Thu, 30 Jun 2022 15:51:09 GMT

CoA works just fine for all sites except this one.

I have other sites that use DACL's without any issue, some have a local ISE server and some use an ISE server behind a DMVPN tunnel.

This site is the only one behind a Checkpoint P2P tunnel and we cannot get the CoA to work over this tunnel.

We do not have dynamic-author configured in any other site, but for due diligence I added the dynamic-author to this site, unfortunately it did not make any difference.

Seems when we add a DACL to the mix for this site it never gets past the Access Request - Access Challenge - Access Request loop.

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

iancresswell — Mon, 04 Jul 2022 15:28:11 GMT

I have been doing more discovery with this and I can get it to work but not consistently.

First I took the Standard PERMIT_ALL_TRAFFIC DACL and applied that to the Auth Profile, this allowed the client to connect, was authorized and downloaded the "permit ip any any" DACL

I then made a copy of the PERMIT_ALL_TRAFFIC DACL, renamed it to what I want for my DACL and applied this DACL to the Auth Profile, again I was able to connect and get authorized.

So I then decided to edit the DACL I had just copied and add all the DACL entries I need to protect my network, this also allowed the client to connect, was authorized and downloaded the full DACL.

So I then left it for 5 - 10 minutes, shut and no shut the port and then I was back to the original problem, unauthorized and not downloading the DACL. (sometimes I can reset the port 5 or 10 times but then at some point it will go to unauthorized)

I then found if I change the DACL, even slightly and then reset the port, it will work successfully but then if I reset the port again it will no longer work unless I modify the DACL again.

So I guess what confuises me the most is that it works for a while but will always revert back to unauthorized and only a change to the contents of the DACL will get it to authorize once it has failed.

Re: ISE DACL does not allow host to obtain DHCP address from cisco swi

MHM Cisco World — Mon, 04 Jul 2022 16:09:35 GMT

just one Q may be I am wrong
but CoA use in case of auth client and then use another auth process for client and hence we need CoA to not authz the client for first auth.

you mention that other site work with out CoA command I mention before are they even use CoA.