topic Re: Cisco dACL Not Applying on 2960X in Network Access Control

Cisco dACL Not Applying on 2960X

mharing — Tue, 07 Mar 2023 15:46:36 GMT

I'm trying to deploy a dACL from our RADIUS server, I see the dACL being received by the switch, but for some reason it's not present when I run "show ip access-list" or if I look at the access-lists applied to the interface. I also don't see it applied when checking the auth session details. Any suggestions on what I might be missing or what might be going on? My test switch is a little older version - 2960X Version 15.2(2)E3.

132966: Mar 7 10:16:52.909 EST: EPM_SESS_EVENT: Feature (EPM ACL PLUG-IN) has been started (status 2)
132967: Mar 7 10:16:52.909 EST: EPM_SESS_EVENT: Feature received has acl
132968: Mar 7 10:16:52.909 EST: EPM_SESS_ERR: *** Download in progress..
132969: Mar 7 10:16:52.909 EST: EPM_SESS_EVENT: Method list used for download is default
132970: Mar 7 10:16:52.909 EST: EPM_SESS_EVENT: Local Open Dir Received
132971: Mar 7 10:16:52.909 EST: EPM_SESS_EVENT: Feature received does not have acl
132972: Mar 7 10:16:52.912 EST: EPM_SESS_EVENT: Feature (EPM ACL PLUG-IN) Status (1) Notified
132973: Mar 7 10:16:52.912 EST: EPM_SESS_EVENT: Successful feature attrs provided for EPM ACL PLUG-IN
132977: Mar 7 10:16:52.947 EST: EPM_SESS_EVENT: Executed [ip access-list extended xACSACLx-IP-Cisco_dACL_Credit_Card-3314-6] command through parse_cmd. Result= 0
132978: Mar 7 10:16:52.951 EST: EPM_SESS_EVENT: Executed [1 permit udp any any eq bootpc] command through parse_cmd. Result= 0
132979: Mar 7 10:16:52.951 EST: EPM_SESS_EVENT: Executed [end] command through parse_cmd. Result= 0
132980: Mar 7 10:16:52.954 EST: EPM_SESS_EVENT: Executed [ip access-list extended xACSACLx-IP-Cisco_dACL_Credit_Card-3314-6] command through parse_cmd. Result= 0
132981: Mar 7 10:16:52.954 EST: EPM_SESS_EVENT: Executed [2 permit udp any any eq domain] command through parse_cmd. Result= 0
132982: Mar 7 10:16:52.958 EST: EPM_SESS_EVENT: Executed [end] command through parse_cmd. Result= 0
132980: Mar 7 10:16:52.954 EST: EPM_SESS_EVENT: Executed [ip access-list extended xACSACLx-IP-Cisco_dACL_Credit_Card-3314-6] command through parse_cmd. Result= 0
132981: Mar 7 10:16:52.954 EST: EPM_SESS_EVENT: Executed [3 permit ip any any] command through parse_cmd. Result= 0
132982: Mar 7 10:16:52.958 EST: EPM_SESS_EVENT: Executed [end] command through parse_cmd. Result= 0
133025: Mar 7 10:16:53.045 EST: EPM_SESS_EVENT: EPM_HA: Size of AAA attrlist 0x29001A8B = 984
133026: Mar 7 10:16:53.045 EST: EPM_SESS_EVENT: EPM_HA: AAA attrlist 0x29001A8B stored in buffer 0x564A375 with size 984
133027: Mar 7 10:16:53.045 EST: EPM_SESS_EVENT: IN ACL not configured, checking Default ACL
133028: Mar 7 10:16:53.048 EST: EPM_SESS_ERR: ACL xACSACLx-IP-Cisco_dACL_Credit_Card-3314-6 provisioning failed!
133029: Mar 7 10:16:53.048 EST: EPM_SESS_EVENT: Feature (EPM ACL PLUG-IN) Status (2) Notified
133030: Mar 7 10:16:53.048 EST: EPM_SESS_EVENT: Successful feature attrs provided for EPM MISC PLUG-IN
133031: Mar 7 10:16:53.048 EST: EPM_SESS_EVENT: Successful feature attrs provided for EPM ACL PLUG-IN
133032: Mar 7 10:16:53.048 EST: EPM_SESS_EVENT: Successful feature attrs provided for SM Reauth Plugin
133033: Mar 7 10:16:53.048 EST: EPM_SESS_EVENT: Successful feature attrs provided for EPM VLAN GROUP ASSIGNMENT
133034: Mar 7 10:16:53.048 EST: EPM_SESS_EVENT: Successful feature attrs provided for SM ACCOUNTING PLUG-IN
133035: Mar 7 10:16:53.052 EST: EPM_SESS_EVENT: Received IIF ID [0]
133036: Mar 7 10:16:53.066 EST: EPM_SESS_EVENT: Feature (EPM MISC PLUG-IN) has been terminated
133037: Mar 7 10:16:53.066 EST: EPM_SESS_EVENT: Feature (EPM ACL PLUG-IN) has been terminated
133038: Mar 7 10:16:53.066 EST: EPM_SESS_EVENT: Feature (SM Reauth Plugin) has been terminated
133039: Mar 7 10:16:53.066 EST: EPM_SESS_EVENT: Feature (EPM VLAN GROUP ASSIGNMENT) has been terminated
133040: Mar 7 10:16:53.066 EST: EPM_SESS_EVENT: Feature (SM ACCOUNTING PLUG-IN) has been terminated
133041: Mar 7 10:16:53.073 EST: EPM_SESS_ERR: *** Inside Cleanup action ***
K-11-Buildsw6#
133042: Mar 7 10:16:53.073 EST: EPM_SESS_EVENT: Un-Installing Named ACL xACSACLx-IP-Cisco_dACL_Credit_Card-3314-6 session_ctx 83E405C feat_ctx 83F4284 feat_conf 83D4260
133043: Mar 7 10:16:53.076 EST: EPM_SESS_EVENT: EPM_HA: Size of AAA attrlist 0xFB001A9C = 984
133044: Mar 7 10:16:53.076 EST: EPM_SESS_EVENT: EPM_HA: AAA attrlist 0xFB001A9C stored in buffer 0x5658859 with size 984
K-11-Buildsw6#
133045: Mar 7 10:16:53.622 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/17, changed state to up

Buildsw6#show auth sessions interface gigabitEthernet 1/0/17 details
Interface: GigabitEthernet1/0/17
MAC Address: 38ef.e37e.3275
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 38efe37e3275
Status: Unauthorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Session timeout: N/A
Common Session ID: 0A080A2C00000A7050BE706B
Acct Session ID: 0x00000A5C
Handle: 0xA900001A
Current Policy: POLICY_Gi1/0/17

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
Method State
mab Authc Success

Buildsw6#

Buildsw6#show ip access-lists interface gigabitEthernet 1/0/17
Buildsw6#

Thanks.

Re: Cisco dACL Not Applying on 2960X

Rob Ingram — Tue, 07 Mar 2023 15:54:10 GMT

@mharing I note in your output there IPv4 address is unknown.

Do you have device tracking configured and working?

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

The device-tracking configuration is very critical to learn an endpoint’s IP address and map that to its network access session. The device-tracking configuration is also essential for many features, such as downloadable ACLs, device profiling, URL redirection, and more.

Re: Cisco dACL Not Applying on 2960X

MHM Cisco World — Tue, 07 Mar 2023 15:57:46 GMT

config PACL with same IP under the interface and add deny any any
then after dACL
check show ip access-list see if the dACL line add to PACL you config

Re: Cisco dACL Not Applying on 2960X

mharing — Tue, 07 Mar 2023 15:58:51 GMT

I do, but you're right it isn't showing properly for that specific client / port -

Buildsw6#show ip device tracking all
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 10
-----------------------------------------------------------------------------------------------
IP Address MAC Address Vlan Interface Probe-Timeout State Source
-----------------------------------------------------------------------------------------------

Total number interfaces enabled: 1
Enabled interfaces:
Gi1/0/17
Buildsw6#

Buildsw6#show ip device tracking interface gigabitEthernet 1/0/17
--------------------------------------------
Interface GigabitEthernet1/0/17 is: STAND ALONE
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IPv6 Device Tracking Client Registered Handle: 1
IP Device Tracking Enabled Features:
HOST_TRACK_CLIENT_SM
--------------------------------------------

Buildsw6#

I'll check that documentation quick and make sure I didn't miss anything.

Re: Cisco dACL Not Applying on 2960X

mharing — Thu, 09 Mar 2023 15:07:09 GMT

Thank you all for the help, we were able to figure out the issue. The dACL we were pushing had some invalid lines that was preventing it from applying properly. First, the ACL is "in" only, and in such, the source must always be the connected device (or any which is what we used), second we needed to use wildcard masks, instead of CIDR or standard subnet mask, and finally, the protocols should be the actual port number and not the protocol name such as domain or bootpc. After correcting these in the dACL, it was applied successfully.

For reference, our NAC solution is Aruba ClearPass. Hopefully this helps someone else with the same issue!