topic Cisco ISE dACL won't apply to the port in Network Access Control

Cisco ISE dACL won't apply to the port

radumihai — Fri, 10 Nov 2023 13:43:36 GMT

Hello,

I'm struggling to configure a switchport to use a dACL configured on Cisco ISE.

Environment:

Cisco ISE 3.1.0.518 (VM in VMWare)
vios_l2-ADVENTERPRISEK9-M), Version 15.2(4 .0.55)E (inside EVE-NG)
Ubuntu Desktop (inside EVE-NG)

Switch Config

aaa new-model

dot1x system-auth-control

radius server ISER1

address ipv4 192.168.183.51 auth-port 1812 acct-port 1813

key radiuskey

aaa group server radius ISEG1

server name ISER1

ip radius source-interface Vlan1

aaa authentication dot1x default group ISEG1

aaa authorization network default group ISEG1

aaa accounting dot1x default start-stop group ISEG1

radius-server vsa send authentication

radius-server vsa send accounting

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

ip device tracking

ip device tracking probe delay 10

ip dhcp snooping

ip dhcp snooping vlan 10

ip dhcp snooping vlan 2

no ip dhcp snooping information option

interface GigabitEthernet0/3 // Connected to PC

switchport mode access

switchport access vlan 2

spanning-tree portfast

dot1x pae authenticator

authentication port-control auto

interface GigabitEthernet0/0 // Uplink

switchport trunk encapsulation dot1q

switchport mode trunk

ip dhcp snooping trust

Cisco ISE Configuration

the switch is configured in Network Devices
local users configured in Identities/ Network Access Users
rules configured for 802.1X authentication and authorization
authorization profile configured for VLAN assignment and/or dACL

Just with VLAN assignment and current configuration everything seems to work fine. The port starts in VLAN2, authentication and authorization occur, the port is moved to VLAN10, it gets an IP via DHCP from VLAN10 and it has full connectivity.

Switch(config)#do show ip device tracking all
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 10
---------------------------------------------------------------------------------------
IP Address MAC Address Vlan Interface Probe-Timeout State Source
---------------------------------------------------------------------------------------
10.100.10.4 0050.0000.0f00 10 GigabitEthernet0/3 30 ACTIVE ARP

If I configure the authorization profile to also push a default dACL (for example PERMIT_ALL_IPV4_TRAFFIC) the switch receives from the ISE RADIUS Access-Accept and it downloads the dACL but it sends back to the user EAP - Failure. The supplicant tries again, same result and it gives up at some point. There is no entry in show ip device tracking all.

If I configure to push a custom dACL the AAA process is successful, the supplicant receives the EAP - Success message, it gets an IP address from VLAN10, but it is put in VLAN2 according to the show ip device tracking and there is no connectivity.

Switch(config-if)#do show ip device tracking all
-------------------------------------------------------------
IP Address MAC Address Vlan Interface Probe-Timeout State Source
-------------------------------------------------------------
10.100.10.4 0050.0000.0f00 2 GigabitEthernet0/3 30 ACTIVE ARP

If i configure just the dACL authorization (doesn't matter what kind of dACL is used), the ISE server sends RADIUS Access-Accept for network access and dACL download but the switch sends EAP-Failure to the supplicant.

What could be the problem? I'm not sure if this behavior is caused by my configuration and there is something wrong with it or is caused by the the fact that the switch is virtual, inside EVE-NG, inside VMWare.

Thanks in advanced,

Radu

Re: Cisco ISE dACL won't apply to the port

Arne Bier — Sun, 12 Nov 2023 22:35:23 GMT

Sounds like a groovy lab setup you have there. As much as I love the idea of vios_l2, I always find something about it that seems unreliable and incomplete. I wish Cisco did more updates on it. I suspect it's a race condition.

Have you tried to NOT switch the VLAN, and then see if the dACL is applied correctly?

BTW, you can see the programming of the ACLs on the interface (how the combination of port ACL and dACL looks)

show platform software fed switch 1 acl interface | begin <MAC-address>

Might not work on vios perhaps.

Re: Cisco ISE dACL won't apply to the port

radumihai — Mon, 13 Nov 2023 08:27:38 GMT

Hi Arne

Thanks for your input. I have tried not to switch the VLAN and just apply a dACL. Unfortunately, it doesn't work either. The ISE servers sends Access Accept, the switch sends a request for the dACL and it is also downloaded (according to ISE Live Logs and packet captures) but the switch sends back to the supplicant EAP-Failure.

Re: Cisco ISE dACL won't apply to the port

Aref Alsouqi — Mon, 13 Nov 2023 09:49:14 GMT

Do you have CoA configured on the switch?

Re: Cisco ISE dACL won't apply to the port

radumihai — Mon, 13 Nov 2023 11:02:21 GMT

Hi Aref,

No, I didn't at the moment. By configuring CoA on the switch I managed to see some differences but overall it is not working.

Using CoA and a default dACL (permit ip any any) the supplicant obtains from the switch EAP-Success, it manages to get an IP from the DHCP server (acording to the VLAN assigned using the authorization profile) but any other traffic is not allowed through the port.

Switch(config-if)#do show authentication session int gi0/3 det
Interface: GigabitEthernet0/3
MAC Address: 0050.0000.0f00
IPv6 Address: Unknown
IPv4 Address: 10.100.10.5
User-Name: ise.user1
Status: Unauthorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0000020000005A195797DE
Acct Session ID: 0x00000034
Handle: 0x4800003C
Current Policy: POLICY_Gi0/3

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Method status list:
Method State
dot1x Authc Success

Using CoA and a custom dACL the switchport sends EAP Failure even if the ISE server sent an accept.

Just with a VLAN change configured, everything seems to work fine.

Switch(config-if)#do show authentication session int gi0/3 det
Interface: GigabitEthernet0/3
MAC Address: 0050.0000.0f00
IPv6 Address: Unknown
IPv4 Address: 10.100.10.5
User-Name: ise.user1
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0000020000005819538DF2
Acct Session ID: 0x00000033
Handle: 0x0D00003A
Current Policy: POLICY_Gi0/3

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:

Method status list:

Method State
dot1x Authc Success

Re: Cisco ISE dACL won't apply to the port

Aref Alsouqi — Mon, 13 Nov 2023 11:27:47 GMT

I can't see the dACL reference on the output you shared. Did you enable CoA on the swtich properties in ISE?

Re: Cisco ISE dACL won't apply to the port

radumihai — Mon, 13 Nov 2023 13:11:17 GMT

How do i enable CoA for the switch in ISE?

I have configured the following on the switch in CLI and in ISE i have the device profile configured as Cisco and under RADIUS Authentication Settings is the CoA port configured for 1700

aaa server radius dynamic-author
client 192.168.183.51 server-key radiuskey

Re: Cisco ISE dACL won't apply to the port

Aref Alsouqi — Mon, 13 Nov 2023 14:01:01 GMT

It is part of the RADIUS settings in Network Devices in ISE, if you see CoA port 1700 next to the CoA port then that should be enough.

Re: Cisco ISE dACL won't apply to the port

Arne Bier — Mon, 13 Nov 2023 22:57:49 GMT

The sticking point seems to be the dACL. So let's return to our trusted reference guide, and I would suggest adding the following in this order:

1. Try adding this global command from the Deployment Guide (point 25.) - it wasn't 100% clear to me from the description what it does, but it might help

access-session acl default passthrough

2. If that alone doesn't fix it, then try the Low Impact Mode by defining a pre-auth ACL and assigning it to your interface.

ip access-list extended IPV4_PRE_AUTH_ACL permit udp any eq bootpc any eq bootps permit udp any any eq domain deny ip any any ! interface gigabitEthernet 0/3 ip access-group IPV4_PRE_AUTH_ACL in

Test the auth and monitor the cumulative effect with the show command

show ip access-list interface gig0/3