topic Re: Switch No Longer Honors DACL in Network Access Control

Switch No Longer Honors DACL

ryanbess — Fri, 30 Aug 2024 17:43:23 GMT

HI all,

I have a cisco switch that no longer gets DACL's from ISE. I've tested radius connectivity and all is fine. When doing a pcap off the PSN i see the name of the DACL called "BLAH" (makes it easy to search for in PCAPS) but i never see the PSN sending the appropriate AV pairs. I've tried removing the switch from ISE and adding it back. The device profile is set to Cisco. Been following https://community.cisco.com/t5/security-blogs/how-the-downloadable-acl-is-pushed-by-cisco-ise-to-the-switch/ba-p/4461339 to help me understand more but I'm at a loss to what config in ISE is wrong.

Any help is appreciated.

Re: Switch No Longer Honors DACL

MHM Cisco World — Fri, 30 Aug 2024 17:51:20 GMT

Hi friend

Can I see

Show authentication session interface x/x detail

Show ip access-list

Share both

Also what is SW platform you have ?

MHM

Re: Switch No Longer Honors DACL

ryanbess — Fri, 30 Aug 2024 18:07:17 GMT

Here you go and thanks. This used to work so trying to learn what i broke.

physical#
physical#show version
Cisco IOS Software, C3560CX Software (C3560CX-UNIVERSALK9-M), Version 15.2(4)E9, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Mon 23-Sep-19 09:53 by prod_rel_team

physical#show auth ses int gi0/4 det
Interface: GigabitEthernet0/4
MAC Address: 5000.0004.0000
IPv6 Address: Unknown
IPv4 Address: 172.16.253.10
User-Name: host/Sub-Win11-01.sub.lab.com
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 181s
Common Session ID: AC10FD030000003301376F54
Acct Session ID: 0x00000028
Handle: 0x93000017
Current Policy: POLICY_Gi0/4

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:

Method status list:
Method State

dot1x Authc Success

physical#sho ip access-lists
Extended IP access list ACL-ALLOW
10 permit ip any any
Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 deny ip any any log
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain
20 permit tcp any any eq www
30 permit tcp any any eq 443
Extended IP access list POSTURE-REDIRECT
10 deny udp any any eq domain bootps
20 permit tcp any any eq www
Extended IP access list POSTURE-REDIRECT-ACL
10 deny udp any any eq bootps
20 deny udp any any eq bootpc
30 deny udp any any eq domain
40 deny tcp any host 172.16.255.102
50 deny tcp any host 172.16.255.104
60 permit tcp any any eq www
Extended IP access list POSTURE-REDIRECTION-ACL
10 permit ip any any
Role-based IP access list Permit IP-00 (downloaded)
10 permit ip
Role-based IP access list Permit_IP_Log-00 (downloaded)
10 permit ip log (4 matches)
Extended IP access list RYAN
10 deny udp any any eq bootps
20 deny udp any any eq bootpc
30 deny udp any any eq domain
40 deny tcp any host 172.16.255.102 eq 8443
50 deny tcp any host 172.16.255.104 eq 8443
60 permit tcp any any eq www
70 deny tcp any any eq 445
80 deny udp any host 172.16.255.102 eq 8443
90 deny udp any host 172.16.255.104 eq 8443
100 permit ip any any
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any

Re: Switch No Longer Honors DACL

MHM Cisco World — Fri, 30 Aug 2024 18:12:22 GMT

The port is authz' did yoh config any pre-auth acl?

MHM

Re: Switch No Longer Honors DACL

ryanbess — Fri, 30 Aug 2024 18:13:52 GMT

no preauth ACL

Re: Switch No Longer Honors DACL

MHM Cisco World — Fri, 30 Aug 2024 18:39:30 GMT

The davl is send by ISE as attribute.

Did you config aaa authz network....?

MHM

Re: Switch No Longer Honors DACL

ryanbess — Fri, 30 Aug 2024 19:35:54 GMT

yes and in ISE we see the DACL being mentioned. I realize its not the same session but we can see it. What i'm learning is i NEVER see the switch asking for the configs of the DACL...as to why, got me.

Re: Switch No Longer Honors DACL

MHM Cisco World — Fri, 30 Aug 2024 21:30:30 GMT

The SW not send ask for dacl in separate packet

The dacl is send from ISE to SW with access-accept (see type in wireshark ypu share)

Now SW receive dacl but not use it.

Change host mode from multi-auth into single-host

MHM

Re: Switch No Longer Honors DACL

ryanbess — Sat, 31 Aug 2024 10:19:53 GMT

Morning. I have another port on same switch that is in single-host....same behavior.

physical#show auth ses int gi0/3 det
Interface: GigabitEthernet0/3
MAC Address: 5000.0008.0000
IPv6 Address: Unknown
IPv4 Address: 172.16.253.5
User-Name: host/Sub-Win11P-01.sub.lab.com
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 246s
Common Session ID: AC10FD030000000E0001531B
Acct Session ID: 0x00000005
Handle: 0x26000001
Current Policy: POLICY_Gi0/3

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:

Method status list:
Method State

dot1x Authc Success

Re: Switch No Longer Honors DACL

MHM Cisco World — Sat, 31 Aug 2024 12:15:03 GMT

In wireshark AVP (26) is missing

Are you sure you add ACL in

Downloadable ACL list <<- in ISE?

MHM

Re: Switch No Longer Honors DACL

ryanbess — Sat, 31 Aug 2024 13:44:04 GMT

yup its in there...it's the oddest thing.

Re: Switch No Longer Honors DACL

MHM Cisco World — Sat, 31 Aug 2024 14:01:18 GMT

In pcaps (wiresharke) do you see avp 26 and when you open it (avp 26) you see permit/deny lines?

MHM

Re: Switch No Longer Honors DACL

ryanbess — Sat, 31 Aug 2024 14:17:27 GMT

Nope i don't. I've searched for them as well. Here's the switch config.

physical#show running-config
Building configuration...

Current configuration : 6353 bytes
!
! Last configuration change at 14:54:38 UTC Fri Aug 30 2024 by ryan
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname physical
!
boot-start-marker
boot-end-marker
!
logging buffered 512000
enable password password
!
username ryan privilege 15 password 0 password
aaa new-model
!
!
aaa group server radius ise-group
server name ise-102
server name ise-104
ip radius source-interface Vlan1
!
aaa authentication login console local
aaa authentication login vty local
aaa authentication enable default enable
aaa authentication dot1x default group ise-group
aaa authorization exec default local
aaa authorization exec vty local
aaa authorization network CTSLIST group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
!
!
!
!
!
aaa server radius dynamic-author
client 172.16.255.104 server-key Iseradius
client 172.16.255.102 server-key Iseradius
!
aaa session-id common
system mtu routing 1500
!
!
!
!
!
!
no ip domain-lookup
ip domain-name sub.lab.com
ip name-server 172.16.255.240
ip device tracking probe auto-source
!
!
!
!
!
!
!
cts server test all idle-time 1
cts server test all deadtime 5
cts authorization list CTSLIST
cts role-based enforcement
cts role-based enforcement vlan-list 1-4094
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
lldp run
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
description Win11-1
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
description Win11-2
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
switchport mode access
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
switchport mode access
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface Vlan1
ip address 172.16.253.3 255.255.255.0
!
ip default-gateway 172.16.253.1
ip forward-protocol nd
!
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
ip route 0.0.0.0 0.0.0.0 172.16.253.1
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domai
remark Ping
permit icmp any any
remark PXE / tftp
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
remark Drop all the rest
ip access-list extended ACL-WEBAUTH-REDIRECT
remark explicitly deny DNS from being redirected to address a bug
deny udp any any eq domain
remark redirect all applicable traffic to the ISE server
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended POSTURE-REDIRECT
deny udp any any eq domain bootps
permit tcp any any eq www
ip access-list extended POSTURE-REDIRECT-ACL
deny udp any any eq bootps
deny udp any any eq bootpc
deny udp any any eq domain
deny tcp any host 172.16.255.102
deny tcp any host 172.16.255.104
permit tcp any any eq www
ip access-list extended POSTURE-REDIRECTION-ACL
permit ip any any
ip access-list extended RYAN
deny udp any any eq bootps
deny udp any any eq bootpc
deny udp any any eq domain
deny tcp any host 172.16.255.102 eq 8443
deny tcp any host 172.16.255.104 eq 8443
permit tcp any any eq www
deny tcp any any eq 445
deny udp any host 172.16.255.102 eq 8443
deny udp any host 172.16.255.104 eq 8443
permit ip any any
!
!
ip radius source-interface Vlan1
!
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 3
radius-server deadtime 3
!
radius server ise-104
address ipv4 172.16.255.104 auth-port 1812 acct-port 1813
pac key Iseradius
!
radius server ise-102
address ipv4 172.16.255.102 auth-port 1812 acct-port 1813
pac key Iseradius
!
!
line con 0
logging synchronous
line vty 0 4
exec-timeout 240 0
transport input ssh
line vty 5 15
!
!
end

Re: Switch No Longer Honors DACL

MHM Cisco World — Sat, 31 Aug 2024 14:31:51 GMT

So the ISE send only name without AVP 26 (permit/deny line)

I guess issue in ISE then'

Make new ACL called it permit and add only one line permit ip any any lastly use ACL permit in authz policy (this step must be after you add new ACL not before it)

And then checking again

Re: Switch No Longer Honors DACL

Rob Ingram — Sat, 31 Aug 2024 14:45:42 GMT

@ryanbess the switch is not requesting to download the DACL from ISE because authorisation configuration is missing for the default method list (same method list you use for dot1x authentication). Your authorisation method list "CTSLIST" is related to trustsec.

Configure authorisation for the default method list:-

aaa authorization network default group ise-group

Re: Switch No Longer Honors DACL

ryanbess — Sat, 31 Aug 2024 15:09:17 GMT

you the man! that fixed it.

I guess i now need to make a list for cts authorization list CTSLIST...not sure how the switch would know what ips are in this list (still learning)

Re: Switch No Longer Honors DACL

ryanbess — Sat, 31 Aug 2024 17:23:40 GMT

Rob, what am i missing. In the link https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/command_sum.html

it says to do as i previously had. .

Usage Guidelines

This command is only for the seed device. Non-seed devices obtain the TrustSec AAA server list from their TrustSec authenticator peer as a component of their TrustSec environment data.

Examples

The following example displays an AAA configuration of a TrustSec seed device:

Switch# cts credentials id Switch1 password Cisco123 Switch# configure terminal Switch(config)# aaa new-model Switch(config)# aaa authentication dot1x default group radius Switch(config)# aaa authorization network MLIST group radius Switch(config)# cts authorization list MLIST Switch(config)# aaa accounting dot1x default start-stop group radius Switch(config)# radius-server host 10.20.3.1 auth-port 1812 acct-port 1813 pac key AbCe1234 Switch(config)# radius-server vsa send authentication Switch(config)# dot1x system-auth-control Switch(config)# exit

Re: Switch No Longer Honors DACL

Rob Ingram — Sat, 31 Aug 2024 17:30:33 GMT

@ryanbess can you confirm what is the problem in regard to the trustsec specific configuration? Or is this still a problem with DACLs?

Re: Switch No Longer Honors DACL

ryanbess — Sat, 31 Aug 2024 18:21:29 GMT

When i put it back to aaa authorization network default group ise-group, now CTS stuff doesn't work. For example i can't download new environmental data.

Re: Switch No Longer Honors DACL

Rob Ingram — Sat, 31 Aug 2024 18:36:51 GMT

@ryanbess you need both method lists, the CTSMLIST must be then referenced with the cts authorization list CTSMLIST command. If you still have a problem, provide your updated configuration.

FYI, it's not recommended nor necessary to use DACLs if you are using TrustSec SGT at the sametime..