topic Re: dACL only works after a clear access-session in Network Access Control

dACL only works after a clear access-session

User42 — Wed, 30 Oct 2024 08:42:41 GMT

ISE: 3.2 Patch 4

Switch: C9300-48P mit IOS XE 17.09.04a

Without dACL:

Authorization Policy Result

Result: Access-Accept

Vlan: 12

Device gets plugged in:

ISE:

Correct Policy and correct result

Switch:

Client Authorized, vlan 12

Client:

ping a.a.a.a -> successfull

ping b.b.b.b -> successfull

With dACL:

Authorization Policy Result

Result: Access-Accept

Vlan: 12

dACL:

permit ip any host a.a.a.a

deny ip any any

Device Plugged in:

ISE:

Correct Policy, correct result and dACL Download successful

Switch:

Client Authorized, vlan 12, dACL download complete and mapped to interface

Client:

ping a.a.a.a -> not successfull

ping b.b.b.b -> not successfull

If I clear the access-session with clear access-session on the switch:

ISE:

Correct Policy, correct result and dACL Download successful

Switch:

Client Authorized, vlan 12, dACL download complete and mapped to interface

Client:

ping a.a.a.a -> successfull

ping b.b.b.b -> not successfull

If the client is unplugged and plugged in again, the ping tests are again unsuccessful.

The dACL only seems to work correctly after a clear access session.

I looked in Cisco's BST but didn't find anything.

Does anyone have an idea?

Re: dACL only works after a clear access-session

Flavio Miranda — Wed, 30 Oct 2024 09:17:37 GMT

@User42

I believe this is an expect behavior and you need to use CoA to overcome this. Take a look on the below thread and there are lots of similar threads here in the forum.

https://community.cisco.com/t5/network-access-control/coa-session-reauth-required-after-successful-authentication/td-p/4158220

Re: dACL only works after a clear access-session

User42 — Wed, 30 Oct 2024 09:23:50 GMT

I think here it is another problem because I'm not speaking of Guest Access.
These Clients I described authenticate with dot1x EAP-TLS.

Re: dACL only works after a clear access-session

MHM Cisco World — Wed, 30 Oct 2024 09:27:29 GMT

permit ip any host a.a.a.a <<- remove this

Add

Permit ip any any <<-

And let device tracking adjust any

MHM

Re: dACL only works after a clear access-session

Mark Elsen — Wed, 30 Oct 2024 09:31:24 GMT

- Here are a number of related bugs with DACL , which include your ISE version :
https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&prdNam=Cisco%20Identity%20Services%20Engine%203.2&kw=dacl%203.2&bt=custV&sb=anfr

Check if anything related comes up ; it's probably advisable to test with the latest patch for ISE 3.2 (p7)

Re: dACL only works after a clear access-session

User42 — Wed, 30 Oct 2024 09:31:34 GMT

Thanks for the reply!
With permit ip any any it works.
But then I cloud just use no dACL

The Goal is this:

ping a.a.a.a -> successfull

ping b.b.b.b -> not successfull

I want that the Client only can reach his server.

Re: dACL only works after a clear access-session

Cristian Matei — Wed, 30 Oct 2024 21:49:25 GMT

Hi,

I would check for dACL related bugs on that ISE version. Second, do you have "epm logging" to validate that dACL is actually correctly applied on the port via "show logging"?

Best,

Cristian.

Re: dACL only works after a clear access-session

MHM Cisco World — Thu, 31 Oct 2024 06:17:32 GMT

This issue' how ISE know that this is user a.a.a.a or user b.b.b.b to assign correct dacl?

Instead push in dacl permit ip any any

And try use ACL in port connect to server or use vlan access list.

MHM

Re: dACL only works after a clear access-session

User42 — Thu, 31 Oct 2024 06:48:56 GMT

Hi Together

Thanks for the many replies!
I found the problem (It's a stupid fault from my site)
The Clients couldn't get any ip address. In the ACL I allow connection to the dhcp.
But for dhcp the Client tries with a broadcast address.

I just hat to add: permit udp any any eq 67.

I didn't saw it first because this devices only has a web UI (which wasn't reachable)
Also there APIPPA Looks like the old address from the dhcp a.a.20.13 -> 169.254.20.13

I really appreciate your help and I am sorry for your loss of time.

Re: dACL only works after a clear access-session

Cristian Matei — Thu, 31 Oct 2024 08:16:20 GMT

Hi,

By enabling the logging i've recommended, you would have seen that dACL was not actually applied because hosts had no IP address that switch can make use of before applying the dACL.

Good you fixed it.

Best,

Cristian.

Re: dACL only works after a clear access-session

MHM Cisco World — Thu, 31 Oct 2024 07:45:28 GMT

with respect to your solution

how ISE know this endpoint is a.a.a.a or b.b.b.b

this can only done via dhcp profiling

MHM