Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5728
Views
5
Helpful
7
Replies

Cisco ISE pushs DACL but switch port doesn't take it

Go to solution
antonioyan99
Level 1
Level 1

‎03-17-2019 11:06 AM

Hi Cisco ISE guru,

 

I ran into a weird scenario for an ISE deployment,   I have deployed about 700 endpoint into enforcement mode(low impact).

2 endpoints passes dot1x auth/authorization and the session receives "permit ip any any" DACL, the dacl shows up in the output of command " show access-session interface g1/x/x detail" , but the endpoint  still don't have access to the network.

only if the pre-auth-acl is removed from this switch port then the network access restores.

 

I have tried to move one of the endpoint to another spare port ( with pre-auth-acl) and the issue seems to be resolved.

I have asked the client to reboot the switch to see if this could fix the issue, but it will take some time for approval.

Has anyone ran into same issue?  Is this a switch bug related?

 

Thanks.

 

 

2 people had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to michanna

‎10-07-2019 08:30 PM

There have been a couple bugs discovered since this posting. Your issue might be different depending on the IOS release you are on. If you are on 16.6 then there are two potential issues.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn81334
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq17759

You're best to open a TAC case to ensure you are not facing a different issue.

View solution in original post

7 Replies 7

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎03-17-2019 12:55 PM

Provide us your port config, switch model, and IOS version, there have been some bugs in the past with DACLs but generally they work. It seems odd that the same switch but different port is working.

One thing that comes to mind is that IP device tracking might not be working correctly. If IPDT doesn't work, the DACL won't work. If you can recreate the issue, see if the IPDT database has an IP recorded for the endpoint.
0 Helpful

Go to solution
antonioyan99
Level 1
Level 1
In response to Damien Miller

‎03-17-2019 04:46 PM - edited ‎03-18-2019 07:59 AM

Here is the global config and port level config: 

policy-map type control subscriber DOT1X-DEFAULT
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
20 authenticate using mab priority 20
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template CRITICAL
20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
30 authorize
40 terminate dot1x
50 terminate mab
60 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event aaa-available match-all
10 class IN_CRITICAL_VLAN do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_VLAN do-until-failure
10 resume reauthentication
event authentication-success match-all
10 class always do-until-failure
10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
event violation match-all
10 class always do-until-failure
10 restrict
!

###switch port configuration
interface range gi1/0/1 - 46

device-tracking attach-policy otppipdt_policy
ip access-group Pre-Auth-ACL in
authentication periodic
authentication timer reauthenticate server
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
service-policy type control subscriber DOT1X-DEFAULT

 

The switch is C3850 and the IOS is IXE-16.6.4.

I am using 'device-tracking policy' command for  IP tracking and it is working fine.

 

Thanks.

0 Helpful

Go to solution
michanna
Level 1
Level 1

‎10-07-2019 02:31 PM

I seem to have the same issue. Only the ACL-Default access list shows as applied.

0 Helpful

Go to solution
cpaquet
Level 1
Level 1
In response to michanna

‎10-07-2019 03:12 PM

I saw the same issue at a customer last week, on C3850 IOS 16.09.04.

The interface has a pre-AuthC pACL, but refuses the dACL pushed by ISE, upon successful MAB authentication. I turned on debug radius authentication and saw the same error messages that are listed on Cisco bug report CSCvr13213:

068083: Aug 26 201909:54:47.272 UTC: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (0023.247e.5b91) on Interface GigabitEthernet1/0/3 AuditSessionID EEEBEC0A000077EDCD1FE915.

 

However, our circumstances were different:  we saw that error with a simple MAB authentication (the bug report is about CWA not accepting the redirect-acl).  I applied the fix recommended in the bug report, but it didn't fix the issue at the customer.  Cisco engs are there this week, for hopefully, the customer will let me know if prob was fixed.

0 Helpful

Go to solution
michanna
Level 1
Level 1
In response to cpaquet

‎10-07-2019 03:31 PM

Thanks, I will check out that bug notice.
0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to michanna

‎10-07-2019 08:30 PM

There have been a couple bugs discovered since this posting. Your issue might be different depending on the IOS release you are on. If you are on 16.6 then there are two potential issues.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn81334
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq17759

You're best to open a TAC case to ensure you are not facing a different issue.

Go to solution
tauk
Level 1
Level 1

‎10-14-2020 05:23 PM

Hi,

 

I had the same issue which got resolved by applying the command on the switch

radius-server vsa send authentication

In my debug radius -> I could see the DACL being downloaded!

 

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents