Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1860
Views
0
Helpful
2
Replies

Downloadable ACL not working ISE 2.1

Go to solution
Ruelb2214
Level 1
Level 1

‎05-12-2019 08:28 PM - edited ‎02-21-2020 11:05 AM

Hi guys,

 

Any one experience dacl not working in version ISE 2.1?

 

we want to block ftp/21 port in one of our printer subnet, so we use dacl to implement it! After we bounce the port and device go through MAB we still able to telnet to printer subnet although it says deny in ACL. Below the config for your reference.

 

interface GigabitEthernet1/21
 description PRINTER
 switchport access vlan 104
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 104
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 2
 storm-control broadcast level 1.00 0.50
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip dhcp snooping limit rate 30
end


#sh ip access-lists int g1/21
     deny tcp host 10.67.38.18 any eq ftp
     deny udp host 10.67.38.18 any eq 21
     deny tcp host 10.67.38.18 any eq 3389
     deny udp host 10.67.38.18 any eq 3389
     permit ip host 10.67.38.18 10.0.0.0 0.255.255.255
     permit ip host 10.67.38.18 10.240.48.0 0.0.0.255
     deny ip host 10.67.38.18 any

#sho authentication sessions interface g1/21
            Interface:  GigabitEthernet1/21
          MAC Address:  001b.78f2.13e4
           IP Address:  10.67.38.18
            User-Name:  00-1B-78-F2-13-E4
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-PRINTER_ACL-5cbfd066
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A4320150003AD782BD7E3F2
      Acct Session ID:  0x00043A5F
               Handle:  0x060004F0

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎05-13-2019 05:30 AM

dACL is always applied inbound. Please try other ACL type such as per-user ACL method for outbound access control:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/119374-technote-dacl-00.html#anc14

 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
howon
Cisco Employee
Cisco Employee

‎05-13-2019 05:30 AM

dACL is always applied inbound. Please try other ACL type such as per-user ACL method for outbound access control:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/119374-technote-dacl-00.html#anc14

 

0 Helpful

Go to solution
Ruelb2214
Level 1
Level 1
In response to howon

‎05-20-2019 08:49 PM

OK..will try it.

 

Will update this thread later

0 Helpful
Customers Also Viewed These Support Documents