05-12-2019 08:28 PM - edited 02-21-2020 11:05 AM
Hi guys,
Has anyone experienced a dACL not working in ISE version 2.1?
We want to block FTP (port 21) in one of our printer subnets, so we used a dACL to implement it. After we bounce the port and the device goes through MAB, we are still able to telnet to the printer subnet, although the ACL says deny. Below is the config for your reference.
interface GigabitEthernet1/21
 description PRINTER
 switchport access vlan 104
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 104
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 2
 storm-control broadcast level 1.00 0.50
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip dhcp snooping limit rate 30
end

#sh ip access-lists int g1/21
    deny tcp host 10.67.38.18 any eq ftp
    deny udp host 10.67.38.18 any eq 21
    deny tcp host 10.67.38.18 any eq 3389
    deny udp host 10.67.38.18 any eq 3389
    permit ip host 10.67.38.18 10.0.0.0 0.255.255.255
    permit ip host 10.67.38.18 10.240.48.0 0.0.0.255
    deny ip host 10.67.38.18 any

#sho authentication sessions interface g1/21
            Interface:  GigabitEthernet1/21
          MAC Address:  001b.78f2.13e4
           IP Address:  10.67.38.18
            User-Name:  00-1B-78-F2-13-E4
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-PRINTER_ACL-5cbfd066
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A4320150003AD782BD7E3F2
      Acct Session ID:  0x00043A5F
               Handle:  0x060004F0

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
05-13-2019 05:30 AM
A dACL is always applied inbound. Please try another ACL type, such as the per-user ACL method, for outbound access control:
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/119374-technote-dacl-00.html#anc14
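As an added illustration of the point in this answer (not part of the original reply, and not taken from the poster's switch): the dACL shown in the question is attached inbound on g1/21 with the source rewritten to the printer's address, so it only ever evaluates packets the printer sends. A telnet to port 21 of the printer arrives from the network side and leaves g1/21 outbound, where no dACL is consulted, and the printer's reply carries source port 21 rather than destination port 21, so `deny tcp host 10.67.38.18 any eq ftp` never matches that flow either. The fragment below sketches the per-user ACL alternative: named ACLs configured locally on the switch and referenced from the RADIUS Filter-Id attribute with an `.in`/`.out` suffix. The ACL names `PRINTER-IN` and `PRINTER-OUT` are assumed for this example; the exact per-user ACL restrictions (older Catalyst guides limit per-user ACLs to single-host mode) should be checked against the linked Cisco document for the platform in use.

```text
! --- Why the posted dACL cannot block telnet TO the printer ---
!
!   network host --> tcp dst 10.67.38.18:21 --> switch --> g1/21 --> printer
!                    (leaves g1/21 outbound: no dACL evaluation)
!   printer      --> reply, tcp src port 21  --> g1/21 inbound --> dACL
!                    ("any eq ftp" matches DESTINATION port: no hit)
!   printer      --> ftp to 10.x.x.x:21      --> g1/21 inbound --> dACL: DENY
!                    (this is the only direction the dACL controls)
!
! --- Per-user ACL alternative (assumed names, not from the original post) ---
! 1. Define both directions as ordinary named ACLs on the switch. Unlike a
!    dACL, addresses are NOT rewritten per endpoint, so write the host explicitly.
ip access-list extended PRINTER-OUT
 remark traffic sent out g1/21 towards the printer
 deny   tcp any host 10.67.38.18 eq ftp
 deny   tcp any host 10.67.38.18 eq 3389
 permit ip any any
!
ip access-list extended PRINTER-IN
 remark traffic the printer sends into the network
 deny   tcp host 10.67.38.18 any eq ftp
 deny   tcp host 10.67.38.18 any eq 3389
 permit ip host 10.67.38.18 10.0.0.0 0.255.255.255
 permit ip host 10.67.38.18 10.240.48.0 0.0.0.255
 deny   ip any any
!
! 2. In the ISE authorization profile matched by the printer MAB rule, replace
!    the DACL with RADIUS Filter-Id (IETF attribute 11), one value per
!    direction; the switch resolves the name locally:
!      Filter-Id = PRINTER-IN.in
!      Filter-Id = PRINTER-OUT.out
!    Equivalent cisco-av-pair form, sending the ACEs inline instead of by name:
!      ip:inacl#1=deny tcp host 10.67.38.18 any eq ftp
!      ip:outacl#1=deny tcp any host 10.67.38.18 eq ftp
!
! 3. Re-authenticate the session and verify which ACLs are attached:
!      clear authentication sessions interface g1/21
!      show authentication sessions interface g1/21 details
!      show ip access-lists interface g1/21
!    Then test BOTH directions: from another host, "telnet 10.67.38.18 21"
!    should now fail, and from the printer side an FTP attempt must still be
!    denied by PRINTER-IN. A test in only one direction is what hid this issue.
```

The diagram at the top of the fragment is the check to do before touching ISE: decide whether the traffic to be blocked is sent by the endpoint (inbound on the access port, dACL territory) or sent to it (outbound, which a dACL never sees), and write the ACE from the network's point of view rather than the endpoint's.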
05-20-2019 08:49 PM
OK, will try it.
Will update this thread later.