Hi guys,
I try to understand something about Authorization Policy and implement it on my Lab
I have Lab environment in GNS3 that I connect to physical switch c3750,
On that switch I setup the port Fa2/0/7 as follow:
interface FastEthernet2/0/7
switchport mode access
ip access-group SAMPLE-ACL in
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
And the ACL is:
Extended IP access list SAMPLE-ACL
10 deny icmp any host 8.8.8.8
20 permit ip any any (74 matches)
In the Authorization Policy I try to implement policy that accept Wired MAB and base on the MAC implement some ACL that permit 8.8.8.8
It doesn't work and the switch doesn't get my ACL...:\
On Policy Element>Authorization Profiles, I add a new Authorization Profile named "Our_Author_profile" and in the Access Type I selected ACCESS_ACCEPT and in Common Tasks >DACL name I selected the PERMIT_ALL_TRAFFIC and save the change.
On "Policy>Authorization>Authorization Policy I add a new rule named "MAC and AD users Auth" in the conditions I setup the follow:
On the the port Fa2/0/7 I get 3 MAC's, 1-for the win7 PC and more two (that arrived from my virtual interfaces that I make on my machine [linux])
how can I force the ISE to implement the DACL on port 2/0/7?
Why it doesn't work for me?
The authorization success on the port but the ACL doesn't implement on my switch.
Accepted Solutions
Hi guys!
Big thanks so much!!
I had some rule (policy>authorization) that was before my rule named "Basic_Authentication_Access" with "PermitAccess" and my device authorize by that rule and not my the rule that I make:
So I delete my rule and on the "Basic_Authentication_Access" I change the Permissions to "Out_Author_profile" that apply DACL (PERMIT_ALL_TRAFFIC),
On my switch (c3750) I apply some ACL that reject ICMP to 8.8.8.8 on the interface 2/0/8,
And at the time I have some ping test to 8.8.8.8 (which failed because of the SAMPLE-ACL that reject it) and I reconnect to the network using native supplicate with the user "bob", and as I succeeded to authenticate the switch get my dACL and the ping test was succeeded!:]
And now at-lest I can see the applying ACL!!:]
Cheers!!!:]
Hi Hosuk,
Thanks for reply
I can't see any ACL that I tried to apply via the comman 'show ip access-list interface fastethernet 2/0/7'
I started to read your document! and it's look great!!:]
Thanks again:]
I setup again DACL, and the results are the same, the ACL doesn't implemented on my switch..
What I missed?
Is ip device tracking configured? If yes can you see anything with show ip device tracking all
You could try to add the epm logging command that give you some dACL related messages.
And also debug epm for more info.
And if the ACL syntax is wrong the switch will ignore it, but you probably verified it in ISE (a bigger problem before 
)
Quick edit: See Hosuk's link Universal Switch Config. If I remember right, there are some information about epm logging there
Hi guys!
Big thanks so much!!
I had some rule (policy>authorization) that was before my rule named "Basic_Authentication_Access" with "PermitAccess" and my device authorize by that rule and not my the rule that I make:
So I delete my rule and on the "Basic_Authentication_Access" I change the Permissions to "Out_Author_profile" that apply DACL (PERMIT_ALL_TRAFFIC),
On my switch (c3750) I apply some ACL that reject ICMP to 8.8.8.8 on the interface 2/0/8,
And at the time I have some ping test to 8.8.8.8 (which failed because of the SAMPLE-ACL that reject it) and I reconnect to the network using native supplicate with the user "bob", and as I succeeded to authenticate the switch get my dACL and the ping test was succeeded!:]
And now at-lest I can see the applying ACL!!:]
Cheers!!!:]
