authentication control-direction in - Host stops working

Niklas.D
Level 1

So I was testing a new ACL and DACL, and noticed that when I did a shut and no shut on the port where my lab host was, the machine would lose its DHCP address, but after 10 seconds it would regain the IP and then 1 second later lose it again.

This just repeats, but when I remove the line authentication control-direction in it works fine.

I have this line on all my dot1x ports, and this hasn't happened before.

Am I missing something when I am adding ACLs/DACLs on the port?

3 Replies

Mike.Cifelli
VIP Alumni
FYSA
When you configure an interface as unidirectional via the <authentication control-direction in> command, the port changes to the spanning-tree forwarding state. The port can send packets to the host but cannot receive packets from the host.

When you configure a port as bidirectional using the <authentication control-direction both> command, the port is access-controlled in both directions. The port does not receive packets from or send packets to the host.

Lastly, that command enables 802.1x authentication with the wake-on-LAN (WoL) feature.

Try creating an ACL that gets applied to the interface and is then overridden by the DACL received from ISE via the authz profile.
ip access-group Base_ACL in
...
#sh ip access-lists Base_ACL
10 deny ip any any
Good luck & HTH!

Hi Mike,

FYSA? I don't understand that one :)

So I already have an ACL:

interface GigabitEthernet0/2
description 802.1X
switchport access vlan 32
switchport mode access
switchport voice vlan 14
ip access-group Pre-ISE in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 2
spanning-tree portfast
spanning-tree bpduguard enable
ip access-list extended Pre-ISE
permit icmp any any
permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

(this is just a test ACL)

And then I have a DACL that is an any any.

What I want is that if a client that is infected connects to my network, it will not be able to use VLAN 32 to spread to other clients on that network, even if most other clients will be verified and moved to another VLAN.

And that seems to kind of work, until in this lab I connect a PC and the PC keeps losing the connection, until I remove the "authentication control-direction in".

 

For Your Situational Awareness :)
IMO using this:
ip access-list extended Pre-ISE
permit icmp any any
permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
is going to allow a host to send pings (possible ping sweep) and bootp traffic. Remove the 'authentication control-direction in' and try with the Base_ACL I provided you. Run tests which include full onboarding (i.e. normal authz network access and a rogue computer connection). Set up the ISE default authz to push some sort of non-compliant DACL.

"What I want is that if a client that is infected connects to my network, it will not be able to use VLAN 32 to spread to other clients on that network, even if most other clients will be verified and moved to another VLAN."
-The Base_ACL will aid in deterring this situation should ISE connectivity be lost from the NAD. Ensure in ISE authz policies you have unique conditions so that any rogue computer will hit default. Hitting the default policy should apply a non-compliant DACL and possibly move the rogue host into a blackhole. Good luck & HTH!
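As an added example (not from the thread or from Cisco), here is a small Python evaluator for the IOS extended ACL entries quoted above, comparing what an unauthenticated host can send through the Pre-ISE ACL versus the Base_ACL; the sample flows and the 10.32.0.x addresses are constructed for illustration.

```python
# Added example: evaluate IOS-style extended ACL entries (as quoted in the
# thread) against a few constructed pre-authentication flows.
import ipaddress

PRE_ISE = [
    "permit icmp any any",
    "permit udp host 0.0.0.0 host 255.255.255.255 eq bootps",
]
BASE_ACL = ["deny ip any any"]

PORT_NAMES = {"bootps": 67, "bootpc": 68}

# Constructed flows: (protocol, source, destination, destination port)
FLOWS = {
    "dhcp_discover": ("udp", "0.0.0.0", "255.255.255.255", 67),
    # A DHCP renewal is unicast from the client's leased IP to the server,
    # so it is not covered by the 'host 0.0.0.0 -> broadcast' entry.
    "dhcp_renew": ("udp", "10.32.0.10", "10.32.0.2", 67),
    "ping_peer": ("icmp", "10.32.0.10", "10.32.0.25", None),
    "smb_peer": ("tcp", "10.32.0.10", "10.32.0.25", 445),
}

def _match_addr(token_iter, addr):
    """Consume 'any' or 'host X' from the ACE tokens and test addr against it."""
    tok = next(token_iter)
    if tok == "any":
        return True
    if tok == "host":
        return ipaddress.ip_address(next(token_iter)) == ipaddress.ip_address(addr)
    raise ValueError(f"unsupported address form: {tok}")

def _match_port(rest, dport):
    """Handle an optional trailing 'eq <port>' destination-port qualifier."""
    if not rest:
        return True
    if rest[0] == "eq":
        want = PORT_NAMES.get(rest[1])
        return dport == (int(rest[1]) if want is None else want)
    raise ValueError(f"unsupported port qualifier: {rest[0]}")

def ace_matches(ace, proto, src, dst, dport=None):
    """Return the ACE's action if the flow matches it, else None."""
    tokens = iter(ace.split())
    action, ace_proto = next(tokens), next(tokens)
    if ace_proto != "ip" and ace_proto != proto:
        return None
    if not _match_addr(tokens, src) or not _match_addr(tokens, dst):
        return None
    return action if _match_port(list(tokens), dport) else None

def acl_decision(acl, proto, src, dst, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        action = ace_matches(ace, proto, src, dst, dport)
        if action is not None:
            return action
    return "deny"

def pre_auth_exposure(acl, flows):
    """Map each flow name to the ACL's verdict for that flow."""
    return {name: acl_decision(acl, *flow) for name, flow in flows.items()}
```

Running `pre_auth_exposure(PRE_ISE, FLOWS)` shows the initial DHCP discover and peer pings permitted while the unicast renewal and SMB are denied; `pre_auth_exposure(BASE_ACL, FLOWS)` denies everything, leaving all access to the DACL that ISE pushes.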