Cisco ISE ACL and URL Redirect not showing in 'show auth sessions int f0/4'

laurathaqi
Level 3

Dear community,

I have done the AnyConnect Posture configuration in ISE and on the switch. A DACL should first be applied to the port, and then the redirect ACL on the switch.

Live Logs show that the DACL is being pushed, but 'show auth sess int f0/4' does not show the DACL as applied in the switch console.

I have a feeling that the DACL and redirect URL are not being sent to the switch, even though the live log says they are being sent to the switch port. However, I am not sure how to verify that, i.e. how to find the attributes that are being sent to the switch port.

The other odd thing is that the flow DACL -> ACL -> redirect URL, which should have happened, stops at the DACL step and does not proceed to the other two steps. This assumption is based on the ISE Live Logs. The AnyConnect posture is stuck in the Pending state because of this.

Any thoughts on how to find the attributes being sent to the switch, and/or how to troubleshoot the process?

One of my issues on the switch is that even though all logs are enabled for AAA and RADIUS, I can't get any log generated on the switch console, which leaves me blind from the switch perspective.

I also tried 'show epm stat int f0/4' but no data is shown.

Any thoughts or suggestions would be highly appreciated.

Thank you,

Laura
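As an added example (not from the thread), the following Python works the switch side of the question above: it parses 'show authentication sessions interface' output to see which of the three stages (DACL, redirect ACL, redirect URL) the switch actually applied, reports the usual reason each stage is missing, and sanity-checks the redirect ACL from 'show ip access-lists'. The sample outputs, the PSN address 10.10.10.5, the ACL name ACL-POSTURE-REDIRECT and the DACL name are all constructed placeholders.

```python
"""Checks for the ISE posture authorization chain as seen from the switch.
Added example with constructed 'show' output; names and IPs are placeholders."""
import re

# Constructed: a healthy session with DACL, redirect ACL and redirect URL all applied.
SESSION_OK = """\
            Interface:  FastEthernet0/4
          MAC Address:  0050.56bd.1234
           IP Address:  10.1.20.50
            User-Name:  host/pc1.example.com
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-5a1b2c3d
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://ise.example.com:8443/portal/gateway?sessionId=0A01140A0000001F&action=cpp
    Common Session ID:  0A01140A0000001F0001B2C3
"""

# Constructed: the symptom from the thread, DACL named, nothing after it, no client IP learned.
SESSION_STUCK = """\
            Interface:  FastEthernet0/4
          MAC Address:  0050.56bd.1234
           IP Address:  Unknown
            User-Name:  host/pc1.example.com
               Status:  Authz Success
               Domain:  DATA
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-5a1b2c3d
    Common Session ID:  0A01140A0000001F0001B2C3
"""

# Constructed 'show ip access-lists' output for the redirect ACL (10.10.10.5 = placeholder ISE PSN).
ACL_OK = """\
Extended IP access list ACL-POSTURE-REDIRECT
    10 deny udp any any eq domain
    20 deny ip any host 10.10.10.5
    30 permit tcp any any eq www
    40 permit tcp any any eq 443
"""

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(.*?)\s*$")


def parse_session(text):
    """'show authentication sessions interface ...' -> {field: value}."""
    fields = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def posture_stages(text):
    """Which of the three authorization stages the switch actually applied, in order."""
    f = parse_session(text)
    present = lambda k: f.get(k, "N/A") not in ("N/A", "")
    return [s for s, k in (("dacl", "ACS ACL"),
                           ("redirect-acl", "URL Redirect ACL"),
                           ("redirect-url", "URL Redirect")) if present(k)]


def diagnose(text):
    """Findings for a session that did not reach the full posture stage (empty list = fine)."""
    f = parse_session(text)
    stages = posture_stages(text)
    findings = []
    if f.get("IP Address", "Unknown") in ("Unknown", "0.0.0.0", ""):
        findings.append("client IP not learned: enable 'ip device tracking'; "
                        "without it the DACL and redirect are not applied to the session")
    if "dacl" in stages and "redirect-acl" not in stages:
        findings.append("DACL named but no URL Redirect ACL: the url-redirect-acl AV-pair was not "
                        "returned or not accepted (check the ISE authorization profile and "
                        "'radius-server vsa send authentication')")
    if "redirect-acl" in stages and "redirect-url" not in stages:
        findings.append("redirect ACL set but no URL: ISE did not return the url-redirect AV-pair")
    return findings


def check_redirect_acl(acl_text, name, ise_ip):
    """Sanity-check the switch-side redirect ACL (permit = redirect, deny = bypass).
    Returns a list of problems; empty means the ACL is usable for a posture redirect."""
    block = re.search(r"Extended IP access list %s\n((?:[ \t]+\d+ .*\n?)+)" % re.escape(name), acl_text)
    if not block:
        return ["redirect ACL %s not found on the switch" % name]
    entries = [l.split(None, 1)[1] for l in block.group(1).strip().splitlines()]
    seq = " | ".join(entries)
    problems = []
    if not re.search(r"deny ip any host %s" % re.escape(ise_ip), seq):
        problems.append("no 'deny ip any host %s': traffic to ISE itself would be redirected (loop)" % ise_ip)
    if not re.search(r"deny udp any any eq (domain|53)", seq):
        problems.append("DNS is redirected; the client cannot resolve the ISE portal hostname")
    for port in ("www", "443"):
        if not re.search(r"permit tcp any any eq %s" % port, seq):
            problems.append("no 'permit tcp any any eq %s': HTTP(S) will not be intercepted" % port)
    return problems


if __name__ == "__main__":
    for label, s in (("ok", SESSION_OK), ("stuck", SESSION_STUCK)):
        print(label, posture_stages(s), diagnose(s))
    print(check_redirect_acl(ACL_OK, "ACL-POSTURE-REDIRECT", "10.10.10.5"))
```

Paste real output of the two show commands into the sample strings to run it against your own switch. The order of the checks mirrors the flow in the question: the DACL is only applied once the switch knows the client IP, the redirect ACL must exist locally under the exact name ISE sends in url-redirect-acl, and the URL itself only matters once the first two are in place.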

Accepted Solution

hslai
Cisco Employee

Please refer to ISE Secure Wired Access Prescriptive Deployment Guide

It's possible the particular switch does not support it.


6 Replies

Peter Koltl
Level 7

Do you have the proper 

aaa authorization network ...

command in the switch?

Hi, 

 

Thank you for your feedback!

 

Please find the AAA configuration below:

 

! 802.1X authentication against the RADIUS server group (the ISE PSN)
aaa authentication dot1x default group radius
aaa authorization console
! Network authorization is what lets the switch accept and apply the
! authorization attributes (DACL, url-redirect-acl, url-redirect) from the Access-Accept
aaa authorization network default group radius
aaa authorization network auth-list group radius
! Interim accounting updates every 5 minutes
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius

 

Where 'radius' is the server group containing the ISE PSN that I have defined.

 

Looking forward to hearing from you. 

 

Thank you,

Laura 
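As an added example (not from the thread or the deployment guide), the configuration below shows the switch-side prerequisites the posture flow depends on beyond the AAA lines above, on a Catalyst 2960 LAN Base running a supported IOS, followed by the show and debug commands that reveal what the switch actually received from ISE. The PSN address 10.10.10.5, the ACL name ACL-POSTURE-REDIRECT, the interface and the shared-secret placeholder are assumptions.

```ios
! Added example: global prerequisites for DACL + URL redirect on a Catalyst 2960 (LAN Base)
aaa new-model
dot1x system-auth-control
!
! The switch must learn the client IP; per-session DACLs and redirects are not applied without it
ip device tracking
!
! HTTP/HTTPS intercept for the URL redirect
ip http server
ip http secure-server
!
! Send and accept Cisco AV-pairs (url-redirect-acl, url-redirect, ACS:CiscoSecure-Defined-ACL)
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
!
! Assumption: ISE PSN at 10.10.10.5; <shared-secret> is a placeholder
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Change of Authorization: ISE re-authorises the session once posture is compliant
aaa server radius dynamic-author
 client 10.10.10.5 server-key <shared-secret>
!
! Redirect ACL: permit = intercept and redirect, deny = leave the packet alone.
! DNS and traffic to ISE itself must not be redirected or the portal never loads.
ip access-list extended ACL-POSTURE-REDIRECT
 deny   udp any any eq domain
 deny   ip any host 10.10.10.5
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface FastEthernet0/4
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode multi-auth
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Verification (exec mode)
! show authentication sessions interface FastEthernet0/4
!     expect ACS ACL, URL Redirect ACL and URL Redirect all populated
! show ip access-lists
!     the DACL appears as xACSACLx-IP-<name>-<hash> once downloaded
! show ip device tracking all
!     the client must have a learned IP address
! show ip http server status
! debug radius
!     prints every AV-pair in the Access-Accept as the switch receives it
! debug epm all
```

If you are connected over SSH or Telnet, debug output only reaches your session after 'terminal monitor'; on the physical console it needs 'logging console debugging'. Without one of these the switch looks silent even with all AAA and RADIUS debugs enabled. 'debug radius' is the direct answer to the question of which attributes arrive at the switch: the url-redirect-acl and url-redirect AV-pairs either appear there or they were never sent.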


Hi @hslai

That might be it. The switch is a Catalyst 2960 running IOS 12.2. I will do a test on another switch and keep you updated.

Thank you for your support.

Best wishes,

Laura

You should not test with IOS 12.2; upgrade.

Your post is not specific on the model of 2960 switch, so you should also confirm that you have a LAN Base model and not LAN Lite. The LAN Lite model does not support features like CoA or DACLs, so it is not validated/supported with ISE. The LAN Lite model is different hardware, so it cannot be upgraded to LAN Base for ISE support.

See this datasheet for the model numbers associated with LAN Lite.
