Cisco ISE dACL won't apply to the port

radumihai (Level 1)

Hello, 

I'm struggling to configure a switchport to use a dACL configured on Cisco ISE. 

 

Environment:

  • Cisco ISE 3.1.0.518 (VM in VMware)
  • vios_l2 (vios_l2-ADVENTERPRISEK9-M), Version 15.2(4.0.55)E (inside EVE-NG)
  • Ubuntu Desktop (inside EVE-NG)

 

Switch Config

aaa new-model
dot1x system-auth-control
radius server ISER1
  address ipv4 192.168.183.51 auth-port 1812 acct-port 1813
  key radiuskey
aaa group server radius ISEG1
  server name ISER1
  ip radius source-interface Vlan1
aaa authentication dot1x default group ISEG1
aaa authorization network default group ISEG1
aaa accounting dot1x default start-stop group ISEG1
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
ip device tracking
ip device tracking probe delay 10
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping vlan 2
no ip dhcp snooping information option
! GigabitEthernet0/3: connected to the PC
interface GigabitEthernet0/3
  switchport mode access
  switchport access vlan 2
  spanning-tree portfast
  dot1x pae authenticator  
  authentication port-control auto 
! GigabitEthernet0/0: uplink
interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport mode trunk
  ip dhcp snooping trust
 
Cisco ISE Configuration
  • the switch is configured in Network Devices
  • local users configured in Identities/ Network Access Users
  • rules configured for 802.1X authentication and authorization
  • authorization profile configured for VLAN assignment and/or dACL

With just VLAN assignment and the current configuration, everything seems to work fine. The port starts in VLAN2, authentication and authorization occur, the port is moved to VLAN10, it gets an IP via DHCP from VLAN10 and it has full connectivity.


Switch(config)#do show ip device tracking all
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 10
---------------------------------------------------------------------------------------
  IP Address     MAC Address     Vlan  Interface            Probe-Timeout  State   Source
---------------------------------------------------------------------------------------
  10.100.10.4    0050.0000.0f00  10    GigabitEthernet0/3   30             ACTIVE  ARP

If I configure the authorization profile to also push a default dACL (for example PERMIT_ALL_IPV4_TRAFFIC), the switch receives the RADIUS Access-Accept from ISE and downloads the dACL, but it sends an EAP-Failure back to the user. The supplicant tries again with the same result and gives up at some point. There is no entry in show ip device tracking all.


If I configure the profile to push a custom dACL, the AAA process is successful and the supplicant receives the EAP-Success message and gets an IP address from VLAN10, but it is put in VLAN2 according to show ip device tracking and there is no connectivity.


Switch(config-if)#do show ip device tracking all
-------------------------------------------------------------
  IP Address     MAC Address     Vlan  Interface            Probe-Timeout  State   Source
-------------------------------------------------------------
  10.100.10.4    0050.0000.0f00  2     GigabitEthernet0/3   30             ACTIVE  ARP

If I configure just the dACL authorization (it doesn't matter what kind of dACL is used), the ISE server sends RADIUS Access-Accept for network access and the dACL download, but the switch sends EAP-Failure to the supplicant.

What could be the problem? I'm not sure whether this behavior is caused by my configuration and there is something wrong with it, or by the fact that the switch is virtual, inside EVE-NG, inside VMware.

 

Thanks in advance,

Radu
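To make the two-step mechanism behind the symptoms above concrete (an Access-Accept that only references the dACL, followed by a second Access-Request in which the switch downloads the ACL body), here is an added Python illustration. It is not code from this post, from Cisco ISE or from IOS: a minimal RADIUS codec (RFC 2865 framing, Vendor-Specific attribute 26, Cisco vendor ID 9, cisco-avpair sub-type 1) plus the Response Authenticator check a switch performs before trusting the ACL it receives. The shared secret is the `radiuskey` from the posted config; the packet identifiers, the user name, and the `#ACSACL#-IP-...-57f6b0d3` dACL name with its hash suffix are constructed for the example, and the EAP and Message-Authenticator attributes of a real 802.1X exchange are left out.

```python
"""RADIUS exchange behind a Cisco dACL download (added illustration, not code
from the original post, Cisco ISE or IOS). Minimal RFC 2865 framing with
Vendor-Specific attribute 26, Cisco vendor ID 9 and cisco-avpair sub-type 1.
Identifiers, user name and the dACL name/hash suffix are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_VSA = 1, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
SECRET = b"radiuskey"  # 'key radiuskey' from the posted switch config
DACL_NAME = "#ACSACL#-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3"  # constructed name and hash

def _attr(atype: int, value: bytes) -> bytes:
    """Generic attribute TLV: type(1) length(1) value; value at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying one cisco-avpair string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return _attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_request(ident: int, attrs: bytes) -> bytes:
    """Access-Request: header, random 16-byte Request Authenticator, attributes."""
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16) + attrs

def build_response(code: int, request: bytes, attrs: bytes, secret: bytes = SECRET) -> bytes:
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(request: bytes, reply: bytes, secret: bytes = SECRET) -> bool:
    """What the switch must check before acting on anything the reply carries."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def cisco_avpairs(packet: bytes) -> list:
    """Walk the attribute list and return every cisco-avpair string, in order."""
    pairs, off = [], 20
    while off < len(packet):
        if off + 2 > len(packet) or packet[off + 1] < 2 or off + packet[off + 1] > len(packet):
            raise ValueError("malformed attribute")
        atype, alen = packet[off], packet[off + 1]
        value = packet[off + 2:off + alen]
        off += alen
        if atype != ATTR_VSA or len(value) < 4 or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = 4
        while sub < len(value):
            if sub + 2 > len(value) or value[sub + 1] < 2 or sub + value[sub + 1] > len(value):
                raise ValueError("malformed vendor sub-attribute")
            vtype, vlen = value[sub], value[sub + 1]
            if vtype == CISCO_AVPAIR:
                pairs.append(value[sub + 2:sub + vlen].decode())
            sub += vlen
    return pairs

def simulate_dacl_download() -> dict:
    """Phase 1: Access-Accept that only references the dACL. Phase 2: the switch
    fetches the ACL body with a second Access-Request (User-Name = dACL name)."""
    req1 = build_request(10, _attr(ATTR_USER_NAME, b"ise.user1"))  # EAP attributes elided
    accept1 = build_response(ACCESS_ACCEPT, req1,
                             cisco_avpair(f"ACS:CiscoSecure-Defined-ACL={DACL_NAME}"))
    if not verify_response(req1, accept1):
        raise ValueError("phase 1 reply failed the Response Authenticator check")
    refs = [p for p in cisco_avpairs(accept1) if p.startswith("ACS:CiscoSecure-Defined-ACL=")]
    acl_name = refs[0].split("=", 1)[1]
    req2 = build_request(11, _attr(ATTR_USER_NAME, acl_name.encode())
                         + cisco_avpair("aaa:service=ip_admission")
                         + cisco_avpair("aaa:event=acl-download"))
    # ISE returns one ip:inacl#N pair per ACE; a long ACL simply spans more VSAs.
    accept2 = build_response(ACCESS_ACCEPT, req2, cisco_avpair("ip:inacl#1=permit ip any any"))
    if not verify_response(req2, accept2):
        raise ValueError("phase 2 reply failed the Response Authenticator check")
    aces = [p.split("=", 1)[1] for p in cisco_avpairs(accept2) if p.startswith("ip:inacl#")]
    return {"dacl": acl_name, "download_avpairs": cisco_avpairs(req2), "aces": aces}

def tampered_reply_rejected() -> bool:
    """A flipped bit in the ACL body, or a wrong shared secret, must fail verification."""
    req = build_request(12, _attr(ATTR_USER_NAME, DACL_NAME.encode()))
    good = build_response(ACCESS_ACCEPT, req, cisco_avpair("ip:inacl#1=permit ip any any"))
    bad = good[:-1] + bytes([good[-1] ^ 0x01])
    return (verify_response(req, good) and not verify_response(req, bad)
            and not verify_response(req, good, secret=b"wrongkey"))

if __name__ == "__main__":
    print(simulate_dacl_download())
```

The `ip:inacl#N` pairs in the second reply are the lines the switch programs on the port and that ISE Live Logs show under the ACL-download entry. One practical consequence of the check in `verify_response`: RFC 2865 requires a reply whose Response Authenticator does not match to be silently discarded, so a shared-secret mismatch on the dACL download does not produce a reject in the logs but a retransmit and, eventually, a dead-server mark on the switch.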

Accepted Solution

Arne Bier (VIP)

Sounds like a groovy lab setup you have there. As much as I love the idea of vios_l2, I always find something about it that seems unreliable and incomplete. I wish Cisco did more updates on it. I suspect it's a race condition. 

Have you tried to NOT switch the VLAN, and then see if the dACL is applied correctly?

BTW, you can see the programming of the ACLs on the interface (how the combination of port ACL and dACL looks)

show platform software fed switch 1 acl interface | begin <MAC-address>

Might not work on vios perhaps. 


Hi Arne

Thanks for your input. I have tried not to switch the VLAN and just apply a dACL. Unfortunately, it doesn't work either. The ISE server sends Access-Accept, the switch sends a request for the dACL and it is also downloaded (according to ISE Live Logs and packet captures), but the switch sends an EAP-Failure back to the supplicant.

Do you have CoA configured on the switch?

Hi Aref,

No, I didn't at the time. By configuring CoA on the switch I managed to see some differences, but overall it is not working.

  • Using CoA and a default dACL (permit ip any any), the supplicant obtains EAP-Success from the switch and manages to get an IP from the DHCP server (according to the VLAN assigned using the authorization profile), but any other traffic is not allowed through the port.

Switch(config-if)#do show authentication session int gi0/3 det
Interface: GigabitEthernet0/3
MAC Address: 0050.0000.0f00
IPv6 Address: Unknown
IPv4 Address: 10.100.10.5
User-Name: ise.user1
Status: Unauthorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0000020000005A195797DE
Acct Session ID: 0x00000034
Handle: 0x4800003C
Current Policy: POLICY_Gi0/3

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Method status list:
Method State
dot1x Authc Success

  • Using CoA and a custom dACL, the switchport sends EAP-Failure even though the ISE server sent an Access-Accept.

 

Just with a VLAN change configured, everything seems to work fine.

Switch(config-if)#do show authentication session int gi0/3 det
Interface: GigabitEthernet0/3
MAC Address: 0050.0000.0f00
IPv6 Address: Unknown
IPv4 Address: 10.100.10.5
User-Name: ise.user1
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0000020000005819538DF2
Acct Session ID: 0x00000033
Handle: 0x0D00003A
Current Policy: POLICY_Gi0/3

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:

Method status list:

Method State
dot1x Authc Success

 

 

I can't see the dACL reference in the output you shared. Did you enable CoA in the switch properties in ISE?

How do I enable CoA for the switch in ISE?

I have configured the following on the switch in CLI, and in ISE I have the device profile configured as Cisco, and under RADIUS Authentication Settings the CoA port is configured as 1700.

aaa server radius dynamic-author
  client 192.168.183.51 server-key radiuskey 

It is part of the RADIUS settings under Network Devices in ISE; if you see 1700 next to the CoA port, that should be enough.

Arne Bier (VIP)

The sticking point seems to be the dACL. So let's return to our trusted reference guide, and I would suggest adding the following in this order:

1. Try adding this global command from the Deployment Guide (point 25.) - it wasn't 100% clear to me from the description what it does, but it might help

access-session acl default passthrough

 

2. If that alone doesn't fix it, then try the Low Impact Mode by defining a pre-auth ACL and assigning it to your interface. 

ip access-list extended IPV4_PRE_AUTH_ACL
  permit udp any eq bootpc any eq bootps
  permit udp any any eq domain
  deny ip any any
!
interface GigabitEthernet0/3
  ip access-group IPV4_PRE_AUTH_ACL in

Test the auth and monitor the cumulative effect with the show command

show ip access-list interface gig0/3