11-10-2023 05:43 AM
Hello,
I'm struggling to configure a switchport to use a dACL configured on Cisco ISE.
Environment:
Switch Config
Just with VLAN assignment and current configuration everything seems to work fine. The port starts in VLAN2, authentication and authorization occur, the port is moved to VLAN10, it gets an IP via DHCP from VLAN10 and it has full connectivity.
Switch(config)#do show ip device tracking all
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 10
---------------------------------------------------------------------------------------
IP Address MAC Address Vlan Interface Probe-Timeout State Source
---------------------------------------------------------------------------------------
10.100.10.4 0050.0000.0f00 10 GigabitEthernet0/3 30 ACTIVE ARP
If I configure the authorization profile to also push a default dACL (for example PERMIT_ALL_IPV4_TRAFFIC), the switch receives the RADIUS Access-Accept from ISE and downloads the dACL, but it sends back EAP-Failure to the user. The supplicant tries again, same result, and it gives up at some point. There is no entry in show ip device tracking all.
If I configure it to push a custom dACL, the AAA process is successful, the supplicant receives the EAP-Success message and gets an IP address from VLAN10, but it is put in VLAN2 according to show ip device tracking and there is no connectivity.
Switch(config-if)#do show ip device tracking all
-------------------------------------------------------------
IP Address MAC Address Vlan Interface Probe-Timeout State Source
-------------------------------------------------------------
10.100.10.4 0050.0000.0f00 2 GigabitEthernet0/3 30 ACTIVE ARP
If I configure just the dACL authorization (it doesn't matter what kind of dACL is used), the ISE server sends RADIUS Access-Accept for network access and dACL download, but the switch sends EAP-Failure to the supplicant.
What could be the problem? I'm not sure if this behavior is caused by my configuration and there is something wrong with it, or if it is caused by the fact that the switch is virtual, inside EVE-NG, inside VMware.
Thanks in advance,
Radu
11-12-2023 02:35 PM
Sounds like a groovy lab setup you have there. As much as I love the idea of vios_l2, I always find something about it that seems unreliable and incomplete. I wish Cisco did more updates on it. I suspect it's a race condition.
Have you tried to NOT switch the VLAN, and then see if the dACL is applied correctly?
BTW, you can see the programming of the ACLs on the interface (how the combination of port ACL and dACL looks)
show platform software fed switch 1 acl interface | begin <MAC-address>
Might not work on vios perhaps.
11-13-2023 12:27 AM
Hi Arne
Thanks for your input. I have tried not to switch the VLAN and just apply a dACL. Unfortunately, it doesn't work either. The ISE server sends Access-Accept, the switch sends a request for the dACL and it is also downloaded (according to ISE Live Logs and packet captures), but the switch sends back EAP-Failure to the supplicant.
11-13-2023 01:49 AM
Do you have CoA configured on the switch?
11-13-2023 03:02 AM
Hi Aref,
No, I don't at the moment. By configuring CoA on the switch I managed to see some differences, but overall it is not working.
Switch(config-if)#do show authentication session int gi0/3 det
Interface: GigabitEthernet0/3
MAC Address: 0050.0000.0f00
IPv6 Address: Unknown
IPv4 Address: 10.100.10.5
User-Name: ise.user1
Status: Unauthorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0000020000005A195797DE
Acct Session ID: 0x00000034
Handle: 0x4800003C
Current Policy: POLICY_Gi0/3
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Method status list:
Method State
dot1x Authc Success
Just with a VLAN change configured, everything seems to work fine.
Switch(config-if)#do show authentication session int gi0/3 det
Interface: GigabitEthernet0/3
MAC Address: 0050.0000.0f00
IPv6 Address: Unknown
IPv4 Address: 10.100.10.5
User-Name: ise.user1
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0000020000005819538DF2
Acct Session ID: 0x00000033
Handle: 0x0D00003A
Current Policy: POLICY_Gi0/3
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
Method status list:
Method State
dot1x Authc Success
11-13-2023 03:27 AM
I can't see the dACL reference in the output you shared. Did you enable CoA on the switch properties in ISE?
11-13-2023 05:11 AM
How do I enable CoA for the switch in ISE?
I have configured the following on the switch in the CLI, and in ISE I have the device profile configured as Cisco, and under RADIUS Authentication Settings the CoA port is configured as 1700:
aaa server radius dynamic-author
client 192.168.183.51 server-key radiuskey
11-13-2023 06:01 AM
It is part of the RADIUS settings in Network Devices in ISE; if you see 1700 next to the CoA port, then that should be enough.
11-13-2023 02:57 PM
The sticking point seems to be the dACL. So let's return to our trusted reference guide, and I would suggest adding the following, in this order:
1. Try adding this global command from the Deployment Guide (point 25). It wasn't 100% clear to me from the description what it does, but it might help:
access-session acl default passthrough
2. If that alone doesn't fix it, then try the Low Impact Mode by defining a pre-auth ACL and assigning it to your interface.
ip access-list extended IPV4_PRE_AUTH_ACL
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
deny ip any any
!
interface gigabitEthernet 0/3
ip access-group IPV4_PRE_AUTH_ACL in
Test the auth and monitor the cumulative effect with this show command:
show ip access-list interface gig0/3
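To put the pieces discussed in this thread side by side, here is a complete low-impact-mode port configuration for an IOS access switch. It is an added example, not configuration posted by anyone in the thread or taken from Cisco's deployment guide. It reuses the values that do appear above (ISE at 192.168.183.51, shared key radiuskey, CoA port 1700, access VLAN 2, port Gi0/3, the IPV4_PRE_AUTH_ACL and the access-session passthrough command); the RADIUS server name, ports, timers and the dot1x/mab ordering are assumed lab settings.

```cisco
! Added example: low-impact-mode port on an IOS access switch.
! Values from the thread: ISE 192.168.183.51, key radiuskey, VLAN 2, Gi0/3.
! Everything else (server name ISE, ports, ordering) is an assumed lab setting.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! RADIUS server definition (auth/acct ports assumed to be the defaults).
radius server ISE
 address ipv4 192.168.183.51 auth-port 1812 acct-port 1813
 key radiuskey
!
! CoA listener; the key and port (1700) must match the network device entry in ISE.
aaa server radius dynamic-author
 client 192.168.183.51 server-key radiuskey
!
! The switch rewrites a downloaded dACL with the client's tracked IP as the
! source, so IP device tracking has to stay enabled for any dACL to be applied.
ip device tracking
dot1x system-auth-control
!
! Pre-auth ACL from the thread: only DHCP and DNS before authorization succeeds.
ip access-list extended IPV4_PRE_AUTH_ACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
!
! Global command suggested in the thread (Deployment Guide point 25).
access-session acl default passthrough
!
! Low-impact mode: open authentication gated by the pre-auth port ACL,
! with dot1x preferred over MAB; the port starts in the onboarding VLAN 2.
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 2
 ip access-group IPV4_PRE_AUTH_ACL in
 authentication open
 authentication port-control auto
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
 spanning-tree portfast
```

After a test authentication, the two show commands already used in the thread are the ones to compare: show authentication sessions interface gi0/3 details should report Status: Authorized with the dACL listed under Server Policies, and show ip access-list interface gig0/3 should show the pre-auth ACL entries merged with the downloaded dACL rather than the pre-auth ACL alone.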