CWA on ISE and switches

urosbajzelj
Level 1

I was able to configure CWA on the switch and Cisco ISE. It is working as expected. I followed the guide at the link below.

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml

I only have one question. I am trying to understand why an ACL must be configured on the port on the switch. The guide uses an ACL named webauth which permits all traffic. If the port is authorized it receives a dACL from ISE; otherwise the port is in the unauthorized state and denies all traffic.

interface GigabitEthernet1/0/12
description ISE1 - dot1x clients - UCS Eth0
switchport access vlan 100
switchport mode access
ip access-group webauth in
authentication order mab
authentication priority mab
authentication port-control auto
mab
spanning-tree portfast
end

ip access-list extended webauth
permit ip any any

Octavian Szolga
Level 4

Hi,

If I remember correctly, older IOS versions do not apply a dACL on the port if there is none already configured (locally).

Thank you for the answer.

It must be this, because I tested this solution with and without an access list on the port and the result was always the same.

BR

Muhammad Munir
Level 5

Hi Uros,

An ACL is used to determine which traffic should be bridged by default from unauthenticated endpoints onto the access VLAN. Since you should allow all access first and enforce policy later, you should apply ACL-ALLOW to permit all traffic through the switch port. You have already created a default ISE authorization to allow all traffic for now, since we want complete visibility and do not want to impact the existing end user experience yet.

! An ACL must be configured to prepend dACLs from AAA server.

ip access-group ACL-ALLOW in

Note:

"Prior to software versions 12.2(55)SE on DSBU switches, a port ACL is required for dynamic ACLs from a RADIUS AAA server to be applied. Failure to have a default ACL will result in assigned dACLs being ignored by the switch. With 12.2(55)SE a default ACL will be automatically generated and applied."

Why an ACL must be configured on the port on the switch

Question:

I only have one question. I am trying to understand why an ACL must be configured on the port on the switch. The guide uses an ACL named webauth which permits all traffic. If the port is authorized it receives a dACL from ISE; otherwise the port is in the unauthorized state and denies all traffic.

What is Web Authentication?

Web authentication is opposed to local web authentication, which is the usual web authentication on the switch itself. In that system, upon dot1x/MAB failure, the switch will fail over to the webauth profile and redirect client traffic to a web page on the switch.

Role of ACL:

The redirect ACL sent back with the central webauth profile determines which traffic (HTTP or HTTPS) is redirected to the ISE. The downloadable ACL allows you to define what traffic is allowed. You should typically allow DNS, HTTP(S), and 8443 and deny the rest. Otherwise, the switch redirects HTTP traffic but allows other protocols.

Port ACLs

Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on physical interfaces, not on EtherChannel interfaces, and can be applied only on interfaces in the inbound direction. These access lists are supported:

• Standard IP access lists using source addresses

• Extended IP access lists using source and destination addresses and optional protocol type information

• MAC extended access lists using source and destination MAC addresses and optional protocol type information

The switch examines ACLs associated with all inbound features configured on a given interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way, ACLs control access to a network or to part of a network. Figure 31-1 is an example of using port ACLs to control access to a network when all workstations are in the same VLAN. ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.

Figure 31-1 Using ACLs to Control Traffic to a Network

When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.

With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.

For more information, please check

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swacl.html#wp1715468
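The practical consequence of the note above is that, on IOS releases before 12.2(55)SE, an authentication port with no inbound port ACL will silently ignore the dACL that ISE sends, so the policy you see in ISE is not what the switch enforces. The following script is an added example, not code from this thread, from Cisco or from ISE. It audits an IOS-style running-config: for every interface with `authentication port-control auto` it checks that an `ip access-group <name> in` is present and that the referenced ACL is actually defined. The configuration text is constructed for the example, modelled on the interface posted in the question; the interface names GigabitEthernet1/0/13 through 1/0/15 and the ACL name ACL-ALLOW are placeholders, and the parser assumes the usual IOS layout of unindented `interface` / `ip access-list` headers followed by indented sub-commands.

```python
"""Audit an IOS-style config for authentication ports lacking a pre-configured port ACL.

Added example (not from the thread or from Cisco). Finds the condition described
in the note: a dACL from the RADIUS server is ignored on pre-12.2(55)SE IOS when
no port ACL is applied, so such ports should be flagged before ISE policy is
relied upon.
"""
import re
from typing import Dict, List

# Constructed sample configuration; 1/0/12 mirrors the interface from the question,
# the other interfaces are placeholders that exercise the failure modes.
SAMPLE_CONFIG = """\
ip access-list extended webauth
 permit ip any any
!
interface GigabitEthernet1/0/12
 description ISE1 - dot1x clients - UCS Eth0
 switchport access vlan 100
 switchport mode access
 ip access-group webauth in
 authentication order mab
 authentication priority mab
 authentication port-control auto
 mab
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 description placeholder: MAB port with no port ACL
 switchport access vlan 100
 switchport mode access
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/14
 description placeholder: uplink, no authentication
 switchport mode trunk
!
interface GigabitEthernet1/0/15
 description placeholder: references an ACL that is never defined
 ip access-group ACL-ALLOW in
 authentication port-control auto
 mab
!
"""

AUTH_RE = re.compile(r"^authentication port-control auto$")
ACL_GROUP_RE = re.compile(r"^ip access-group (\S+) in$")
ACL_HEADER_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")


def _parse_blocks(config: str, header: re.Pattern) -> Dict[str, List[str]]:
    """Collect indented sub-commands under each line matching `header`.

    Any unindented line (including '!') ends the current block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = header.match(raw)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    return _parse_blocks(config, re.compile(r"^interface (\S+)$"))


def parse_acls(config: str) -> Dict[str, List[str]]:
    return _parse_blocks(config, ACL_HEADER_RE)


def audit(config: str) -> Dict[str, str]:
    """Return a status per authentication-enabled interface:
    'ok', 'missing-port-acl', or 'undefined-acl:<name>'."""
    acls = parse_acls(config)
    result: Dict[str, str] = {}
    for name, lines in parse_interfaces(config).items():
        if not any(AUTH_RE.match(line) for line in lines):
            continue  # not an 802.1X/MAB port; dACL never applies here
        applied = [m.group(1) for m in map(ACL_GROUP_RE.match, lines) if m]
        if not applied:
            result[name] = "missing-port-acl"
        elif applied[0] not in acls:
            result[name] = f"undefined-acl:{applied[0]}"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    for intf, status in audit(SAMPLE_CONFIG).items():
        print(f"{intf:28} {status}")
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents; any port reported as `missing-port-acl` or `undefined-acl` is one where, on the older releases in the note, the ISE dACL would not be enforced.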

Ravi Singh
Level 7

Rated Munir's and Aqeel's answers. You must go through them.