11-14-2012 03:26 AM - edited 03-10-2019 07:47 PM
I have a Cisco Switch 3550 with IOS 12.1(19)EA1c. I want to enable the dACL feature on it, but it does not support adding this command: ip device tracking
Any idea why it is not accepting it? Does this IOS version not support the dACL feature?
11-14-2012 03:43 AM
You need at least 12.2(44)SE for dACL-support on the 3550.
Edit: It's documented in the ISE compatibility-List:
http://www.cisco.com/en/US/partner/docs/security/ise/1.1.1/compatibility/ise_sdt.html
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-15-2012 11:01 PM
I found at this link http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SPC.html#wpxref8152 that it is mentioned that the dACL feature is only supported on these:
Cisco devices that support downloadable IP ACLs are:
• PIX Firewalls
• VPN 3000-series concentrators, ASA and PIX devices
• Cisco devices running IOS version 12.3(8)T or greater
So my question is: does IOS 12.2(44)SE support dACL? I downloaded this IOS and upgraded my switch 3550, and it has the IP DEVICE TRACKING command. But dACL still does not work on it. Please give any idea.
11-15-2012 11:58 PM
What's your switch-config?
And what do you see with "debug radius"?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-17-2012 01:35 AM
This is my switch config:
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.168.2.16 key cisco
dot1x system-auth-control
aaa authorization network default group radius
ip device tracking
radius-server vsa send authentication
interface fastethernet0/2
switchport mode access
dot1x port-control auto
dot1x reauthentication
------
and I see the following when I do: debug radius
03:10:17: RADIUS: Vendor, Cisco [26] 61
03:10:17: RADIUS: Cisco AVpair [1] 55 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dACL-50a72bba"
03:10:17: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
03:10:17: RADIUS: EAP-Message [79] 6
03:10:17: RADIUS: 03 06 00 04
03:10:17: RADIUS: authenticator 70 28 8F A2 B7 3D C7 0F - A3 7A 74 05 69 A2 F9 98
03:10:17: RADIUS: Vendor, Cisco [26] 61
03:10:17: RADIUS: Cisco AVpair [1] 55 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dACL-50a72bba"
03:10:17: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
03:10:17: RADIUS: EAP-Message [79] 6
----
When I go and see the logging/reports on ACS, in the passed-authentication log it shows the dACL at the authenticated user. But on the switch I cannot see anything, and thus the dACL does not function; it does not block anything, while I have blocked everything on that dACL on ACS (I have added this entry: deny ip any any).
11-17-2012 01:50 AM
Add a dummy ACL with any content to your switchport config. That ACL can then later be changed against the dACL:
ip access-list ext DEFAULT-ACL
permit ip any any
int fast 0/2
ip access-group DEFAULT-ACL in
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-17-2012 02:14 AM
That is still not working.
11-17-2012 04:01 AM
I'll put a 3550 back into my lab and test that in the next days ... Stay tuned.
Sent from Cisco Technical Support iPad App
11-17-2012 06:25 AM
Ok, thank you!
I just want to review my ACS side config with you: on my ACS server I have created a dACL and assigned that into a group, that is it. I have not touched the AUTHORIZATION section at the Network-Access-Profile; I have not added any rule into that authorization section. And that should not cause the issue, I hope so.
11-18-2012 06:08 AM
I added a 3550 (C3550-IPSERVICESK9-M, Version 12.2(44)SE6) to my Lab and tried the dACLs.
Sadly, they also didn't work for me as they do for the other switches (2960, 3560 and 3750). Only the old-style per-user ACLs worked, where I've configured the following attributes directly:
01:32:17: RADIUS: Vendor, Cisco [26] 45
01:32:17: RADIUS: Cisco AVpair [1] 39 "ip:inacl#1=deny icmp any host 8.8.8.8"
01:32:17: RADIUS: Vendor, Cisco [26] 36
01:32:17: RADIUS: Cisco AVpair [1] 30 "ip:inacl#2=permit ip any any"
They were applied correctly to the port. But the "normal" dACL config didn't work.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
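As an added example (not from this thread, from Cisco or from ACS), here is a small Python parser for the two kinds of Cisco AVpair that appear in the debug radius output above: the dACL reference (ACS:CiscoSecure-Defined-ACL=...), which the 3550 in this thread never turned into an applied ACL, and the inline old-style entries (ip:inacl#N=...), which did work. The sample debug lines are constructed from the ones quoted in the thread; the regexes, class and function names are my own and are not part of any Cisco tool.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the "debug radius" lines quoted in this thread.
SAMPLE_DEBUG = """\
03:10:17: RADIUS: Vendor, Cisco [26] 61
03:10:17: RADIUS: Cisco AVpair [1] 55 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dACL-50a72bba"
03:10:17: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
01:32:17: RADIUS: Vendor, Cisco [26] 45
01:32:17: RADIUS: Cisco AVpair [1] 39 "ip:inacl#1=deny icmp any host 8.8.8.8"
01:32:17: RADIUS: Vendor, Cisco [26] 36
01:32:17: RADIUS: Cisco AVpair [1] 30 "ip:inacl#2=permit ip any any"
"""

AVPAIR_RE = re.compile(r'RADIUS: Cisco AVpair \[1\] (\d+) "([^"]*)"')
INACL_RE = re.compile(r'^ip:inacl#(\d+)=(.+)$')            # inline per-user ACE
DACL_RE = re.compile(r'^ACS:CiscoSecure-Defined-ACL=(.+)$')  # named dACL, fetched separately

@dataclass
class AuthzResult:
    dacl_names: list = field(default_factory=list)   # ACL names the switch must download from ACS
    inacl_lines: dict = field(default_factory=dict)  # sequence number -> ACE text
    unknown: list = field(default_factory=list)      # AV pairs this parser does not classify

def parse_avpairs(debug_text):
    """Classify every Cisco AVpair in a debug radius capture."""
    result = AuthzResult()
    for m in AVPAIR_RE.finditer(debug_text):
        declared_len, value = int(m.group(1)), m.group(2)
        # RADIUS VSA length = type(1) + length(1) + string; a mismatch means a truncated line.
        if declared_len != len(value) + 2:
            result.unknown.append("length-mismatch:" + value)
            continue
        dacl = DACL_RE.match(value)
        inacl = INACL_RE.match(value)
        if dacl:
            result.dacl_names.append(dacl.group(1))
        elif inacl:
            result.inacl_lines[int(inacl.group(1))] = inacl.group(2)
        else:
            result.unknown.append(value)
    return result

def effective_inacl(result):
    """Return the inline per-user ACEs in sequence order, as the port would apply them."""
    return [result.inacl_lines[k] for k in sorted(result.inacl_lines)]
```

If the parser reports a dACL name but no inline entries, the switch still has to download that ACL from ACS; seeing the name in debug radius alone does not mean an ACL is active on the port, which is what the original poster observed on the 3550.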
11-18-2012 10:45 PM
Ok, thanks Karsten for your cooperation,
I will have to stick with the old-style per-user ACL.