dACL only works after a clear access-session

User42 (Level 1)
Hi
 
ISE: 3.2 Patch 4
Switch: C9300-48P with IOS XE 17.09.04a
 
Without dACL:
Authorization Policy Result
Result: Access-Accept
Vlan: 12
 
Device gets plugged in:
ISE:
Correct Policy and correct result
Switch:
Client Authorized, vlan 12
Client:
ping a.a.a.a -> successful
ping b.b.b.b -> successful
 
With dACL:
Authorization Policy Result
Result: Access-Accept
Vlan: 12
dACL:
permit ip any host a.a.a.a
deny ip any any
 
Device Plugged in:
ISE:
Correct Policy, correct result and dACL Download successful
Switch:
Client Authorized, vlan 12, dACL download complete and mapped to interface
Client:
ping a.a.a.a -> not successful
ping b.b.b.b -> not successful
 
 
If I clear the access-session with clear access-session on the switch:
ISE:
Correct Policy, correct result and dACL Download successful
Switch:
Client Authorized, vlan 12, dACL download complete and mapped to interface
Client:
ping a.a.a.a -> successful
ping b.b.b.b -> not successful
 
 
If the client is unplugged and plugged in again, the ping tests are again unsuccessful.
The dACL only seems to work correctly after a clear access session.
 
I looked in Cisco's BST but didn't find anything.
Does anyone have an idea?
10 Replies

@User42 

I believe this is expected behavior and you need to use CoA to overcome this. Take a look at the thread below; there are lots of similar threads here in the forum.

https://community.cisco.com/t5/network-access-control/coa-session-reauth-required-after-successful-authentication/td-p/4158220

 

I think this is a different problem, because I'm not talking about Guest Access.
The clients I described authenticate with dot1x EAP-TLS.

permit ip any host a.a.a.a <<- remove this 

Add 

Permit ip any any <<- 

And let device tracking adjust any 

MHM

Thanks for the reply!
With permit ip any any it works.
But then I could just use no dACL at all.

The Goal is this:

ping a.a.a.a -> successful
ping b.b.b.b -> not successful
 
I want the client to be able to reach only its own server.

Hi,

     I would check for dACL related bugs on that ISE version. Second, do you have "epm logging" to validate that dACL is actually correctly applied on the port via "show logging"?

Best,

Cristian.

The issue is: how does ISE know whether this is user a.a.a.a or user b.b.b.b in order to assign the correct dACL?

Instead, push permit ip any any in the dACL,

and try using an ACL on the port connected to the server, or use a VLAN access list.

MHM

marce1000 (VIP)

 

 - Here are a number of related bugs with dACL, which include your ISE version:
   https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&prdNam=Cisco%20Identity%20Services%20Engine%203.2&kw=dacl%203.2&bt=custV&sb=anfr

  Check if anything related comes up; it's probably advisable to test with the latest patch for ISE 3.2 (p7).

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

User42 (Level 1)

Hi all,

Thanks for the many replies!
I found the problem (it's a stupid fault on my side).
The clients couldn't get any IP address. In the ACL I allow the connection to the DHCP server,
but for DHCP the client tries with a broadcast address.

I just had to add: permit udp any any eq 67.

I didn't see it at first because this device only has a web UI (which wasn't reachable).
Also, their APIPA address looks like the old address from DHCP: a.a.20.13 -> 169.254.20.13.

I really appreciate your help and I am sorry for your loss of time.
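
To make the cause visible without a lab, here is a small added example (not from this thread or from Cisco): a minimal first-match evaluator for the ACE forms used above, run against a constructed DHCP DISCOVER and the two pings. The server addresses 10.0.0.10 / 10.0.0.20 and the client 10.0.0.50 are assumed stand-ins for a.a.a.a / b.b.b.b; the evaluator does not model device tracking substituting the learned host IP for "any".

```python
import re
from dataclasses import dataclass
from typing import Optional

# Supported ACE shape: permit|deny <proto> <any|host X> <any|host Y> [eq <port>]
ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|udp|tcp|icmp)\s+(any|host \S+)\s+(any|host \S+)(?:\s+eq\s+(\d+))?$"
)

@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

def parse_dacl(text):
    """Parse one ACE per line into (action, proto, src_spec, dst_spec, port)."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, src, dst, port = m.groups()
        aces.append((action, proto, src, dst, int(port) if port else None))
    return aces

def _spec_matches(spec, addr):
    return spec == "any" or spec == f"host {addr}"

def permitted(aces, pkt):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for action, proto, src, dst, port in aces:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_spec_matches(src, pkt.src) and _spec_matches(dst, pkt.dst)):
            continue
        if port is not None and port != pkt.dport:
            continue
        return action == "permit"
    return False

SERVER_A, SERVER_B, CLIENT = "10.0.0.10", "10.0.0.20", "10.0.0.50"   # constructed
ORIGINAL_DACL = f"permit ip any host {SERVER_A}\ndeny ip any any"
FIXED_DACL = f"permit udp any any eq 67\n{ORIGINAL_DACL}"

# An unaddressed client sends DHCP DISCOVER to the limited broadcast address,
# which never matches "host <server>", so the original dACL drops it.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 67)
PING_A, PING_B = Packet("icmp", CLIENT, SERVER_A), Packet("icmp", CLIENT, SERVER_B)

def evaluate(dacl_text):
    aces = parse_dacl(dacl_text)
    return {"dhcp": permitted(aces, DHCP_DISCOVER),
            "ping_a": permitted(aces, PING_A),
            "ping_b": permitted(aces, PING_B)}
```

Running `evaluate` on both ACLs shows the original one blocking DHCP while the fixed one still permits only the intended server.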

Hi,

    By enabling the logging I recommended, you would have seen that the dACL was not actually applied, because the hosts had no IP address that the switch could make use of before applying the dACL.

    Good you fixed it.

Best,

Cristian.

With respect to your solution:

how does ISE know whether this endpoint is a.a.a.a or b.b.b.b?

This can only be done via DHCP profiling.

MHM