01-29-2013 12:30 AM - edited 03-10-2019 08:01 PM
Hi, I have a dot1x authorization policy on my ISE server, which results in a few statements in the DACL.
The device authorizes successfully and the DACL is pushed to the switch.
Current configuration : 484 bytes
!
interface FastEthernet0/4
switchport access vlan 84
switchport mode access
switchport voice vlan 70
ip access-group default_acl in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x max-reauth-req 3
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
end
sh access-lists
Extended IP access list Auth-Default-ACL
10 permit udp any range bootps 65347 any range bootpc 65348 (2 matches)
20 permit udp any any range bootps 65347 (15 matches)
30 deny ip any any (90 matches)
Extended IP access list default_acl
10 permit ip any any (602 matches)
Extended IP access list xACSACLx-IP-standart_vpn-5106859d (per-user)
10 permit tcp any 0.0.0.0 255.255.255.0 eq 3389
20 permit ip any host 10.1.1.20
30 permit udp any host 10.8.13.11 eq domain
40 permit udp any host 10.8.13.12 eq domain
50 deny ip any any
#sh authentication sessions interface f0/4
Interface: FastEthernet0/4
MAC Address: 0023.8b84.fa32
IP Address: 10.110.11.254
User-Name: krasnoperov_as
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-standart_vpn-5106859d
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A6E0A0400000079A121E4DE
Acct Session ID: 0x00000EE3
Handle: 0x2C000079
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
BUT it's not applied to my session; default_acl on the port is still applied, and from this PC I have any-any access, as defined in the default ACL.
Why does this happen?
Thanks
01-29-2013 09:38 PM
Hello-
I have the following questions:
1. Can you post the ACL syntax that was configured directly on ISE?
2. What are you trying to accomplish with this ACE?
10 permit tcp any 0.0.0.0 255.255.255.0 eq 3389
3. Post the output of the following command:
show ip access-list interface fa0/4
4. Enable debug level logging on the switch and post the output after the authentication happens. More specifically, we are looking for an error related to applying the ACL to the interface.
Thank you for rating!
01-30-2013 02:07 AM
Hi, the ACL which I want to apply from the ISE server is this:
permit ip any host 10.1.1.20
permit udp any host 10.8.13.11 eq 53
permit udp any host 10.8.13.12 eq 53
deny ip any any
This line
10 permit tcp any 0.0.0.0 255.255.255.0 eq 3389
was for an ASA ACL; it's incorrect, I deleted it.
ARHIV-ROOM36#sh ip access-lists
Standard IP access list 21
10 permit 10.8.39.33 (7648 matches)
20 permit 10.5.45.95 (4298 matches)
30 permit 10.5.45.164
40 permit 10.1.1.206
50 permit 10.1.1.248
60 deny any (4 matches)
Standard IP access list 23
10 permit 10.0.0.0, wildcard bits 0.255.255.255 (34 matches)
Extended IP access list 101
10 permit ip any any
Extended IP access list 117
10 permit ip any any
Extended IP access list Auth-Default-ACL
10 permit udp any range bootps 65347 any range bootpc 65348 (15 matches)
20 permit udp any any range bootps 65347 (6 matches)
30 deny ip any any (10 matches)
Extended IP access list default_acl
10 permit ip any any (98 matches)
Extended IP access list xACSACLx-IP-standart_vpn-5107cb73 (per-user)
10 permit ip any host 10.1.1.20
20 permit udp any host 10.8.13.11 eq domain
30 permit udp any host 10.8.13.12 eq domain
40 deny ip any any
ARHIV-ROOM36#sh authentication sessions interface f0/4
Interface: FastEthernet0/4
MAC Address: 0023.8b84.fa32
IP Address: 10.110.11.254
User-Name: krasnoperov_as
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-standart_vpn-5107cb73
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A6E0A040000003E015EC308
Acct Session ID: 0x0000004E
Handle: 0x6700003F
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
ARHIV-ROOM36#sh ip access-lists interface fastEthernet 0/4
ARHIV-ROOM36#
What kind of debug should I enable? If I debug all, my switch goes down.
01-30-2013 08:37 PM
OK, after you authenticate, running the command "sh ip access-lists interface fastEthernet 0/4" should display the ACL entries that are applied to the interface. You are not seeing that, so something is preventing the ACL from being applied to the port. Check the logs on the switch right after the authentication happens and look for any errors related to the port/ACL.
You can enable logging by:
logging trap debugging
logging buffered 32000
01-31-2013 05:41 AM
ip device tracking
This command solved my problem, but I don't understand how))
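As an added example that is not part of this thread, here is a small Python check that reads the two outputs the replies ask for ("sh authentication sessions interface" and "sh ip access-lists interface") and flags the exact condition seen above: a dACL name is present on the session, but no per-user entries show up on the interface. The session sample is copied from the thread; the "applied" sample is constructed and its line layout is an assumption.

```python
import re

# Session output copied from the thread (second attempt, before "ip device tracking").
SESSION_OUTPUT = """\
Interface: FastEthernet0/4
MAC Address: 0023.8b84.fa32
IP Address: 10.110.11.254
User-Name: krasnoperov_as
Status: Authz Success
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-standart_vpn-5107cb73
Session timeout: N/A
"""

# Constructed: what "sh ip access-lists interface" is assumed to look like once the
# per-user ACL is really on the port (the thread shows it empty before the fix).
ACL_IFACE_OUTPUT_APPLIED = """\
Extended IP access list xACSACLx-IP-standart_vpn-5107cb73 (per-user)
    10 permit ip host 10.110.11.254 host 10.1.1.20
    20 permit udp host 10.110.11.254 host 10.8.13.11 eq domain
    30 permit udp host 10.110.11.254 host 10.8.13.12 eq domain
    40 deny ip host 10.110.11.254 any
"""

def parse_session(output: str) -> dict:
    """Turn 'Key: value' lines of the session output into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def count_aces(acl_iface_output: str) -> int:
    """Count permit/deny entries; the 'Extended IP access list ...' header has none."""
    return sum(1 for line in acl_iface_output.splitlines()
               if re.search(r"\b(permit|deny)\b", line))

def check_dacl(session_output: str, acl_iface_output: str) -> str:
    """Classify the session: the 'dacl-not-applied' state is the symptom in this thread."""
    s = parse_session(session_output)
    if s.get("Status") != "Authz Success":
        return "not-authorized"
    if s.get("ACS ACL", "N/A") in ("N/A", ""):
        return "no-dacl"           # port keeps its static ip access-group only
    if count_aces(acl_iface_output) == 0:
        return "dacl-not-applied"  # downloaded but nothing on the interface
    return "dacl-applied"
```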
02-10-2013 08:07 PM
Sorry, somehow I missed this e-mail/thread. I find it interesting that this command solved your issue. As far as I know, IP device tracking is used for web auth and profiling.
Again though, thank you for sharing the information! (+5 from me). If the issue is solved then the thread should be closed as well.