DACL to switch

Krasnoperov · ‎01-29-2013

Hi I have dot1x authorization policy on my ISE server, whith result few statements in DACL

Device Authorize successfull, DACL is pushing to switch

Current configuration : 484 bytes

!

interface FastEthernet0/4

switchport access vlan 84

switchport mode access

switchport voice vlan 70

ip access-group default_acl in

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

mab

dot1x pae authenticator

dot1x timeout tx-period 3

dot1x max-reauth-req 3

storm-control broadcast level 5.00

storm-control action shutdown

spanning-tree portfast

spanning-tree bpduguard enable

end

sh access-lists

Extended IP access list Auth-Default-ACL

10 permit udp any range bootps 65347 any range bootpc 65348 (2 matches)

20 permit udp any any range bootps 65347 (15 matches)

30 deny ip any any (90 matches)

Extended IP access list default_acl

10 permit ip any any (602 matches)

Extended IP access list xACSACLx-IP-standart_vpn-5106859d (per-user)

10 permit tcp any 0.0.0.0 255.255.255.0 eq 3389

20 permit ip any host 10.1.1.20

30 permit udp any host 10.8.13.11 eq domain

40 permit udp any host 10.8.13.12 eq domain

50 deny ip any any

#sh authentication sessions interface f0/4

Interface: FastEthernet0/4

MAC Address: 0023.8b84.fa32

IP Address: 10.110.11.254

User-Name: krasnoperov_as

Status: Authz Success

Domain: DATA

Oper host mode: multi-auth

Oper control dir: both

Authorized By: Authentication Server

Vlan Group: N/A

ACS ACL: xACSACLx-IP-standart_vpn-5106859d

Session timeout: N/A

Idle timeout: N/A

Common Session ID: 0A6E0A0400000079A121E4DE

Acct Session ID: 0x00000EE3

Handle: 0x2C000079

Runnable methods list:

Method State

dot1x Authc Success

mab Not run

BUT it's not applayed to my session, default_acl on port is still applayed, from this PC I have any any access, like in default ACL defined.

Why it's happens?

thanks

nspasov · ‎01-29-2013

Hello-

I have the following questions:

1. Can you post the ACL syntax that was configured directly on ISE

2. What are you trying to accomplish with this ACE:

10 permit tcp any 0.0.0.0 255.255.255.0 eq 3389

3. Post the output of the following command:

show ip access-list interface fa0/4

4. Enable debug level logging on the switch and post the output after the authentication happen. More specifically we are looking for an error related to applying the ACL to the interface

Thank you for rating!

Krasnoperov · ‎01-30-2013

Hi, ACL which I wat to applay from ISE server is this:

permit ip any host 10.1.1.20

permit udp any host 10.8.13.11 eq 53

permit udp any host 10.8.13.12 eq 53

deny ip any any

this line was

10 permit tcp any 0.0.0.0 255.255.255.0 eq 3389

for ASA acl, it's incorrect, I delete it.

ARHIV-ROOM36#sh ip access-lists

Standard IP access list 21

10 permit 10.8.39.33 (7648 matches)

20 permit 10.5.45.95 (4298 matches)

30 permit 10.5.45.164

40 permit 10.1.1.206

50 permit 10.1.1.248

60 deny any (4 matches)

Standard IP access list 23

10 permit 10.0.0.0, wildcard bits 0.255.255.255 (34 matches)

Extended IP access list 101

10 permit ip any any

Extended IP access list 117

10 permit ip any any

Extended IP access list Auth-Default-ACL

10 permit udp any range bootps 65347 any range bootpc 65348 (15 matches)

20 permit udp any any range bootps 65347 (6 matches)

30 deny ip any any (10 matches)

Extended IP access list default_acl

10 permit ip any any (98 matches)

Extended IP access list xACSACLx-IP-standart_vpn-5107cb73 (per-user)

10 permit ip any host 10.1.1.20

20 permit udp any host 10.8.13.11 eq domain

30 permit udp any host 10.8.13.12 eq domain

40 deny ip any any

ARHIV-ROOM36#sh authentication sessions interface f0/4

Interface: FastEthernet0/4

MAC Address: 0023.8b84.fa32

IP Address: 10.110.11.254

User-Name: krasnoperov_as

Status: Authz Success

Domain: DATA

Oper host mode: multi-domain

Oper control dir: both

Authorized By: Authentication Server

Vlan Policy: N/A

ACS ACL: xACSACLx-IP-standart_vpn-5107cb73

Session timeout: N/A

Idle timeout: N/A

Common Session ID: 0A6E0A040000003E015EC308

Acct Session ID: 0x0000004E

Handle: 0x6700003F

Runnable methods list:

Method State

dot1x Authc Success

mab Not run

ARHIV-ROOM36#sh ip access-lists interface fastEthernet 0/4

ARHIV-ROOM36#

What kind of debug I should enable, because if I debug all - my switch is going down

nspasov · ‎01-30-2013

OK, after you authenticate, running the command: "sh ip access-lists interface fastEthernet 0/4" should display the ACL entries that are applied to the interface. You are not seeing that so something is preventing the ACL from being applied to the port. Check the logs on the switch right after the authentication happens and look for any errors related to the port/ACL

You can enable logging by:

logging trap debugging

logging buffered 32000

Krasnoperov · ‎01-31-2013

ip device tracking

this command solve my problem, but I dont understand how))

nspasov · ‎02-10-2013

Sorry somehow I missed this e-mail/thread. I find it interesting that this command solved your issue. As far as I know IP device tracking is used for web auth and profling.

Again though, thank you for shaing the information! (+5 from me). If the issue is solved then the thread should be closed as well.