cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2626
Views
15
Helpful
5
Replies
Highlighted
Beginner

DACL to switch

Hi I have dot1x authorization policy on my ISE server, whith result few statements in DACL

Device Authorize successfull, DACL is pushing to switch

Current configuration : 484 bytes

!

interface FastEthernet0/4

switchport access vlan 84

switchport mode access

switchport voice vlan 70

ip access-group default_acl in

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

mab

dot1x pae authenticator

dot1x timeout tx-period 3

dot1x max-reauth-req 3

storm-control broadcast level 5.00

storm-control action shutdown

spanning-tree portfast

spanning-tree bpduguard enable

end

sh access-lists

Extended IP access list Auth-Default-ACL

    10 permit udp any range bootps 65347 any range bootpc 65348 (2 matches)

    20 permit udp any any range bootps 65347 (15 matches)

    30 deny ip any any (90 matches)

Extended IP access list default_acl

    10 permit ip any any (602 matches)

Extended IP access list xACSACLx-IP-standart_vpn-5106859d (per-user)

    10 permit tcp any 0.0.0.0 255.255.255.0 eq 3389

    20 permit ip any host 10.1.1.20

    30 permit udp any host 10.8.13.11 eq domain

    40 permit udp any host 10.8.13.12 eq domain

    50 deny ip any any

#sh authentication sessions interface f0/4

            Interface:  FastEthernet0/4

          MAC Address:  0023.8b84.fa32

           IP Address:  10.110.11.254

            User-Name:  krasnoperov_as

               Status:  Authz Success

               Domain:  DATA

       Oper host mode:  multi-auth

     Oper control dir:  both

        Authorized By:  Authentication Server

           Vlan Group:  N/A

              ACS ACL:  xACSACLx-IP-standart_vpn-5106859d

      Session timeout:  N/A

         Idle timeout:  N/A

    Common Session ID:  0A6E0A0400000079A121E4DE

      Acct Session ID:  0x00000EE3

               Handle:  0x2C000079

Runnable methods list:

       Method   State

       dot1x    Authc Success

       mab      Not run

BUT it's not applayed to my session, default_acl on port is still applayed, from this PC I have any any access, like in default ACL defined.

Why it's happens?

thanks

5 REPLIES 5
Highlighted
Cisco Employee

Hello-

I have the following questions:

1. Can you post the ACL syntax that was configured directly on ISE

2. What are you trying to accomplish with this ACE:

10 permit tcp any 0.0.0.0 255.255.255.0 eq 3389

3. Post the output of the following command:

show ip access-list interface fa0/4

4. Enable debug level logging on the switch and post the output after the authentication happen. More specifically we are looking for an error related to applying the ACL to the interface

Thank you for rating!

Highlighted

Hi, ACL which I wat to applay from ISE server is this:

permit ip any host 10.1.1.20

permit udp any host 10.8.13.11 eq 53

permit udp any host 10.8.13.12 eq 53

deny ip any any

this line was

10 permit tcp any 0.0.0.0 255.255.255.0 eq 3389

for ASA acl, it's incorrect, I delete it.

ARHIV-ROOM36#sh ip access-lists

Standard IP access list 21

    10 permit 10.8.39.33 (7648 matches)

    20 permit 10.5.45.95 (4298 matches)

    30 permit 10.5.45.164

    40 permit 10.1.1.206

    50 permit 10.1.1.248

    60 deny   any (4 matches)

Standard IP access list 23

    10 permit 10.0.0.0, wildcard bits 0.255.255.255 (34 matches)

Extended IP access list 101

    10 permit ip any any

Extended IP access list 117

    10 permit ip any any

Extended IP access list Auth-Default-ACL

    10 permit udp any range bootps 65347 any range bootpc 65348 (15 matches)

    20 permit udp any any range bootps 65347 (6 matches)

    30 deny ip any any (10 matches)

Extended IP access list default_acl

    10 permit ip any any (98 matches)

Extended IP access list xACSACLx-IP-standart_vpn-5107cb73 (per-user)

    10 permit ip any host 10.1.1.20

    20 permit udp any host 10.8.13.11 eq domain

    30 permit udp any host 10.8.13.12 eq domain

    40 deny ip any any

ARHIV-ROOM36#sh authentication sessions interface f0/4

            Interface:  FastEthernet0/4

          MAC Address:  0023.8b84.fa32

           IP Address:  10.110.11.254

            User-Name:  krasnoperov_as

               Status:  Authz Success

               Domain:  DATA

       Oper host mode:  multi-domain

     Oper control dir:  both

        Authorized By:  Authentication Server

          Vlan Policy:  N/A

              ACS ACL:  xACSACLx-IP-standart_vpn-5107cb73

      Session timeout:  N/A

         Idle timeout:  N/A

    Common Session ID:  0A6E0A040000003E015EC308

      Acct Session ID:  0x0000004E

               Handle:  0x6700003F

Runnable methods list:

       Method   State

       dot1x    Authc Success

       mab      Not run

ARHIV-ROOM36#sh ip access-lists interface fastEthernet 0/4

ARHIV-ROOM36#

What kind of debug I should enable, because if I debug all - my switch is going down

Highlighted

OK, after you authenticate, running the command: "sh ip access-lists interface fastEthernet 0/4" should display the ACL entries that are applied to the interface. You are not seeing that so something is preventing the ACL from being applied to the port. Check the logs on the switch right after the authentication happens and look for any errors related to the port/ACL

You can enable logging by:

logging trap debugging

logging buffered 32000
Highlighted

ip device tracking

this command solve my problem, but I dont understand how))

Highlighted

Sorry somehow I missed this e-mail/thread. I find it interesting that this command solved your issue. As far as I know IP device tracking is used for web auth and profling.

Again though, thank you for shaing the information! (+5 from me). If the issue is solved then the thread should be closed as well.

Content for Community-Ad