Default "Deny Access" authorization rule still allows network access

antonioyan99
Level 1

Hi Cisco ISE Guru,

I ran into this issue at the beginning of an ISE deployment.

When a computer tries to authenticate and fails, it matches the default "Deny Access" authorization rule.

However, it still has network access.

I created an authorization profile called "Explicit_Deny_Access", set Access_Type to "Access_Reject", and DACL = DENY_ALL_Traffic.

The computer still has network access; the DACL is not downloaded to the switch.

When I set Access Type to "Access Accept" and keep the DACL as "Deny_All_Traffic", the computer loses access to the network, and the DACL "Deny IP any any" can be seen on the switch with the command "show ip access-lists".

Can someone help to figure this out?

Hardware: SNS-3495-K9, ISE version: 2.0.0.306

Switch model: WS-C3850-24P, IOS version: 03.03.05SE

Thanks.

10 Replies

nspasov
Cisco Employee

Hi there-

Have you confirmed that the switch is receiving the "Access_Reject" message? As far as I know, if you set the Authorization Profile to "Access_Reject" then no other attributes really matter, as the client should be rejected access to the network.

I am wondering if you are hitting a bug of some sort. If possible I would recommend that you upgrade to a more recent release like 3.6.4 and then try again. I know that IOS-XE has been problematic with AAA and ISE in some of the older releases.

Thank you for rating helpful posts!

Hi there,

I have the Cisco 3850 switch upgraded to 3.6.4, but still the same behavior.

I just turned on AAA debug and RADIUS debug and got the output: the switch did get the "access-reject" message, but the DACL is not downloaded to the switch. The computer still has access to the network.

I have attached output as txt file.

Yes, that is expected. If you are returning "Access-Reject" message, no other attributes will be passed. Here are details directly from an RFC:

https://tools.ietf.org/html/rfc2865

    If any condition is not met, the RADIUS server sends an "Access-Reject" response indicating that this user request is invalid. If desired, the server MAY include a text message in the Access-Reject which MAY be displayed by the client to the user. No other Attributes (except Proxy-State) are permitted in an Access-Reject.

So not getting the DACL is expected behavior. The Access-Reject message itself should be prohibiting access to the network. Can you please confirm whether this is happening after the code upgrade?

Otherwise, your other option is to return "Access-Accept" but with a DACL of "deny all".

Thank you for rating helpful posts!
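The RFC 2865 rule quoted above, worked through as an added example (not from this thread and not Cisco's or ISE's code): a minimal RADIUS response encoder/decoder in which the server side keeps only Proxy-State in an Access-Reject, and the NAS side verifies the Response Authenticator, walks the attributes and enforces the same rule. The shared secret, the Request Authenticator and the DACL cisco-av-pair string are constructed values.

```python
import hashlib
import struct

ACCESS_ACCEPT, ACCESS_REJECT, VENDOR_SPECIFIC, PROXY_STATE = 2, 3, 26, 33
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1  # IANA enterprise number 9, vendor type 1

def cisco_avpair(text):
    """Encode one cisco-av-pair string as a Vendor-Specific (type 26) attribute."""
    inner = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, 2 + len(text)) + text.encode()
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(inner)) + inner

def build_response(code, ident, request_auth, attrs, secret):
    """Server side. Per RFC 2865 section 4.3 an Access-Reject keeps only Proxy-State,
    so a DACL bound to a reject profile is dropped here and never reaches the switch."""
    if code == ACCESS_REJECT:
        attrs = [a for a in attrs if a[0] == PROXY_STATE]
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_response(packet, request_auth, secret):
    """NAS side: verify the authenticator, walk the TLVs, return (code, [av-pair strings])."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    if code == ACCESS_REJECT and any(t != PROXY_STATE for t, _ in attrs):
        raise ValueError("Access-Reject carrying attributes other than Proxy-State")
    avpairs = [v[6:4 + v[5]].decode() for t, v in attrs if t == VENDOR_SPECIFIC
               and len(v) >= 6 and v[:5] == struct.pack("!IB", CISCO_VENDOR_ID, CISCO_AV_PAIR)]
    return code, avpairs

SECRET = b"constructed-shared-secret"  # constructed value, not from any real deployment
REQUEST_AUTH = bytes(range(16))        # constructed Request Authenticator
DENY_ALL = cisco_avpair("ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-DENY_ALL_Traffic-0123abcd")

def authorize(code):
    """Round-trip one response carrying the deny-all DACL and return what the NAS sees."""
    packet = build_response(code, 7, REQUEST_AUTH, [DENY_ALL], SECRET)
    return parse_response(packet, REQUEST_AUTH, SECRET)
```

`authorize(ACCESS_ACCEPT)` hands the switch the DACL name, while `authorize(ACCESS_REJECT)` returns an empty attribute list, which is exactly the debug output described in the thread.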

What I am doing now is to put a pre-auth ACL on the switch port to deny all access except DHCP/DNS. If an endpoint passes authentication and gets an authorization profile, a DACL will be applied to the switch port and overwrite the pre-auth ACL; otherwise Deny-Access will not do anything and the pre-auth ACL stays in place.

"no authentication open" on the switch port will also prevent any traffic except EAPoL until permission is accepted. 


Another option is to have a default ACL on all ports (deny ip any any) and push a dACL with permit-statements together with access-accept. 

Yes, I figured out the same as you said. Thanks.

Did you figure out what the problem was? I'm having the same problem.

Take a look at the following document and also check the next:

The AuthC action in ISE is to reject or drop, but since the switchports have "authentication open" in monitor mode, the switch continues to allow access. The ISE live logs will show the failure (as they should in monitor mode), but endpoint access is not affected.

See https://communities.cisco.com/docs/DOC-68171 (page 14, step 5).