
Deny access until host authenticates with ISE

ocs111992
Level 1

Our switches work with ISE, but before it authenticates it has access to any network. This is an issue because if someone wants to access our network they just need to unplug/plug the LAN cable every 15 seconds. Is there a way to deny all types of access until the host authenticates with ISE?

Accepted Solution

For a better understanding of the authentication open command see: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3650/sec-user-8021x-xe-3se-3650-book/sec-ieee-open-auth.html

You could configure a base_acl like this:
Extended IP access list Base_ACL
10 deny ip any any
Then under your interface add this:
ip access-group Base_ACL in

Your ISE dacl will override the Base_ACL and allow access with the respective configs in the dacl.

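As an added example (not code from the thread or from Cisco), a small Python audit that parses a running-config and flags access ports in open mode that have no inbound port ACL, which is exactly the exposure the Base_ACL above closes until ISE pushes the dACL. The sample config is constructed, abridged from the interface posted in this thread, with a second port showing the corrected state.

```python
import re

# Constructed sample, abridged from the interface config posted in the thread:
# Fa0/1 matches the original (open mode, no static ACL); Fa0/2 has the
# accepted answer's Base_ACL applied inbound.
SAMPLE_CONFIG = """\
ip access-list extended Base_ACL
 10 deny ip any any
!
interface FastEthernet0/1
 switchport mode access
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet0/2
 switchport mode access
 authentication open
 authentication port-control auto
 ip access-group Base_ACL in
 mab
 dot1x pae authenticator
!
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each interface stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # '!' terminates the stanza in a running-config
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces

def unprotected_open_ports(config):
    """Ports with 'authentication open' but no inbound port ACL: a host there is
    forwarded before ISE has returned any authorization (the thread's problem)."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        is_open = "authentication open" in lines
        has_acl = any(l.startswith("ip access-group ") and l.endswith(" in") for l in lines)
        if is_open and not has_acl:
            findings.append(name)
    return findings
```

Run it over the output of `show running-config` from each access switch; any port it lists still forwards unauthenticated traffic.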

3 Replies

Mike.Cifelli
VIP Alumni
Can you share your interface configs? Are you working with manual interface configs OR are you running IBNS with service templates, etc.? You can accomplish what you are looking for via the use of dacls. Essentially you would have some sort of "base" ACL on your interfaces that then gets overridden by a dacl push from ISE upon successful authc and authz policy. In ISE you can configure dacls here: Policy->Policy Elements->Results->Authorization->Downloadable ACLs. You can then assign the dacl to your desired authz profile. Good luck & HTH!

This is the config of the interface:

interface FastEthernet0/1
switchport access vlan 30
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 30
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
With the DACL, guest users have access to the internet only when they connect to the LAN, but before the computer authenticates with ISE they have access to internal networks, and I want to prevent this.
