Dot1x dACL for server with additional networks behind it

igor.hamzic81
Level 1

Hello all. In one of our production facilities we have implemented dot1x on the switches in the facility. All was OK until we found out that there is a legacy network behind one of the servers which is still used for production purposes and acts as a router for the legacy network. Something like this:


production LAN - server - legacy network


In short, there are several HTTP servers in that legacy network that are part of a printing press and cannot be migrated from the legacy network (don't ask).

The server in front authenticates on the switch without a problem and gets its dACL from our ISE servers. The server works OK, but when anyone tries to connect to the HTTP servers behind this first server we have a problem due to the dACL.

The problem lies with the fact that, for a dACL, the "any" in the dACL gets replaced with the IP address of the authenticated server, which is normal for a dACL, but the servers in the legacy network are responding from a different IP range and are getting dropped by the dACL.

I tried several different combinations of the dACL to try and get this to work, but ISE tells me every time that a dACL line must start with "any", so I couldn't get this to work.

Does someone have any idea how I can solve this or am I stuck with one port without dot1x on it?

Accepted Solution
Jason Kunst
Cisco Employee
This is not an issue of ISE but more of a switching question.

The switch has no visibility of the MAC address of this server behind a server, right? The switch, in order to apply a dACL, must see that device, I believe. Seems like you have 1 server doing NAT, or is it bridging? Check out this guide and the host modes multi-auth/multi-host:

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515


2 Replies


Hi. Just confirming that adding multi-host instead of multi-auth on the port solved the problem. Thanks for the support.
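The port-level change confirmed above, as an added example of a Cisco IOS access-port configuration (constructed here, not taken from the thread or the linked guide; the interface name, VLAN and description are assumptions):

```cisco
! Constructed example, not from the thread. Interface, VLAN and
! description are assumptions; adapt them to the real port.
interface GigabitEthernet1/0/10
 description Server that routes to the legacy printing-press network
 switchport mode access
 switchport access vlan 100
 !
 ! Problem state (what the poster started with): multi-auth treats
 ! each MAC on the port as its own session, and the dACL's "any"
 ! source is rewritten to the authenticated server's IP, so replies
 ! sourced from the legacy IP range never match and are dropped.
 !   authentication host-mode multi-auth
 !
 ! Fix confirmed in the thread: multi-host authenticates the first
 ! host (the server) and then authorizes the port for every other
 ! host behind it, which carries the legacy network along.
 ! Caveat: anything behind that server now inherits the server's
 ! authorization, so keep the dACL limited to what the server and
 ! the legacy HTTP servers actually need.
 authentication host-mode multi-host
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 spanning-tree portfast
```

On switches running the newer IBNS 2.0 command set the equivalent line is `access-session host-mode multi-host`.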