Hello,
I would like to know if you can help me before I open a TAC case. My problem is quite simple; this is my scenario:
Laptop (no supplicant) --- SW (WS-C3560-CG) --- SW (Internal resources) --- ISE
From the laptop I'm trying to
aaa group server tacacs+ ISE_GROUP
 server name ISE
!
aaa group server radius ISE
 server name ISE2_Server
 server name ISE1_Server
 load-balance method least-outstanding batch-size 1
!
aaa authentication login AAA group ISE_GROUP local
aaa authentication enable default group
aaa authentication dot1x default group ISE
aaa authorization console
aaa authorization config-commands
aaa authorization exec AAA group ISE_GROUP local
aaa authorization commands 0 AAA group ISE_GROUP local
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa authorization network default group ISE
aaa authorization network
aaa accounting update periodic 15
aaa accounting identity default start-stop group ISE
!
aaa server radius dynamic-author
 client 10.254.17.110 server-key 7 15315A1F07257A767B72
 client 10.254.4.86 server-key 7 0822455D0A16
 client 10.254.4.89 server-key 7 0822455D0A16
 server-key 7 104D000A0618
!
aaa session-id common
clock timezone ET -5 0
clock summer-time ET recurring 1 Sun May 2:00 last Sun Nov 2:00
system
!
device-sensor filter-list
!
device-sensor filter-list
 option name
 option name domain-name
 option number 34
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-list
device-sensor filter-spec
device-sensor filter-spec
device-sensor filter-spec
device-sensor notify
!
!
!
memory reserve critical 4096
memory free low-watermark processor 20000
memory free low-watermark IO 20000
dot1x system-auth-control
service-template
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
service-template CRITICAL
 description < Apply when none of the RADIUS servers are reachable >
 access-group PERMIT-ANY
spanning-tree mode
spanning-tree extend system-id
!
!
!
!
!
!
!
class-map type control subscriber match-all AAA_SVR_DOWN
 match result-type aaa-timeout
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!
class-map type control subscriber match-all MAB
 match method
!
class-map type control subscriber match-all MAB_FAILED
 match method
 match result-type method
!
!
!
policy-map type control subscriber POLICY_Gi_Global
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
   20 authenticate using
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 event violation match-all
  10 class always do-until-failure
   10 restrict
!
!
!
interface GigabitEthernet0/5
 description < Wired Guest Test >
 subscriber aging inactivity-timer 60 probe
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 no
 dot1x
 dot1x timeout tx-period 10
 spanning-tree
 service-policy type control subscriber POLICY_Gi_Global
!
interface Vlan1
 no
 shutdown
!
interface Vlan100
!
!
!
 deny
 deny
 deny
 permit
 permit
 deny
 permit
 permit
 permit
 permit
 permit
 deny
 permit
 permit
!
!
 address ipv4 10.254.4.86
 key 7 104D000A0618
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 4
radius-server deadtime 5
!
radius server ISE1_Server
 address ipv4 10.254.4.86 auth-port 1812 acct-port 1813
 timeout 10
!
radius server ISE2_Server
 address ipv4 10.254.4.89 auth-port 1812 acct-port 1813
 timeout 10
!
When I connect the client, I can see the access-session going on, but I can't see why the ACL is replaced:
WS-C3560CG#show access-session int g0/5
Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi0/5 e411.5b30.8626
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Runnable methods list:
Handle Priority Name
9 5 dot1x
19 10 mab
17 15
WS-C3560CG#show access-session int g0/5
Interface: GigabitEthernet0/5
MAC Address: e411.5b30.8626
IPv6 Address: Unknown
IPv4 Address: 10.254.36.204
User-Name: E4-11-5B-30-86-26
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session
Restart
Session Uptime: 370s
Common Session ID: 0AFE0B3300000019038D54FD
Handle: 0xEC00000A
Current Policy: POLICY_Gi_Global
Local Policies:
Idle timeout: 60 sec
arp-probe-timeout: yes
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
URL Redirect: https://USNJISE19.svlab.local:8443/portal/gateway?sessionId=0AFE0B3300000019038D54FD&portal=a60e04d0-2230-11e6-99ab-005056bf55e0&action=cwa&type=drw&token=769ce4152866adfa0ad85ecd6eddbf3e
URL Redirect ACL: ACL_REDIRECT
Method status list:
Method State
dot1x Stopped
mab Authc Success
WS-C3560CG#show
Extended IP access list LOW_IMPACT_ACL
10 permit
20 permit
30 permit
40 permit
50 permit
60 deny
WS-C3560CG#
I'm attaching some screenshots from the ISE server. I hope that someone can help me with this issue.
Thanks
In your port configuration, you have hardcoded the Low Impact ACL. In this scenario, you need to send a different ACL from ISE if you want it to be replaced. In the ISE Authorization profile, add an ACL.
Twitter: @berna_tllz
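The reply above comes down to one check against the "show access-session interface ... details" output: under "Server Policies" there is a URL-redirect and a redirect ACL, but no downloadable ACL line, so the static LOW_IMPACT_ACL on the port is never replaced. The script below is an added example, not code from this thread or from Cisco; it parses that output shape and reports the condition. It assumes the key/value layout pasted in the question, that IOS shows a returned dACL as an "ACS ACL" line under "Server Policies", and it uses constructed sample output with placeholder host and dACL names.

```python
"""Diagnose from 'show access-session interface X details' whether ISE
returned a dACL for the session. Added example; not from the thread or
from Cisco/ISE. Assumes the key/value layout of that output as pasted in
the question and that a returned dACL appears as an "ACS ACL" line under
"Server Policies" (the dACL and host names below are placeholders)."""
from typing import Dict, List

# Constructed sample, reduced from the session detail pasted in the question:
# a CWA URL-redirect was pushed, but no dACL line is present.
SESSION_NO_DACL = """\
Interface: GigabitEthernet0/5
MAC Address: e411.5b30.8626
IPv4 Address: 10.254.36.204
User-Name: E4-11-5B-30-86-26
Status: Authorized
Domain: DATA
Current Policy: POLICY_Gi_Global
Local Policies:
Idle timeout: 60 sec
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
URL Redirect: https://ise.example.invalid:8443/portal/gateway?sessionId=SESSION-PLACEHOLDER&action=cwa
URL Redirect ACL: ACL_REDIRECT
Method status list:
Method State
dot1x Stopped
mab Authc Success
"""

# Constructed sample of the state the reply asks for: ISE also returned a dACL.
SESSION_WITH_DACL = SESSION_NO_DACL.replace(
    "URL Redirect ACL: ACL_REDIRECT\n",
    "URL Redirect ACL: ACL_REDIRECT\nACS ACL: xACSACLx-IP-CWA-PLACEHOLDER\n",
)

SECTION_HEADERS = ("Local Policies", "Server Policies", "Method status list")


def parse_session(text: str) -> Dict:
    """Split the output into top-level fields, the two policy sections
    and the per-method state table."""
    session = {"fields": {}, "Local Policies": {}, "Server Policies": {}, "methods": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Method State":  # blank line or table header
            continue
        key, sep, value = line.partition(":")
        if sep and key in SECTION_HEADERS and not value.strip():
            section = key  # a section header carries no value
            continue
        if section == "Method status list":
            method, _, state = line.partition(" ")  # e.g. "mab Authc Success"
            session["methods"][method] = state.strip()
        elif sep and section in ("Local Policies", "Server Policies"):
            session[section][key.strip()] = value.strip()
        elif sep:
            session["fields"][key.strip()] = value.strip()
    return session


def has_dacl(session: Dict) -> bool:
    """True when a dACL was returned for the session (assumed "ACS ACL" key)."""
    return "ACS ACL" in session["Server Policies"]


def assess(session: Dict) -> List[str]:
    """Explain, from the parsed output, why the static port ACL is or is not replaced."""
    findings = []
    server = session["Server Policies"]
    methods = session["methods"]
    if methods.get("dot1x") == "Stopped" and methods.get("mab", "").startswith("Authc Success"):
        findings.append("authorized by MAB only (no supplicant): the MAB authorization rule on ISE decides the result")
    if "URL Redirect ACL" in server and not has_dacl(session):
        findings.append(
            "redirect ACL %s was applied but no dACL came back, so the static port ACL stays in force"
            % server["URL Redirect ACL"]
        )
    elif has_dacl(session):
        findings.append("dACL %s replaces the static port ACL for this session" % server["ACS ACL"])
    return findings


if __name__ == "__main__":
    for label, dump in (("as pasted", SESSION_NO_DACL), ("with dACL", SESSION_WITH_DACL)):
        s = parse_session(dump)
        print(label, s["fields"]["Interface"], s["fields"]["Status"])
        for f in assess(s):
            print("  -", f)
```

Run it against a real capture by pasting the output in place of the constructed sample; the first finding is the same on both samples (MAB-only session, so the MAB rule on ISE decides), and only the second sample, where a dACL line is present, reports the static ACL as replaced.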