Contributor

Internet Only dACL for Wired Devices

Hello All,

ISE: v2.3

We started running into a new issue where we have some wired devices in the building that do not require internal access, only internet. Like a few smart TVs, video conferencing equipment, etc... So I did the following, but the dACL doesn't appear to be working as expected, even though the switch is showing me the test device received the dACL.

1. I created a new Identity Group in ISE called Internet_Only_Group, that I would manually add these devices to.

2. I created this dACL below called Internet_Only_ACL. The one full IP listed below is one of the ISE servers:

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 192.168.2.49
deny ip any 192.168.0.0 255.255.0.0
deny ip any 10.0.0.0 255.0.0.0
permit ip any any

3. I created an Authorization Profile called Internet_Only and applied the dACL above to this profile.

4. Then under Policy Sets > Wired, I created a new Policy for devices found in the Internet_Only_Group.

5. Lastly, I assigned a test laptop to the Identity Group --> Internet_Only_Group.

On the switch I can see the device authenticates with MAB and gets assigned the Internet_Only_ACL:

#show auth sess sess C0A80201000B2AE03A89A584 det
Session id=C0A80201000B2AE03A89A584
            Interface:  GigabitEthernet7/24
          MAC Address:  0050.b6eb.xxxx
         IPv6 Address:  Unknown
         IPv4 Address:  10.60.110.203
            User-Name:  00-50-B6-EB-XX-XX
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  C0A80201000B2AE03A89A584
      Acct Session ID:  0x0008DF7D
               Handle:  0x3C000AE2
       Current Policy:  POLICY_Gi7/24

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure

Server Policies:
              ACS ACL:  xACSACLx-IP-Internet_Only_ACL-5e444df0

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success

So it appears to be authenticating properly and also receiving the correct auth profile containing the dACL. However, I am unable to reach anything on the Internet. I cannot reach anything internal, except I can ping the ISE server listed in the dACL. So at least that Permit statement appears to be working... I can also run DNS queries to our internal DNS server without issue.

Am I missing something with this dACL?

Thanks in Advance,

Matt

6 REPLIES
Rising star

Re: Internet Only dACL for Wired Devices

First off, the dACL appears to be fine and the session appears to be authenticated/authorized properly.

What type of switch is it?  Can you also do a "show ip access-list int g7/24"?  With older switches like the 6500/4500, I have seen issues where the dACL doesn't get applied properly in hardware/TCAM or in the right order.  The ACL optimizer attempts to optimize the order and sometimes will mess it up.  And it isn't on every port.  It is hit and miss.  If it is a newer switch, then that shouldn't be the issue.

Other issues could be outside of the switch such as a proxy server that is required to browse outside of the network.  Is DNS resolving the external URL you are trying to get to?  Internal firewall blocking the traffic?

Contributor

Re: Internet Only dACL for Wired Devices

Thanks for the "show ip access-list int gi7/24" command. Was able to use this to verify the correct ACL was being applied to this host. Much appreciated.

-Matt

Cisco Employee

Re: Internet Only dACL for Wired Devices

It's wildcards, not subnet masks, btw, which are used in ACLs, which could potentially block everything to the internet as per your configuration.

Contributor

Re: Internet Only dACL for Wired Devices

Ah ha. Thank you. Switching the 2 lines in the ACL to the following, it appears to be working now!

deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255

One last question. Would there be any reason to include any type of permit statement to ISE in the dACL?

-Matt
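As an added illustration of the wildcard-mask point from the accepted answer (this is not code from the thread, from Cisco or from ISE), the Python below models how an IOS ACE matches a destination address, converts the subnet masks from the first post into wildcards, and evaluates both versions of the list against sample destinations. It only models the destination-address test of the `ip` lines, and the sample addresses are constructed for the demo.

```python
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def subnet_to_wildcard(mask: str) -> str:
    """Invert a subnet mask into the wildcard form IOS ACLs expect."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ ip_to_int(mask)))


def ace_matches(addr: str, network: str, wildcard: str) -> bool:
    """IOS semantics: a wildcard bit of 1 means 'don't care', 0 means 'must match'."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(network) & care)


def evaluate(acl, dst: str) -> str:
    """Return the action of the first ACE matching the destination (first match wins)."""
    for action, network, wildcard in acl:
        if ace_matches(dst, network, wildcard):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def render(acl):
    """Print the list back in IOS syntax (host / any shorthand where it applies)."""
    lines = []
    for action, network, wildcard in acl:
        if wildcard == "0.0.0.0":
            lines.append(f"{action} ip any host {network}")
        elif wildcard == "255.255.255.255":
            lines.append(f"{action} ip any any")
        else:
            lines.append(f"{action} ip any {network} {wildcard}")
    return lines


# The 'ip' lines of the first post, with the masks typed as subnet masks.
ORIGINAL = [
    ("permit", "192.168.2.49", "0.0.0.0"),       # ISE server, i.e. 'host'
    ("deny", "192.168.0.0", "255.255.0.0"),
    ("deny", "10.0.0.0", "255.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),    # 'permit ip any any'
]
# Same list with the deny masks converted to wildcards (the corrected lines).
CORRECTED = [(a, n, subnet_to_wildcard(w) if a == "deny" else w) for a, n, w in ORIGINAL]

if __name__ == "__main__":
    for dst in ("192.168.2.49", "10.1.2.3", "192.168.5.5", "8.8.8.8"):  # constructed samples
        print(f"{dst:>14}: original={evaluate(ORIGINAL, dst):6} corrected={evaluate(CORRECTED, dst)}")
    print("\n".join(render(CORRECTED)))
```

With the subnet-mask version, the "don't care" bits land on the network portion, so an internal host such as 10.1.2.3 falls through to `permit ip any any`; the wildcard version denies it as intended.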
Cisco Employee

Re: Internet Only dACL for Wired Devices

It is needed when you have features which require redirection to ISE, for example Guest/BYOD/Posture, etc. If none, then you can omit them.
Contributor

Re: Internet Only dACL for Wired Devices

Ok, thanks for the info. Much appreciated!