This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
We started running into a new issue where we have some wired devices in the building that do not require internal access, only internet. Like a few smart TVs, video conferencing equipment, etc... So I did the following, but the dACL doesn't appear to be working as expected, even though the switch is showing me the test device received the dACL.
1. I created a new Identity Group in ISE called Internet_Only_Group, that I would manually add these devices to.
2. I created this dACL below called Internet_Only_ACL. The one full IP listed below is one of the ISE servers:
permit udp any eq bootpc any eq bootps permit udp any any eq domain permit ip any host 192.168.2.49 deny ip any 192.168.0.0 255.255.0.0 deny ip any 10.0.0.0 255.0.0.0 permit ip any any
3. I created an Authorization Profile called Internet_Only and applied the dACL above to this profile.
4. Then under Policy Sets > Wired, I created a new Policy for devices found in the Internet_Only_Group.
5. Lastly, I assigned a test laptop to the Identity Group --> Internet_Only_Group.
On the switch I can see the device authenticates with MAB and gets assigned the Internet_Only_ACL:
#show auth sess sess C0A80201000B2AE03A89A584 det Session id=C0A80201000B2AE03A89A584 Interface: GigabitEthernet7/24 MAC Address: 0050.b6eb.xxxx IPv6 Address: Unknown IPv4 Address: 10.60.110.203 User-Name: 00-50-B6-EB-XX-XX Status: Authorized Domain: DATA Oper host mode: multi-auth Oper control dir: both Session timeout: N/A Common Session ID: C0A80201000B2AE03A89A584 Acct Session ID: 0x0008DF7D Handle: 0x3C000AE2 Current Policy: POLICY_Gi7/24 Local Policies: Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150) Security Policy: Should Secure Security Status: Link Unsecure Server Policies: ACS ACL: xACSACLx-IP-Internet_Only_ACL-5e444df0 Method status list: Method State dot1x Stopped mab Authc Success
So it appears to be authenticating properly and also receiving the correct auth profile containing the dACL. However, I am unable to reach anything on the Internet. I cannot reach anything internal, except I can ping the ISE server listed in the dACL. So at least that Permit statement appears to be working... I can also run DNS queries to our internal DNS server without issue.
Am I missing something with this dACL?
Thanks in Advance,
Solved! Go to Solution.
First off, the dACL appears to be fine and the session appears to be authenticated/authorized properly.
What type of switch is it? Can you also do a "show ip access-list int g7/24"? With older switches like the 6500/4500, I have seen issues where the dACL doesn't get applied properly in hardware/TCAM or in the right order. The ACL optimizer attempts to optimize the order and sometimes will mess it up. And it isn't on every port. It is hit and miss. If it is a newer switch, then that shouldn't be the issue.
Other issues could be outside of the switch such as a proxy server that is required to browse outside of the network. Is DNS resolving the external URL you are trying to get to? Internal firewall blocking the traffic?
Thanks for the "show ip access-list int gi7/24" command. Was able to use this to verify the correct ACL was being applied to this host. Much appreciated.