Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2814
Views
20
Helpful
6
Replies

Internet Only dACL for Wired Devices

Go to solution
Matthew Martin
Level 5
Level 5

‎02-12-2020 12:49 PM

Hello All,

ISE: v2.3

We started running into a new issue where we have some wired devices in the building that do not require internal access, only internet. Like a few smart TVs, video conferencing equipment, etc... So I did the following, but the dACL doesn't appear to be working as expected, even though the switch is showing me the test device received the dACL.

1. I created a new Identity Group in ISE called Internet_Only_Group, that I would manually add these devices to.

2. I created this dACL below called Internet_Only_ACL. The one full IP listed below is one of the ISE servers:

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 192.168.2.49
deny ip any 192.168.0.0 255.255.0.0
deny ip any 10.0.0.0 255.0.0.0
permit ip any any

3. I created an Authorization Profile called Internet_Only and applied the dACL above to this profile.

4. Then under Policy Sets > Wired, I created a new Policy for devices found in the Internet_Only_Group.

5. Lastly, I assigned a test laptop to the Identity Group --> Internet_Only_Group.

 

On the switch I can see the device authenticates with MAB and gets assigned the Internet_Only_ACL:

#show auth sess sess C0A80201000B2AE03A89A584 det
Session id=C0A80201000B2AE03A89A584
            Interface:  GigabitEthernet7/24
          MAC Address:  0050.b6eb.xxxx
         IPv6 Address:  Unknown
         IPv4 Address:  10.60.110.203
            User-Name:  00-50-B6-EB-XX-XX
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  C0A80201000B2AE03A89A584
      Acct Session ID:  0x0008DF7D
               Handle:  0x3C000AE2
       Current Policy:  POLICY_Gi7/24

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure

Server Policies:
              ACS ACL:  xACSACLx-IP-Internet_Only_ACL-5e444df0

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success

So it appears to be authenticating properly and also receiving the correct auth profile containing the dACL. However, I am unable to reach anything on the Internet. I cannot reach anything internal, except I can ping the ISE server listed in the dACL. So at least that Permit statement appears to be working... I can also run DNS queries to our internal DNS server without issue.

Am I missing something with this dACL?

 

Thanks in Advance,

Matt

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎02-12-2020 01:25 PM

Its wild cards not subnet masks there btw which are used in ACLs which could potentially block everything to the internet as per your configuration.

View solution in original post

6 Replies 6

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎02-12-2020 01:09 PM

First off, the dACL appears to be fine and the session appears to be authenticated/authorized properly.

What type of switch is it?  Can you also do a "show ip access-list int g7/24"?  With older switches like the 6500/4500, I have seen issues where the dACL doesn't get applied properly in hardware/TCAM or in the right order.  The ACL optimizer attempts to optimize the order and sometimes will mess it up.  And it isn't on every port.  It is hit and miss.  If it is a newer switch, then that shouldn't be the issue.

Other issues could be outside of the switch such as a proxy server that is required to browse outside of the network.  Is DNS resolving the external URL you are trying to get to?  Internal firewall blocking the traffic?

0 Helpful

Go to solution
Matthew Martin
Level 5
Level 5
In response to Colby LeMaire

‎02-12-2020 01:37 PM - edited ‎02-12-2020 01:41 PM

Thanks for the "show ip access-list int gi7/24" command. Was able to use this to verify the correct ACL was being applied to this host. Much appreciated.

-Matt

0 Helpful

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎02-12-2020 01:25 PM

Its wild cards not subnet masks there btw which are used in ACLs which could potentially block everything to the internet as per your configuration.

Go to solution
Matthew Martin
Level 5
Level 5
In response to Surendra

‎02-12-2020 01:40 PM

Ah ha. Thank you. Switching the 2 lines in the ACL to the following, and it appears to be working now!

deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255

One last question. Would there be any reason to include any type of permit statement to ISE in the dACL?

-Matt

Go to solution
Surendra
Cisco Employee
Cisco Employee
In response to Matthew Martin

‎02-12-2020 02:16 PM

It is needed when you have features which require redirection to the ISE example : Guest/BYOD/Posture etc. If none, then you can omit them.

Go to solution
Matthew Martin
Level 5
Level 5
In response to Surendra

‎02-12-2020 02:44 PM

Ok, thanks for the info. Much appreciated!
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents