cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

887
Views
5
Helpful
6
Replies
MALi-786
Beginner

Is there a way to debug DACL pushed from ISE??

ISE is pushing DACL on a switch port but my required communication is not working. Just wondering if there is a way I can debug or see what is being blocked by this DACL??? 

 

Kindly help.

1 ACCEPTED SOLUTION

Accepted Solutions
Rami Ibrahim
Beginner

Hi,

 

You can verify DACL received using:

  1. show authentications session interface <int>
  2. show epm session ip <client_ip>

copy the ACL name and use show access list <DACL_name> to verify the entries.

 

Now, either the switch didn't download DACL entries or the DACL was successfully downloaded but the actual DACL is not having the right entries. you can use debug aaa authentication and flap the port to see this communication also note that you should have logging to buffered to prevent huge output from overloading the console.

 

Make sure ip device tracking is enabled on the port and the switch is configured with the command <radius-server vsa send authentication>

 

View solution in original post

6 REPLIES 6
balaji.bandi
VIP Master

you need to understand here how the ACL pushed to end device or port based on the identity :

 

https://ipdemystify.com/2020/08/21/how-the-downloadable-acl-is-pushed-by-cisco-ise-to-the-switch/

 

 

The question to be asked here :

 - is this ever worked or new setup ?

 

1. is this only 1 port or any user Logged in from Switch not able to work?

2. other switches working as expected ?

3. what is the model of the switch and version, what is the ISE version here?

 

here is my notes from my docs :

 

dACL's, you must have IP Device Tracking enabled.  If the switch is unable to determine the endpoint's IP address, the dACL cannot be applied.  Do a "show auth sess int gx/y detail" to see if the authentication/authorization is successful and whether or not the ACL is applied.  In that output, make sure the IPv4 field has a correct IP address.  Then make sure the status shows authorized.  Towards the bottom of that output, you will see what policies were applied from the server.  It should show the ACL there with some random naming to keep it unique to the session.  You can then do a show ip access-list <name> using that ACL name that shows up in that output.  That would be the ACL that is applied to that particular endpoint's session.

If you don't see the session authorized in the show auth sess int gx/y detail output, then something is not working right.  Could be authentication failed or the policy from the server could not be applied.  For example, if you are trying to do VLAN assignment but the VLAN does not exist on the switch, authorization fails even though authentication was successful.  If you are pushing a dACL that has incorrect syntax, that will fail as well.  Finally, if there is no IPv4 address shown in that output, then the switch cannot apply the dACL.

 

 

make sense?

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

DACL is applied but I need to know how to debug it so I can know what is being blocked by this DACL.

Actually I am testing a new scenario in which I am allowing user to access only few services. 

Now In my case services are allowed but there is some communication issue observed due to DACL and I need to know what is being blocked. I am allowing AD with all ports (For Testing) and in last I am putting deny statement. When I changed from deny to allow (last line) everything starts working..

Rami Ibrahim
Beginner

Hi,

 

You can verify DACL received using:

  1. show authentications session interface <int>
  2. show epm session ip <client_ip>

copy the ACL name and use show access list <DACL_name> to verify the entries.

 

Now, either the switch didn't download DACL entries or the DACL was successfully downloaded but the actual DACL is not having the right entries. you can use debug aaa authentication and flap the port to see this communication also note that you should have logging to buffered to prevent huge output from overloading the console.

 

Make sure ip device tracking is enabled on the port and the switch is configured with the command <radius-server vsa send authentication>

 

View solution in original post

Hi, what you said is not related to my issue.

In my case, DACL is applied but due to some reasons new user can't login on a same machine. So I need to debug DACL to see what is being blocked... 

Hi, Remove the DACL and configure a regular ACL on the switchport with the same entries + deny ip any any log at the end 

 

this way you can see what is being denied since I don't think logging is supported with DACL.

 

 

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel