Is there a way to debug DACL pushed from ISE??

MALi-786
Level 1

ISE is pushing a DACL on a switch port, but my required communication is not working. Just wondering if there is a way I can debug or see what is being blocked by this DACL?

Kindly help.

Accepted Solution

Rami Ibrahim
Level 1

Hi,

You can verify the DACL received using:

  1. show authentication sessions interface <int>
  2. show epm session ip <client_ip>

Copy the ACL name and use show access-lists <DACL_name> to verify the entries.

Now, either the switch didn't download the DACL entries, or the DACL was successfully downloaded but the actual DACL does not have the right entries. You can use debug aaa authentication and flap the port to see this communication; also note that you should have logging buffered to prevent huge output from overloading the console.

Make sure ip device tracking is enabled on the port and the switch is configured with the command <radius-server vsa send authentication>.


6 Replies

balaji.bandi
Hall of Fame

You need to understand here how the ACL is pushed to the end device or port based on the identity:

https://ipdemystify.com/2020/08/21/how-the-downloadable-acl-is-pushed-by-cisco-ise-to-the-switch/

The questions to be asked here:

 - Has this ever worked, or is it a new setup?

1. Is it only 1 port, or is any user logged in from the switch not able to work?

2. Are other switches working as expected?

3. What is the model and version of the switch, and what is the ISE version here?

Here are my notes from my docs:

 

For dACLs, you must have IP Device Tracking enabled. If the switch is unable to determine the endpoint's IP address, the dACL cannot be applied. Do a "show auth sess int gx/y detail" to see if the authentication/authorization is successful and whether or not the ACL is applied. In that output, make sure the IPv4 field has a correct IP address. Then make sure the status shows authorized. Towards the bottom of that output, you will see what policies were applied from the server. It should show the ACL there with some random naming to keep it unique to the session. You can then do a show ip access-list <name> using that ACL name that shows up in that output. That would be the ACL that is applied to that particular endpoint's session.

If you don't see the session authorized in the show auth sess int gx/y detail output, then something is not working right. It could be that authentication failed or that the policy from the server could not be applied. For example, if you are trying to do VLAN assignment but the VLAN does not exist on the switch, authorization fails even though authentication was successful. If you are pushing a dACL that has incorrect syntax, that will fail as well. Finally, if there is no IPv4 address shown in that output, then the switch cannot apply the dACL.

Make sense?

BB

The DACL is applied, but I need to know how to debug it so I can know what is being blocked by this DACL.

Actually, I am testing a new scenario in which I am allowing the user to access only a few services.

Now, in my case the services are allowed, but there is some communication issue observed due to the DACL, and I need to know what is being blocked. I am allowing AD with all ports (for testing), and at the end I am putting a deny statement. When I changed the last line from deny to allow, everything started working.


Hi, what you said is not related to my issue.

In my case, the DACL is applied, but for some reason a new user can't log in on the same machine. So I need to debug the DACL to see what is being blocked...

Hi, remove the DACL and configure a regular ACL on the switchport with the same entries plus deny ip any any log at the end.

This way you can see what is being denied, since I don't think logging is supported with a DACL.
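With the "log" keyword on the final deny, the switch emits %SEC-6-IPACCESSLOGP (tcp/udp) and %SEC-6-IPACCESSLOGDP (icmp) syslog messages into the logging buffer for every denied packet; the script below, added here as an example and not part of the thread, parses such a buffer and totals denied packets per flow so the blocked service is visible at a glance. The endpoint addresses, the ACL name PORT-ACL and the log lines are constructed for the example.

```python
import re
from collections import Counter
# Field layout follows the IOS %SEC-6-IPACCESSLOGP (tcp/udp) and %SEC-6-IPACCESSLOGDP (icmp) messages.
ACL_LOG_TCPUDP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
ACL_LOG_ICMP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"icmp (?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<itype>\d+)/(?P<icode>\d+)\), "
    r"(?P<count>\d+) packets?")

def parse_acl_log_line(line):
    """Return a dict for one ACL log message, or None for any other syslog line."""
    m = ACL_LOG_TCPUDP.search(line)
    if m:
        d = m.groupdict()
        d["flow"] = f"{d['proto']} {d['src']} -> {d['dst']}:{d['dport']}"
        return d
    m = ACL_LOG_ICMP.search(line)
    if m:
        d = m.groupdict()
        d["flow"] = f"icmp {d['src']} -> {d['dst']} type {d['itype']}/{d['icode']}"
        return d
    return None

def summarize_denies(lines, acl_name=None):
    """Sum denied packets per flow; rank with .most_common() to see what is blocked."""
    totals = Counter()
    for line in lines:
        e = parse_acl_log_line(line)
        if e is None or e["action"] != "denied":
            continue  # not an ACL log line, or a permitted packet
        if acl_name is not None and e["acl"] != acl_name:
            continue
        totals[e["flow"]] += int(e["count"])
    return totals

# Constructed sample buffer (hypothetical endpoint 10.10.20.15, hypothetical ACL PORT-ACL).
SAMPLE_LOG = """\
Mar  1 10:02:11.123: %SEC-6-IPACCESSLOGP: list PORT-ACL denied tcp 10.10.20.15(51234) -> 10.10.5.8(135), 1 packet
Mar  1 10:02:12.456: %SEC-6-IPACCESSLOGP: list PORT-ACL permitted tcp 10.10.20.15(51240) -> 10.10.5.8(389), 1 packet
Mar  1 10:02:15.789: %SEC-6-IPACCESSLOGP: list PORT-ACL denied udp 10.10.20.15(137) -> 10.10.20.255(137), 3 packets
Mar  1 10:02:20.001: %SEC-6-IPACCESSLOGDP: list PORT-ACL denied icmp 10.10.20.15 -> 10.10.5.9 (8/0), 2 packets
Mar  1 10:02:21.002: %SEC-6-IPACCESSLOGP: list PORT-ACL denied tcp 10.10.20.15(51250) -> 10.10.5.8(135), 4 packets
Mar  1 10:02:30.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""
if __name__ == "__main__":
    for flow, packets in summarize_denies(SAMPLE_LOG.splitlines()).most_common():
        print(f"{packets:5d}  {flow}")
```

Feed it the output of show logging after reproducing the failure; the top entries are the flows the deny line is catching.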
