Solved: ISE 802.1x port default access list issue

Maurice Ball · ‎10-15-2019

I have noticed an issue with clients connecting to the network when I apply a default access list to a 802.1x port. The default access list look as if it takes presence on the port over the DACL. If I remove the default access list the clients can connect to all network resources without any issue but if the default access list is applied to the port the clients have no network access.

Have anyone experience this issue and knows how to resolve it?

interface GigabitEthernet0/2

description TEST PC 802.1x CONNECTION

switchport access vlan 32

switchport mode access

ip access-list ACL-DEFAULT in

authentication event fail action next-method

authentication event server dead action reinitialize vlan 32

authentication event server dead action authorize voice

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity server

authentication violation restrict

mab

snmp trap mac-notification change added

snmp trap mac-notification change removed

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

spanning-tree bpduguard enable

ip dhcp snooping limit rate 20

nosw-31j-as02#show authentication sessions int g0/2

Interface: GigabitEthernet0/2

MAC Address: c8d9.d2d2.8524

IP Address: Unknown

User-Name: 8x8Test@laerdal.com

Status: Authz Success

Domain: DATA

Oper host mode: multi-auth

Oper control dir: both

Authorized By: Authentication Server

Vlan Group: N/A

ACS ACL: xACSACLx-IP-WIDED_DACL_PERMIT_ANY-5d84c254

Session timeout: N/A

Idle timeout: N/A

Common Session ID: 0AB73E2A00000097B9D5203A

Acct Session ID: 0x00000BA7

Handle: 0xBE000097

Runnable methods list:

Method State

dot1x Authc Success

mab Not run

nosw-31j-as02#show acc

nosw-31j-as02#show acces

nosw-31j-as02#show access-lists xACSACLx-IP-WIDED_DACL_PERMIT_ANY-5d84c254

Extended IP access list xACSACLx-IP-WIDED_DACL_PERMIT_ANY-5d84c254 (per-user)

10 permit ip any any

20 permit icmp any any

30 permit udp any any

40 permit tcp any any

ip access-list extended ACL-DEFAULT

permit udp any any eq domain

permit ip any host 10.183.18.247

permit ip any host 10.183.18.248

permit udp any eq bootpc any eq bootps

permit ip any host 10.183.18.250

permit ip any host 10.181.1.115

permit ip any host 10.183.18.150

permit ip any host 128.1.11.31

permit ip any host 10.181.1.34

permit ip any host 10.181.1.40

permit ip any host 172.16.0.24

permit ip any host 10.183.18.88

permit icmp any any

deny ip any any log

CarlCarlson1234 · ‎10-15-2019

In my experience this is almost always an IOS bug, where the the session manager shows that the DACL is applied but does not actually pre-pend it to the port acl. I would suggest a tac case.

View solution in original post

CarlCarlson1234 · ‎10-15-2019

In my experience this is almost always an IOS bug, where the the session manager shows that the DACL is applied but does not actually pre-pend it to the port acl. I would suggest a tac case.

Maurice Ball · ‎10-15-2019

That is what I was thinking also. The only issue is it will forward traffic without any issue with the default access list applied to the port if I connect one of the Lenovo laptops to the port. It fails to forward traffic when I connect a HP Elite laptop or a HP printer if the default access list is applied to the port.

Jason Kunst · ‎10-22-2019

also make sure to be following the prescriptive wired guide - https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515
this can also happen when ip device tracking is not enabled