Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1158
Views
0
Helpful
3
Replies

ISE 802.1x port default access list issue

Go to solution
Maurice Ball
Level 3
Level 3

‎10-15-2019 02:36 AM

I have noticed an issue with clients connecting to the network when I apply a default access list to a 802.1x port. The default access list look as if it takes presence on the port over the DACL. If I remove the default access list the clients can connect to all network resources without any issue but if the default access list is applied to the port the clients have no network access.

 

Have anyone experience this issue and knows how to resolve it?

 

 

interface GigabitEthernet0/2

description TEST PC 802.1x CONNECTION

switchport access vlan 32

switchport mode access

ip access-list ACL-DEFAULT in

authentication event fail action next-method

authentication event server dead action reinitialize vlan 32

authentication event server dead action authorize voice

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity server

authentication violation restrict

mab

snmp trap mac-notification change added

snmp trap mac-notification change removed

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

spanning-tree bpduguard enable

ip dhcp snooping limit rate 20

 

 

nosw-31j-as02#show authentication sessions int g0/2

            Interface:  GigabitEthernet0/2

          MAC Address:  c8d9.d2d2.8524

           IP Address:  Unknown

            User-Name:  8x8Test@laerdal.com

               Status:  Authz Success

               Domain:  DATA

       Oper host mode:  multi-auth

     Oper control dir:  both

        Authorized By:  Authentication Server

           Vlan Group:  N/A

              ACS ACL:  xACSACLx-IP-WIDED_DACL_PERMIT_ANY-5d84c254

      Session timeout:  N/A

         Idle timeout:  N/A

    Common Session ID:  0AB73E2A00000097B9D5203A

      Acct Session ID:  0x00000BA7

               Handle:  0xBE000097

 

Runnable methods list:

       Method   State

       dot1x    Authc Success

       mab      Not run

 

nosw-31j-as02#show acc

nosw-31j-as02#show acces

nosw-31j-as02#show access-lists xACSACLx-IP-WIDED_DACL_PERMIT_ANY-5d84c254

Extended IP access list xACSACLx-IP-WIDED_DACL_PERMIT_ANY-5d84c254 (per-user)

    10 permit ip any any

    20 permit icmp any any

    30 permit udp any any

    40 permit tcp any any

 

 

ip access-list extended ACL-DEFAULT

permit udp any any eq domain

permit ip any host 10.183.18.247

permit ip any host 10.183.18.248

permit udp any eq bootpc any eq bootps

permit ip any host 10.183.18.250

permit ip any host 10.181.1.115

permit ip any host 10.183.18.150

permit ip any host 128.1.11.31

permit ip any host 10.181.1.34

permit ip any host 10.181.1.40

permit ip any host 172.16.0.24

permit ip any host 10.183.18.88

permit icmp any any

deny   ip any any log

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
CarlCarlson1234
Level 1
Level 1

‎10-15-2019 08:05 AM

In my experience this is almost always an IOS bug, where the the session manager shows that the DACL is applied but does not actually pre-pend it to the port acl. I would suggest a tac case.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
CarlCarlson1234
Level 1
Level 1

‎10-15-2019 08:05 AM

In my experience this is almost always an IOS bug, where the the session manager shows that the DACL is applied but does not actually pre-pend it to the port acl. I would suggest a tac case.
0 Helpful

Go to solution
Maurice Ball
Level 3
Level 3
In response to CarlCarlson1234

‎10-15-2019 01:10 PM

That is what I was thinking also. The only issue is it will forward traffic without any issue with the default access list applied to the port if I connect one of the Lenovo laptops to the port. It fails to forward traffic when I connect a HP Elite laptop or a HP printer if the default access list is applied to the port.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to CarlCarlson1234

‎10-22-2019 01:27 AM

also make sure to be following the prescriptive wired guide - https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515
this can also happen when ip device tracking is not enabled
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents