ISE dACL downloaded, but not applied to port

paul1202
Level 1

Hi,

I have configured ISE 2.1 and a NAD, a 3650 switch, so that a client downloads a dACL when authorised. The dACL is simply ip permit any any, as I just want to see the dACL working before making it specific.

I see the dACL is successfully downloaded to the switch, but it is not applied to the port where the client PC is attached.

Below is the config and testing performed.

aaa new-model
!
aaa group server radius ISE_Servers
 server name sbrx-ise-a01
 server name sbrx-ise-a02
!
aaa authentication login default none
aaa authentication login VTY group radius local
aaa authentication login ISE-Login group ISE_Servers local
aaa authentication dot1x default group ISE_Servers
aaa authorization console
aaa authorization exec default none
aaa authorization exec VTY group radius local
aaa authorization exec ISE-Login group ISE_Servers local if-authenticated
aaa authorization network default group ISE_Servers
aaa accounting exec default start-stop group ISE_Servers
!
aaa server radius dynamic-author
 client 172.30.2.170 server-key 7 144621582E24292074272174
 client 172.30.3.170 server-key 7 0257370829260C2A1C411B58
!
device-sensor accounting
device-sensor notify all-changes
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/12
 switchport access vlan 120
 switchport mode access
 switchport voice vlan 102
 no logging event link-status
 no logging event power-inline-status
 authentication event fail action next-method
 authentication event server dead action authorize vlan 120
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 7200
 authentication timer inactivity 180
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
radius server sbrx-ise-a01
 address ipv4 172.30.2.170 auth-port 1645 acct-port 1646
 timeout 2
 key 7 091D7D5A3B2514190F5C2B386A
!
radius server sbrx-ise-a02
 address ipv4 172.30.3.170 auth-port 1645 acct-port 1646
 timeout 2
 key 7 101F3A4A273711000854053965
!

Test-Room-F#sh ip access-lists interface gigabitEthernet 1/0/12
Test-Room-F#

Test-Room-F#sh ip access-lists
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
    100 deny udp any any eq domain
    101 deny tcp any any eq domain
    102 deny udp any eq bootps any
    103 deny udp any any eq bootpc
    104 deny udp any eq bootpc any
    105 permit tcp any any eq www
Extended IP access list implicit_deny_acl
    10 deny ip any any
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910 (per-user)
    1 permit ip any any

Test-Room-F#sh authentication sessions interface gigabitEthernet 1/0/12 detail
            Interface:  GigabitEthernet1/0/12
               IIF-ID:  0xC3CA4000000F34 
          MAC Address:  b05a.da3a.0b80
         IPv6 Address:  Unknown
         IPv4 Address:  172.30.28.123
            User-Name:  YYYY\xxxxx-xxxxx
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  7200s (local), Remaining: 6895s
       Timeout action:  Reauthenticate
      Restart timeout:  N/A
       Session Uptime:  306s
    Common Session ID:  AC1E01B7000013863DD2CF52
      Acct Session ID:  Unknown
               Handle:  0x0C000E9B
       Current Policy:  POLICY_Gi1/0/12

Local Policies:
         Idle timeout:  180 sec
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910

Method status list:
       Method           State

       dot1x            Authc Success
       mab              Stopped

Any thoughts on why I don't see the ip permit any any on gi1/0/12 after a successful authorisation would be much appreciated.
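The three show commands above are the evidence for "downloaded but not applied": the session's Server Policies names an ACS ACL, `show ip access-lists` lists that ACL as `(per-user)`, yet `show ip access-lists interface` prints nothing for the port. The script below is an added example for this thread (not code from the post or from Cisco) that cross-checks those three outputs and classifies the session. The sample strings are copied from the output pasted in the post, trimmed to the lines the checks use; it is assumed that the interface form of the command prints applied per-user ACLs in the same `Extended IP access list NAME (per-user)` layout as the global form, so one parser handles both.

```python
"""Cross-check IOS-XE show-command output for an ISE dACL that was downloaded
but never bound to the client session.  Added example for this thread, not
code from the original post or from Cisco; sample output is copied from the
post and trimmed to the lines the checks use."""
import re

# --- sample input, constructed from the output pasted in the post ---------
SHOW_IP_ACCESS_LISTS = """\
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
    100 deny udp any any eq domain
    101 deny tcp any any eq domain
    105 permit tcp any any eq www
Extended IP access list implicit_deny_acl
    10 deny ip any any
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    60 deny ip any any
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910 (per-user)
    1 permit ip any any
"""

# 'sh ip access-lists interface gigabitEthernet 1/0/12' printed nothing.
SHOW_IP_ACCESS_LISTS_INTERFACE = ""

SHOW_AUTH_SESSION = """\
            Interface:  GigabitEthernet1/0/12
          MAC Address:  b05a.da3a.0b80
         IPv6 Address:  Unknown
         IPv4 Address:  172.30.28.123
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910
Method status list:
       Method           State
       dot1x            Authc Success
       mab              Stopped
"""

ACL_HEADER = re.compile(r"^Extended IP access list (\S+)(?: \((per-user)\))?\s*$")
ACE_LINE = re.compile(r"^\s+(\d+) (permit|deny) (.+?)\s*$")
# "Key:  value" rows of 'show authentication sessions ... detail'; the
# key is matched non-greedily so values containing ':' survive intact.
SESSION_FIELD = re.compile(r"^\s*([A-Za-z0-9 -]+?):\s+(.*?)\s*$")


def parse_access_lists(text):
    """Return {acl_name: {"per_user": bool, "aces": [(seq, action, match)]}}.

    Works for both 'show ip access-lists' and (assumed) its 'interface' form."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = {"per_user": m.group(2) is not None, "aces": []}
            continue
        m = ACE_LINE.match(line)
        if m and current is not None:
            acls[current]["aces"].append((int(m.group(1)), m.group(2), m.group(3)))
    return acls


def parse_session(text):
    """Flatten the 'Key:  value' rows of one session into a dict."""
    fields = {}
    for line in text.splitlines():
        m = SESSION_FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def diagnose(session, switch_acls, interface_acls):
    """Classify the dACL state of one session.

    no-dacl                 ISE returned no ACS ACL for this session
    not-downloaded          ACS ACL is named but absent from the switch
    downloaded-not-applied  present on the switch, not bound to the port
    applied                 present and bound to the port"""
    name = session.get("ACS ACL")
    if not name:
        return "no-dacl"
    if name not in switch_acls:
        return "not-downloaded"
    if name not in interface_acls:
        return "downloaded-not-applied"
    return "applied"


def hints(session, switch_acls):
    """Facts visible in the captures that usually explain a stuck dACL."""
    out = []
    if session.get("Status") != "Authorized":
        out.append("session is not Authorized; no server policy is enforced")
    if session.get("IPv4 Address", "Unknown") == "Unknown":
        # The per-user ACL is built against the client's IP, so the switch
        # must have learned it (IP device tracking) before it can bind it.
        out.append("client IPv4 address unknown to the switch; check IP device tracking")
    acl = switch_acls.get(session.get("ACS ACL", ""))
    if acl and not acl["per_user"]:
        out.append("ACL exists but is not flagged (per-user)")
    if acl and not acl["aces"]:
        out.append("downloaded ACL is empty")
    return out


if __name__ == "__main__":
    sess = parse_session(SHOW_AUTH_SESSION)
    print(sess["Interface"], diagnose(sess, parse_access_lists(SHOW_IP_ACCESS_LISTS),
                                      parse_access_lists(SHOW_IP_ACCESS_LISTS_INTERFACE)))
    for h in hints(sess, parse_access_lists(SHOW_IP_ACCESS_LISTS)):
        print(" -", h)
```

For the captures in the post the verdict is `downloaded-not-applied` with no hints, which matches what the poster sees: the session is Authorized, the client IP is known, and the ACL is present and flagged `(per-user)`, so the usual device-tracking explanation does not fit this capture. To use it on a live switch, paste each command's output into the three strings (or read them from files) and check every access port in one pass.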

16 Replies

Hi Jijain

I am facing the same issue. How did you fix it? Please note I am running 15.2(2a)E6.

cgmt
Cisco Employee

How did you solve that issue?