cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

10720
Views
15
Helpful
14
Replies
paul1202
Beginner

ISE dACL downloaded, but not applied to port

Hi,

I have configured ISE 2.1 and NAD, a 3650 switch to have a client download a dACL when authorised. The dACL is simply ip permit any any as I just want to see the dACL successfully working before making it specific.

I see the dACL is successfully downloaded to the Switch, but is not applied to the port where the client PC is attached.

Below is the config and testing performed.

aaa new-model
!
aaa group server radius ISE_Servers
 server name sbrx-ise-a01
 server name sbrx-ise-a02
!
aaa authentication login default none
aaa authentication login VTY group radius local
aaa authentication login ISE-Login group ISE_Servers local
aaa authentication dot1x default group ISE_Servers
aaa authorization console
aaa authorization exec default none
aaa authorization exec VTY group radius local
aaa authorization exec ISE-Login group ISE_Servers local if-authenticated
aaa authorization network default group ISE_Servers
aaa accounting exec default start-stop group ISE_Servers
!                
aaa server radius dynamic-author
 client 172.30.2.170 server-key 7 144621582E24292074272174
 client 172.30.3.170 server-key 7 0257370829260C2A1C411B58
!
device-sensor accounting
device-sensor notify all-changes
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/12
 switchport access vlan 120
 switchport mode access
 switchport voice vlan 102
 no logging event link-status
 no logging event power-inline-status
 authentication event fail action next-method
 authentication event server dead action authorize vlan 120
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 7200
 authentication timer inactivity 180
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
radius server sbrx-ise-a01
 address ipv4 172.30.2.170 auth-port 1645 acct-port 1646
 timeout 2
 key 7 091D7D5A3B2514190F5C2B386A
!
radius server sbrx-ise-a02
 address ipv4 172.30.3.170 auth-port 1645 acct-port 1646
 timeout 2
 key 7 101F3A4A273711000854053965
!

Test-Room-F#sh ip access-lists interface gigabitEthernet 1/0/12
Test-Room-F#

Test-Room-F#sh ip access-lists
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
    100 deny udp any any eq domain
    101 deny tcp any any eq domain
    102 deny udp any eq bootps any
    103 deny udp any any eq bootpc
    104 deny udp any eq bootpc any
    105 permit tcp any any eq www
Extended IP access list implicit_deny_acl
    10 deny ip any any
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910 (per-user)
    1 permit ip any any

Test-Room-F#sh authentication sessions interface gigabitEthernet 1/0/12 detail
            Interface:  GigabitEthernet1/0/12
               IIF-ID:  0xC3CA4000000F34 
          MAC Address:  b05a.da3a.0b80
         IPv6 Address:  Unknown
         IPv4 Address:  172.30.28.123
            User-Name:  YYYY\xxxxx-xxxxx
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  7200s (local), Remaining: 6895s
       Timeout action:  Reauthenticate
      Restart timeout:  N/A
       Session Uptime:  306s
    Common Session ID:  AC1E01B7000013863DD2CF52
      Acct Session ID:  Unknown
               Handle:  0x0C000E9B
       Current Policy:  POLICY_Gi1/0/12

Local Policies:
         Idle timeout:  180 sec
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

         
Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910

Method status list:
       Method           State

       dot1x            Authc Success
       mab              Stopped

Any thoughts on why I don't see the ip permit any any on gi1/0/12  after a successful authorisation much appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions

I have now found out that the c3650/c3850 switches do NOT support  the show ip access-lists interface x/x command.

show platform acl definition and show auth sess int

View solution in original post

14 REPLIES 14
nspasov
Cisco Employee

Hi Paul-

A couple of questions:

1. What version of code are you running on the 3650?

2. Can you confirm that IP Device Tracking is NOT disabled? Perhaps even post the output from show ip device tracking

Thank you for rating helpful posts!

Hi Neno,

Thanks for your response.

The 3650's are running 15.2(2).E4.

I need to double check the current running configuration, but I'm pretty certain that ip device tracking has been enabled, but it does not show up in the config (possibly now the default option??).

I thought it was only used by the switch to substitute the dACL source address of ANY to the specific IP address of the host and shouldn't have any affect on it actually being applied.

I'll confirm tomorrow.

Thanks Paul

IP Device Tracking did become a default command at some point of Cisco IOS but I don't remember the exact version. If you do "show run all" you can check all default commands that are in the running config. Or if you do "show ip device tracking" If that has any output then you are running it. 

And yes, the dACL gets constructed based on the IP Address of the host and the destination address in the ACL. With that said, can you also post the dACL that you are pushing from ISE?

Thank you for rating helpful posts!

From my original post you will see that it is just a simple permit ip any any as I just want to prove and see it is being downloaded successfully before being more specific.

Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910 (per-user)
    1 permit ip any any

Yes, as I thought, ip device tracking is enabled.

Test-Room-F#sh ip device tracking all
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------------------------------
  IP Address    MAC Address   Vlan  Interface           Probe-Timeout      State    Source
-----------------------------------------------------------------------------------------------
172.30.7.183    0800.0f5e.7d81 102  GigabitEthernet1/0/26  30              ACTIVE   ARP
172.30.28.171   88ae.1db7.3780 120  GigabitEthernet1/0/26  30              ACTIVE   ARP
172.30.28.176   0018.1c01.964f 120  GigabitEthernet1/0/36  30              ACTIVE   ARP
172.30.28.139   3863.bbaf.a9b9 120  GigabitEthernet1/0/45  30              INACTIVE ARP
172.30.28.200   84b2.6102.c840 120  GigabitEthernet1/0/1   30              ACTIVE   ARP
172.30.4.49     0010.3603.2562 102  GigabitEthernet1/0/35  30              ACTIVE   ARP
172.30.28.123   b05a.da3a.0b80 120  GigabitEthernet1/0/12  30              ACTIVE   ARP

Total number interfaces enabled: 46
Enabled interfaces:
  Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7,
  Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14,
  Gi1/0/15, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/20, Gi1/0/21, Gi1/0/22,
  Gi1/0/23, Gi1/0/24, Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28, Gi1/0/29,
  Gi1/0/30, Gi1/0/31, Gi1/0/32, Gi1/0/33, Gi1/0/34, Gi1/0/35, Gi1/0/36,
  Gi1/0/37, Gi1/0/38, Gi1/0/39, Gi1/0/40, Gi1/0/41, Gi1/0/42, Gi1/0/43,
  Gi1/0/44, Gi1/0/45, Gi1/0/46, Gi1/0/47

I have now found out that the c3650/c3850 switches do NOT support  the show ip access-lists interface x/x command.

show platform acl definition and show auth sess int

View solution in original post

Thanks for posting this,

Hi Paul

 

Have you ever managed to solve this issue?

 

I am currently having the same problem with ISE 2.4 (Patch 10) and a 2960X with 15.2(4)E6.

 

Cheers,

 

Christian

Hello,

I'm running ISE 2.6 patch 6 and have a similar issue.  My ACLs were applied in ISE 2.3 however now that we are on ISE 2.6 patch 6 and I try to update one the switches don't see the change.  Has anyone seen this?  I to run 2960x model switches with code version 15.2(7)E2.

Thanks,

Pete

sdfgdfgfddfdfgdf
Beginner

Same here, but I am told that the issue is intermittent.

Any help much appreciated, debugs I can use, etc.

C2960X 15.2(6)E

ISE 2.4 Patch 5

 

ISE live logs says the dacl was sent to the switch successfully.

"show ip access-list interface gix/x/x" shows a default pre-auth acl instead.

 

With dACL's, you must have IP Device Tracking enabled.  If the switch is unable to determine the endpoint's IP address, the dACL cannot be applied.  Do a "show auth sess int gx/y detail" to see if the authentication/authorization is successful and whether or not the ACL is applied.  In that output, make sure the IPv4 field has a correct IP address.  Then make sure the status shows authorized.  Towards the bottom of that output, you will see what policies were applied from the server.  It should show the ACL there with some random naming to keep it unique to the session.  You can then do a show ip access-list <name> using that ACL name that shows up in that output.  That would be the ACL that is applied to that particular endpoint's session.

If you don't see the session authorized in the show auth sess int gx/y detail output, then something is not working right.  Could be authentication failed or the policy from the server could not be applied.  For example, if you are trying to do VLAN assignment but the VLAN does not exist on the switch, authorization fails even though authentication was successful.  If you are pushing a dACL that has incorrect syntax, that will fail as well.  Finally, if there is no IPv4 address shown in that output, then the switch cannot apply the dACL.

Thanks

In my cas the VLAN was not defined in my switch.

So after adding the VLAN, it works perfactley.

Thanks

jijain
Cisco Employee

Hi All,

 

I am facing a similar issue.I am having my ISE , Windows 7 machine & vSwitch image ( IOU) inside eve-ng.I see the dacl & VLAN 10 downloaded to the switch but could not see the dacl on the interface.The reason i understand is that switch has not learned endpoint ip address .But i see the status as authorized also could see the ip access list in cli show ip acces-list.

 

SW-P#show authentication sessions interface gigabitEthernet 1/2 details
Interface: GigabitEthernet1/2
MAC Address: 5000.0006.0000
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: user
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC1001FE0000000C00025B70
Acct Session ID: 0x00000002
Handle: 0x61000001
Current Policy: POLICY_Gi1/2

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
Vlan Group: Vlan: 10
Security Policy: None

Security Status: Link Unsecure

Method status list:
Method State
dot1x Authc Success

 

SW-P#show ip access-lists
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3 (per-user)
1 permit ip any any

 

 

SW-P#show ip device tracking interface gigabitEthernet 1/2
--------------------------------------------
Interface GigabitEthernet1/2 is: STAND ALONE
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Enabled Features:
HOST_TRACK_CLIENT_SM
--------------------------------------------

 

Kindly let me know what is the issue...

 

Thanks,

Jitendra

jijain
Cisco Employee

Issue is resolved..

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel