10-12-2016 06:30 AM - edited 03-11-2019 12:08 AM
Hi,
I have configured ISE 2.1 and NAD, a 3650 switch to have a client download a dACL when authorised. The dACL is simply ip permit any any as I just want to see the dACL successfully working before making it specific.
I see the dACL is successfully downloaded to the Switch, but is not applied to the port where the client PC is attached.
Below is the config and testing performed.
aaa new-model
!
aaa group server radius ISE_Servers
server name sbrx-ise-a01
server name sbrx-ise-a02
!
aaa authentication login default none
aaa authentication login VTY group radius local
aaa authentication login ISE-Login group ISE_Servers local
aaa authentication dot1x default group ISE_Servers
aaa authorization console
aaa authorization exec default none
aaa authorization exec VTY group radius local
aaa authorization exec ISE-Login group ISE_Servers local if-authenticated
aaa authorization network default group ISE_Servers
aaa accounting exec default start-stop group ISE_Servers
!
aaa server radius dynamic-author
client 172.30.2.170 server-key 7 144621582E24292074272174
client 172.30.3.170 server-key 7 0257370829260C2A1C411B58
!
device-sensor accounting
device-sensor notify all-changes
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/12
switchport access vlan 120
switchport mode access
switchport voice vlan 102
no logging event link-status
no logging event power-inline-status
authentication event fail action next-method
authentication event server dead action authorize vlan 120
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 7200
authentication timer inactivity 180
authentication violation restrict
mab
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
radius server sbrx-ise-a01
address ipv4 172.30.2.170 auth-port 1645 acct-port 1646
timeout 2
key 7 091D7D5A3B2514190F5C2B386A
!
radius server sbrx-ise-a02
address ipv4 172.30.3.170 auth-port 1645 acct-port 1646
timeout 2
key 7 101F3A4A273711000854053965
!
Test-Room-F#sh ip access-lists interface gigabitEthernet 1/0/12
Test-Room-F#
Test-Room-F#sh ip access-lists
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list implicit_deny_acl
10 deny ip any any
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910 (per-user)
1 permit ip any any
Test-Room-F#sh authentication sessions interface gigabitEthernet 1/0/12 detail
Interface: GigabitEthernet1/0/12
IIF-ID: 0xC3CA4000000F34
MAC Address: b05a.da3a.0b80
IPv6 Address: Unknown
IPv4 Address: 172.30.28.123
User-Name: YYYY\xxxxx-xxxxx
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 7200s (local), Remaining: 6895s
Timeout action: Reauthenticate
Restart timeout: N/A
Session Uptime: 306s
Common Session ID: AC1E01B7000013863DD2CF52
Acct Session ID: Unknown
Handle: 0x0C000E9B
Current Policy: POLICY_Gi1/0/12
Local Policies:
Idle timeout: 180 sec
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910
Method status list:
Method State
dot1x Authc Success
mab Stopped
Any thoughts on why I don't see the ip permit any any on gi1/0/12 after a successful authorisation would be much appreciated.
10-12-2016 11:29 AM
Hi Paul-
A couple of questions:
1. What version of code are you running on the 3650?
2. Can you confirm that IP Device Tracking is NOT disabled? Perhaps even post the output from show ip device tracking
Thank you for rating helpful posts!
10-13-2016 07:59 AM
Hi Neno,
Thanks for your response.
The 3650's are running 15.2(2).E4.
I need to double check the current running configuration, but I'm pretty certain that ip device tracking has been enabled, but it does not show up in the config (possibly now the default option??).
I thought it was only used by the switch to substitute the dACL source address of ANY with the specific IP address of the host and shouldn't have any effect on it actually being applied.
I'll confirm tomorrow.
Thanks Paul
10-13-2016 09:35 AM
IP Device Tracking did become a default command at some point in Cisco IOS, but I don't remember the exact version. If you do "show run all" you can check all default commands that are in the running config. Or, if you do "show ip device tracking" and that has any output, then you are running it.
And yes, the dACL gets constructed based on the IP Address of the host and the destination address in the ACL. With that said, can you also post the dACL that you are pushing from ISE?
Thank you for rating helpful posts!
10-13-2016 11:26 AM
From my original post you will see that it is just a simple permit ip any any as I just want to prove and see it is being downloaded successfully before being more specific.
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910 (per-user)
1 permit ip any any
10-14-2016 12:02 AM
Yes, as I thought, ip device tracking is enabled.
Test-Room-F#sh ip device tracking all
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------------------------------
IP Address MAC Address Vlan Interface Probe-Timeout State Source
-----------------------------------------------------------------------------------------------
172.30.7.183 0800.0f5e.7d81 102 GigabitEthernet1/0/26 30 ACTIVE ARP
172.30.28.171 88ae.1db7.3780 120 GigabitEthernet1/0/26 30 ACTIVE ARP
172.30.28.176 0018.1c01.964f 120 GigabitEthernet1/0/36 30 ACTIVE ARP
172.30.28.139 3863.bbaf.a9b9 120 GigabitEthernet1/0/45 30 INACTIVE ARP
172.30.28.200 84b2.6102.c840 120 GigabitEthernet1/0/1 30 ACTIVE ARP
172.30.4.49 0010.3603.2562 102 GigabitEthernet1/0/35 30 ACTIVE ARP
172.30.28.123 b05a.da3a.0b80 120 GigabitEthernet1/0/12 30 ACTIVE ARP
Total number interfaces enabled: 46
Enabled interfaces:
Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7,
Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14,
Gi1/0/15, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/20, Gi1/0/21, Gi1/0/22,
Gi1/0/23, Gi1/0/24, Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28, Gi1/0/29,
Gi1/0/30, Gi1/0/31, Gi1/0/32, Gi1/0/33, Gi1/0/34, Gi1/0/35, Gi1/0/36,
Gi1/0/37, Gi1/0/38, Gi1/0/39, Gi1/0/40, Gi1/0/41, Gi1/0/42, Gi1/0/43,
Gi1/0/44, Gi1/0/45, Gi1/0/46, Gi1/0/47
10-14-2016 06:42 AM
I have now found out that the c3650/c3850 switches do NOT support the show ip access-lists interface x/x command.
Use show platform acl definition and show auth sess int instead.
03-22-2017 12:32 PM
Thanks for posting this,
02-06-2020 04:17 AM
Hi Paul
Have you ever managed to solve this issue?
I am currently having the same problem with ISE 2.4 (Patch 10) and a 2960X with 15.2(4)E6.
Cheers,
Christian
06-08-2020 08:17 PM
Hello,
I'm running ISE 2.6 patch 6 and have a similar issue. My ACLs were applied in ISE 2.3; however, now that we are on ISE 2.6 patch 6 and I try to update one, the switches don't see the change. Has anyone seen this? I too run 2960X model switches with code version 15.2(7)E2.
Thanks,
Pete
10-01-2020 02:12 AM
Same here, but I am told that the issue is intermittent.
Any help much appreciated, debugs I can use, etc.
C2960X 15.2(6)E
ISE 2.4 Patch 5
ISE live logs says the dacl was sent to the switch successfully.
"show ip access-list interface gix/x/x" shows a default pre-auth acl instead.
10-01-2020 07:25 AM
With dACLs, you must have IP Device Tracking enabled. If the switch is unable to determine the endpoint's IP address, the dACL cannot be applied. Do a "show auth sess int gx/y detail" to see if the authentication/authorization is successful and whether or not the ACL is applied. In that output, make sure the IPv4 field has a correct IP address. Then make sure the status shows authorized. Towards the bottom of that output, you will see what policies were applied from the server. It should show the ACL there with some random naming to keep it unique to the session. You can then do a show ip access-list <name> using that ACL name that shows up in that output. That would be the ACL that is applied to that particular endpoint's session.
If you don't see the session authorized in the show auth sess int gx/y detail output, then something is not working right. Could be authentication failed or the policy from the server could not be applied. For example, if you are trying to do VLAN assignment but the VLAN does not exist on the switch, authorization fails even though authentication was successful. If you are pushing a dACL that has incorrect syntax, that will fail as well. Finally, if there is no IPv4 address shown in that output, then the switch cannot apply the dACL.
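An added check script, not from any poster in this thread, that applies the three checks above (status, IPv4 address, server ACL) to constructed copies of the session outputs posted in this thread, and models the source "any" to host-IP substitution that is the reason the learned IPv4 address is required:

```python
import re

# Constructed sample, modelled on the thread's first session output:
# authorized, IPv4 learned, dACL present under Server Policies.
SESSION_OK = """\
Interface: GigabitEthernet1/0/12
MAC Address: b05a.da3a.0b80
IPv4 Address: 172.30.28.123
User-Name: YYYY\\xxxxx-xxxxx
Status: Authorized
Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910
"""

# Constructed sample, modelled on the eve-ng case: authorized, but the
# switch never learned the host IP, so no per-user ACL is bound.
SESSION_NO_IP = """\
Interface: GigabitEthernet1/2
MAC Address: 5000.0006.0000
IPv4 Address: Unknown
User-Name: user
Status: Authorized
Server Policies:
Vlan Group: Vlan: 10
"""


def parse_session(text):
    """Collect the 'Key: Value' fields of a session detail dump into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_dacl(text):
    """Return (ok, detail): ok is True when a dACL is bound to the session."""
    f = parse_session(text)
    if f.get("Status") != "Authorized":
        return False, "not Authorized: authentication or authorization failed"
    if f.get("IPv4 Address", "Unknown") == "Unknown":
        return False, "IPv4 Address Unknown: device tracking has not learned the host"
    if "ACS ACL" not in f:
        return False, "no ACS ACL under Server Policies: ISE pushed no dACL"
    return True, f["ACS ACL"]


def per_user_acl(dacl_lines, host_ip):
    """Rewrite the source 'any' of each ACE to the learned host IP, as the
    switch does when it builds the per-user copy of a dACL."""
    pat = re.compile(r"^(\d+ (?:permit|deny) \S+) any")
    return [pat.sub(rf"\1 host {host_ip}", ace) for ace in dacl_lines]
```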
02-17-2021 10:32 AM
Thanks
In my case the VLAN was not defined in my switch.
So after adding the VLAN, it works perfectly.
Thanks
07-22-2021 03:35 AM
Hi All,
I am facing a similar issue. I have my ISE, a Windows 7 machine and a vSwitch image (IOU) inside eve-ng. I see the dACL and VLAN 10 downloaded to the switch but cannot see the dACL on the interface. The reason, as I understand it, is that the switch has not learned the endpoint IP address. But I see the status as authorized and can also see the IP access list in the CLI with show ip access-list.
SW-P#show authentication sessions interface gigabitEthernet 1/2 details
Interface: GigabitEthernet1/2
MAC Address: 5000.0006.0000
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: user
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC1001FE0000000C00025B70
Acct Session ID: 0x00000002
Handle: 0x61000001
Current Policy: POLICY_Gi1/2
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
Vlan Group: Vlan: 10
Security Policy: None
Security Status: Link Unsecure
Method status list:
Method State
dot1x Authc Success
SW-P#show ip access-lists
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3 (per-user)
1 permit ip any any
SW-P#show ip device tracking interface gigabitEthernet 1/2
--------------------------------------------
Interface GigabitEthernet1/2 is: STAND ALONE
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Enabled Features:
HOST_TRACK_CLIENT_SM
--------------------------------------------
Kindly let me know what the issue is...
Thanks,
Jitendra
07-22-2021 09:34 PM
Issue is resolved.