I'm checking out the ISE in a test environment.
I have successfully authenticated my PC already by 802.1x PEAP.
Now I plan to go further and use DACLs, but there seems to be an issue I don't see...
For example, I configured the DACL below. Once I enable it, I'm no longer authenticated after restarting the process (disable/enable my NIC). When I use the default DACL `permit ip any any` it works, also when I change my DACL to that. Any idea why my DACL makes trouble?

```
permit tcp any host 10.x.y.208 eq 22
permit tcp any host 10.a.b.110 eq 443
```

Is my switch maybe the problem? Do I need IP Base? I haven't found that info so far.
```
Switch Ports Model              SW Version   SW Image
------ ----- -----              ----------   ----------
*    1 28    WS-C2960S-24PS-L   15.2(2)E3    C2960S-UNIVERSALK9-M

Index 1 Feature: lanlite
        Period left: 0 minute 0 second
Index 2 Feature: lanbase
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
        License Count: Non-Counted
```
Any idea would be great.
LAN Base should be enough to support your configuration. In the future you can reference the ISE Compatibility Matrix.
With regards to your problem, I have a few questions/requests:
1. Are you saying that everything works as long as the DACL is `permit ip any any`?
2. Can you post the following output from your switch:
- AAA configs
- Port config (where the endpoint is connecting)
- Output of `show authentication session interface x/y detail`
- Screenshot of your DACL that you are pushing
- Screenshot of the Authorization Profile that you are pushing to that session
Thank you for rating helpful posts!
1. Yes, that's what I'm saying.
2. Below are the outputs.
```
sh run | incl aaa
aaa group server radius ISE_GROUP
aaa authentication login VTY group radius local
aaa authentication login CONSOLE local
aaa authentication dot1x default group ISE_GROUP
aaa authorization network default group ISE_GROUP
aaa authorization configuration default group ISE_GROUP
aaa accounting dot1x default start-stop group ISE_GROUP
aaa server radius dynamic-author
aaa session-id common
```

```
sh run int gi 1/0/14
 switchport access vlan 108
 switchport mode access
 ip access-group PreAuth in
 no logging event link-status
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 no snmp trap link-status
 dot1x pae authenticator
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 no cdp enable
 spanning-tree bpduguard enable
```

```
show authentication session interface gi 1/0/14 detail
            MAC Address:  fc15.b4eb.b39b
           IPv6 Address:  Unknown
           IPv4 Address:  10.x.108.25
         Oper host mode:  multi-auth
       Oper control dir:  both
        Session timeout:  N/A
      Common Session ID:  0A0102D000000049215E928E
        Acct Session ID:  0x000004C8
         Current Policy:  POLICY_Gi1/0/14
       Service Template:  DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
                ACS ACL:  xACSACLx-IP-test_helmer-565423b2
     Method status list:
       dot1x             Authc Success
```
So according to the logs, your authentication and authorization are succeeding. Can you give me more details on what is not working? Your original comment said that authentication is failing, but according to the logs that you posted that is not the case.
Also, post the output from `show ip access-list interface g1/0/14` and see if the proper DACL is being applied.
Thank you for rating helpful posts!
Thanks to all, I will also rate later...
Yesterday I got another hint that fixed the problem.
Due to my pre-ACL on that port, DHCP is working, and ping for testing etc.; that's not the issue.
It was something like DHCP snooping, so my switch does not see the IPs/MACs configured in the DACL; the radius commands should be added as well. That's why it was not working after I got authenticated and got my IP via DHCP etc. That's what I understand of it; I will check in more detail later to really understand it.
After I got the necessary commands it works..
Thanks to all of you..

```
radius-server attribute 6 on-for-login-auth
ip device tracking probe delay 10
```
Do you need the `ip device tracking probe delay 10` also?
I sometimes discover problems. Then ip device tracking does not show the client IP.
But we cannot discover any problems with duplicate IP address detection.
AFAIK, the workaround for this problem is the 10 second probe delay.
Are you on a static address?
You don't have anything to allow DHCP, so when your client devices connect they don't have an address.
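As an added example (not code from the thread or from Cisco), here is a small Python check for the point raised in the last reply: once ISE pushes the dACL it replaces the port ACL, and the implicit deny at the end drops anything not listed, so the two lines from the first post would also block DHCP and DNS. The ACE grammar, the port-name table and the sample lines are assumptions made for this example.

```python
import re

# Constructed sample: the two dACL lines from the first post, with the
# masked octets kept exactly as the poster wrote them.
SAMPLE_DACL = """\
permit tcp any host 10.x.y.208 eq 22
permit tcp any host 10.a.b.110 eq 443
"""

# Assumed minimal grammar for the extended-ACL lines ISE pushes as a dACL:
#   permit|deny <proto> <src> [eq <sport>] <dst> [eq <dport>]
ACE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)

# Port names IOS accepts in place of numbers (subset, assumed for the example).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "ssh": 22, "www": 80}


def parse_dacl(text):
    """Return one dict per ACE; raise on a line the grammar does not cover."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank line or IOS comment
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed ACE: {line!r}")
        port = m["dport"]
        entries.append({"action": m["action"], "proto": m["proto"].lower(),
                        "dport": None if port is None else int(PORT_NAMES.get(port, port))})
    return entries


def permits(entries, proto, dport):
    """True if a permit ACE covers proto/dport; 'ip' or a missing port is a wildcard."""
    return any(e["action"] == "permit" and (e["proto"] == "ip" or
               (e["proto"] == proto and e["dport"] in (None, dport))) for e in entries)


def check_dacl(text):
    """Findings to raise before pushing a dACL: everything not listed hits the implicit deny."""
    entries = parse_dacl(text)
    findings = []
    if not permits(entries, "udp", 67):
        findings.append("DHCP: no permit for udp to port 67 (bootps); the client cannot "
                        "renew its lease once the dACL replaces the port ACL")
    if not permits(entries, "udp", 53):
        findings.append("DNS: no permit for udp to port 53 (domain)")
    return findings
```

Running `check_dacl(SAMPLE_DACL)` reports both gaps; adding `permit udp any eq bootpc any eq bootps` and `permit udp any any eq domain` in front of the two original lines clears them.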