11-24-2015 01:10 AM - edited 03-10-2019 11:16 PM
Hi there,
I'm checking out ISE in a test environment.
I have successfully authenticated my PC already via 802.1X PEAP.
Now I plan to go further and use DACLs, but there seems to be an issue I don't see...
For example, I configured this DACL. Once I enable it, I'm no longer authenticated after restarting the process (disable/enable my NIC). When I use the default DACL permit ip any any it works, also when I change my DACL to that. Any idea why my DACL makes trouble?
```
permit tcp any host 10.x.y.208 eq 22
permit tcp any host 10.a.b.110 eq 443
```
Is my switch maybe the problem? Do I need IP Base? I haven't found that info yet.
```
Switch Ports Model              SW Version   SW Image
------ ----- -----              ----------   ----------
*    1 28    WS-C2960S-24PS-L   15.2(2)E3    C2960S-UNIVERSALK9-M
```
```
sh license
Index 1 Feature: lanlite
    Period left: 0 minute 0 second
Index 2 Feature: lanbase
    Period left: Life time
    License Type: Permanent
    License State: Active, In Use
    License Priority: Medium
    License Count: Non-Counted
```
Any idea would be great.
Sebastian
11-27-2015 06:42 PM
LAN Base should be enough to support your configuration. In the future you can reference the ISE Compatibility Matrix:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/compatibility/ise_sdt.html
With regards to your problem, I have a few questions/requests:
1. Are you saying that everything works as long as the DACL is permit ip any any ?
2. Can you post the following output from your switch:
- AAA configs
- Port config (where the endpoint is connecting)
- Output of `show authentication session interface x/y detail`
- Screenshot of your DACL that you are pushing
- Screenshot of the Authorizatoin Profile that you are pushing to that session
Thank you for rating helpful posts!
11-30-2015 04:04 AM
1. Yes, that's what I'm saying.
2. Below are the outputs.
```
sh run | incl aaa
aaa new-model
aaa group server radius ISE_GROUP
aaa authentication login VTY group radius local
aaa authentication login CONSOLE local
aaa authentication dot1x default group ISE_GROUP
aaa authorization network default group ISE_GROUP
aaa authorization configuration default group ISE_GROUP
aaa accounting dot1x default start-stop group ISE_GROUP
aaa server radius dynamic-author
aaa session-id common
```
```
sh run int gi 1/0/14
interface GigabitEthernet1/0/14
 description **802.1x-Test**
 switchport access vlan 108
 switchport mode access
 ip access-group PreAuth in
 no logging event link-status
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 no snmp trap link-status
 dot1x pae authenticator
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
```
```
show authentication session interface gi 1/0/14 detail
            Interface:  GigabitEthernet1/0/14
          MAC Address:  fc15.b4eb.b39b
         IPv6 Address:  Unknown
         IPv4 Address:  10.x.108.25
            User-Name:  host/MD02RS0025.dom02.net
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A0102D000000049215E928E
      Acct Session ID:  0x000004C8
               Handle:  0xBF00003B
       Current Policy:  POLICY_Gi1/0/14

Local Policies:
     Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
              ACS ACL: xACSACLx-IP-test_helmer-565423b2

Method status list:
       Method           State
       dot1x            Authc Success
```
11-30-2015 11:44 AM
So according to the logs your authentication and authorization are succeeding. Can you give me more details on what is not working? Your original comment said that authentication is failing, but according to the logs that you posted that is not the case.
Also, post the output from `show ip access-list interface g1/0/14` and see if the proper DACL is being applied.
Thank you for rating helpful posts!
12-02-2015 12:13 AM
Thanks to all, I will also rate later...
Yesterday I got another hint that fixed the problem.
Due to my pre-ACL on that port, DHCP is working, and ping for testing etc.; that's not the issue.
It was something like DHCP snooping, so my switch does not see the IPs/MACs configured in the DACL, and RADIUS commands should be added as well; that's why it was not working after I got authenticated and got my IP via DHCP etc. That's what I understand of it; I will check in more detail later to really understand it.
After I got the necessary commands it works..
Thanks to all of you..
Sebastian
```
radius-server attribute 6 on-for-login-auth
ip device tracking probe delay 10
```
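The fix above comes down to the switch needing an IPv4 address for the endpoint before it can apply an IP-based dACL. As an added example (not from the thread or from Cisco), here is a small Python check that parses `show authentication sessions ... detail` output and flags sessions where a dACL was pushed but the switch still reports the IPv4 address as Unknown, which is the symptom to look for when IP device tracking is missing. The session text below is constructed; interface names, MACs and the ACL name are placeholders.

```python
import re

# Constructed sample output: Gi1/0/14 has a learned IP, Gi1/0/15 does not
# (what you see when IP device tracking is not enabled on the switch).
SAMPLE = """\
Interface: GigabitEthernet1/0/14
MAC Address: 0000.1111.2222
IPv6 Address: Unknown
IPv4 Address: 10.0.108.25
User-Name: host/PC1.example.net
Status: Authorized
Server Policies:
ACS ACL: xACSACLx-IP-EXAMPLE-00000000
Interface: GigabitEthernet1/0/15
MAC Address: 0000.3333.4444
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: host/PC2.example.net
Status: Authorized
Server Policies:
ACS ACL: xACSACLx-IP-EXAMPLE-00000000
"""

KV_LINE = re.compile(r"\s*([A-Za-z0-9 \-]+?):\s*(.*)$")


def parse_sessions(text):
    """Split the detail output into one dict per session (keyed by 'Interface')."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if not m:                      # e.g. the 'Method  State' table rows
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Interface":         # a new session block starts here
            cur = {"Interface": val}
            sessions.append(cur)
        elif cur is not None:
            cur[key] = val
    return sessions


def dacl_problems(sessions):
    """Interfaces where a dACL was pushed but the switch knows no IPv4 address."""
    return [s["Interface"] for s in sessions
            if "ACS ACL" in s and s.get("IPv4 Address", "Unknown") == "Unknown"]


if __name__ == "__main__":
    for intf in dacl_problems(parse_sessions(SAMPLE)):
        print(f"{intf}: dACL applied but no IPv4 address learned (check ip device tracking)")
```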
09-17-2016 01:01 PM
Hi,
Do you need the `ip device tracking probe delay 10` as well?
I sometimes discover problems. Then ip device tracking does not show the client IP.
But we can not discover any problems with duplicate ip address detection.
Afaik, the workaround for this problem is the 10 second probe delay.
Best regards
Alois
12-01-2015 08:13 AM
Are you on a static address??
You don't have anything to allow DHCP, so when your client device connects it doesn't have an address.
12-01-2015 11:58 PM
You're missing either device tracking or DHCP snooping. At least that's not within the config you're showing us.