ISE pre-auth access-list

jack samuel
Level 1

Dears,

I have created a pre-auth access-list for Cisco ISE 1.4, as per the "Switch Configuration Required to Support Cisco ISE Functions 2.0" guide. The Cisco IP phone is being properly profiled and it downloads the proper access-list, i.e. permit ip any any, but when I make a call to the PSTN I hear one-way audio. When I look at the switch logs, they show me that the RTP has been blocked by the default access-list. I have one question: when my DACL is downloaded properly, then why is the default ACL interrupting the RTP? I also see that port numbers 2000 and 2443 are being blocked by the default access-list, by which the phone loses its connection to the server; these are used for keepalives to the CUCM.

Anything I am missing?

Thanks


jan.nielsen
Level 7

Sounds like the DACL is not actually getting applied on the switch port. Try posting the output of "show auth session int x/x" and "show ip access-list int x/x" when the phone is on and doesn't work.

Dear Jan,

Here is the output. I can see the DACL downloaded, but the access-list on the interface is not seen:

sh authentication sessions int gig5/3
            Interface:  GigabitEthernet5/3
          MAC Address:  1c1d.862f.2485
           IP Address:  10.108.48.13
            User-Name:  1C-1D-86-2F-24-85
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-IP-PHONE-TO-CUCM-GATEWAY-56d830e3
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AD02F3300005BB7DBA6FB44
      Acct Session ID:  0x00005CA4
               Handle:  0x7B000C14

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

ASW01#sh ip access-list  interface gig5/3

Thanks

OK, so try to check the output of "show ip device tracking int x/x", and also show us the contents of the DACL you are using in ISE. Did you validate the syntax of the DACL in ISE?

Dear Jan,

Please find the attached snapshot showing the DACL is valid, but as per the below output I can see only the PC and not the phone on the port. I have noticed one thing: as soon as the phone registers and I dial the PSTN user, the RTP packets flow perfectly, but after a few seconds the PSTN user is not able to hear me. Then, when I apply the RTP access-list element (permit udp any host 10.208.14.1 range 16384 32767) in the default access-list, it works. But the question is why we need to edit the default access-list when things are permitted from ISE.

sh ip device tracking int gig5/3
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
---------------------------------------------------------------------
  IP Address     MAC Address   Vlan  Interface              STATE
---------------------------------------------------------------------
10.208.36.11    c8cb.b80f.3f92  36   GigabitEthernet5/3     INACTIVE

Total number interfaces enabled: 21
Enabled interfaces:
  Gi2/1, Gi2/2, Gi2/3, Gi2/4, Gi2/5, Gi2/6, Gi2/7,
  Gi2/8, Gi2/9, Gi2/10, Gi2/11, Gi2/13, Gi2/15, Gi2/48,
  Gi3/5, Gi3/22, Gi3/24, Gi5/3, Gi6/20, Gi6/22, Gi6/42

Access-list contents

permit udp any host 10.208.5.1 eq 69
permit udp any host 10.208.5.2 eq 69
permit udp any host 10.208.5.1 eq 6969
permit udp any host 10.208.5.2 eq 6969
permit tcp any host 10.208.5.1 eq 8443
permit tcp any host 10.208.5.2 eq 8443
permit tcp any host 10.208.5.1 eq 8080
permit tcp any host 10.208.5.2 eq 8080
permit tcp any host 10.208.5.1 eq 2000
permit tcp any host 10.208.5.2 eq 2000
permit tcp any host 10.208.5.1 eq 2443
permit tcp any host 10.208.5.2 eq 2443
permit tcp any host 10.208.5.1 eq 2445
permit tcp any host 10.208.5.2 eq 2445
permit tcp any host 10.208.5.1 eq 3804
permit tcp any host 10.208.5.2 eq 3804
permit tcp any host 10.208.5.1 eq 5060
permit tcp any host 10.208.5.2 eq 5060
permit udp any host 10.208.5.1 eq 5060
permit udp any host 10.208.5.2 eq 5060
permit tcp any host 10.208.5.1 eq 5061
permit tcp any host 10.208.5.2 eq 5061
permit tcp any host 10.208.5.1 eq 6970
permit tcp any host 10.208.5.2 eq 6970
permit udp any host 10.208.5.1 range 16384 32767
permit udp any host 10.208.5.2 range 16384 32767
permit udp any host 10.208.14.1 range 16384 32767
permit udp any host 10.208.5.1 eq 123
permit udp any host 10.208.5.2 eq 123

permit tcp any host 10.208.14.1 eq 5060
permit udp any host 10.208.14.1 eq 5060

permit tcp any host 10.208.14.1 eq 5061
permit udp any host 10.208.14.1 eq 5061

deny ip any any
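As an added illustration (not code from the thread), the DACL above can be evaluated offline to confirm that it does permit the RTP and SCCP flows the switch logs showed being dropped; if those flows are dropped anyway, the ACL being enforced on the port is not the downloaded one. The evaluator below implements first-match semantics for the ACE syntax used in the posted DACL; the ACL subset and the sample flows (phone address taken from the session output) are constructed for the example.

```python
import re

# Constructed subset of the DACL posted above (same Cisco extended-ACL syntax).
DACL = """
permit tcp any host 10.208.5.1 eq 2000
permit tcp any host 10.208.5.1 eq 2443
permit udp any host 10.208.5.1 range 16384 32767
permit udp any host 10.208.14.1 range 16384 32767
permit udp any host 10.208.14.1 eq 5060
deny ip any any
""".strip().splitlines()

# One access-control entry: action, protocol, source, destination, optional dst port(s).
ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp)\s+(?:any|host\s+(\S+))\s+(?:any|host\s+(\S+))"
    r"(?:\s+eq\s+(\d+)|\s+range\s+(\d+)\s+(\d+))?\s*$"
)

def parse_ace(line):
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action, proto, src, dst, eq, lo, hi = m.groups()
    if eq:
        ports = (int(eq), int(eq))
    elif lo:
        ports = (int(lo), int(hi))
    else:
        ports = (0, 65535)          # no port qualifier: any destination port
    return action, proto, src, dst, ports   # src/dst of None means "any"

def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation; a flow matching no ACE hits the implicit deny."""
    for line in acl_lines:
        action, p, src, dst, (lo, hi) = parse_ace(line)
        if p != "ip" and p != proto:
            continue
        if src is not None and src != src_ip:
            continue
        if dst is not None and dst != dst_ip:
            continue
        if not lo <= dst_port <= hi:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    phone = "10.108.48.13"   # phone address from the session output in the thread
    # RTP to the gateway, SCCP keepalive to CUCM, and an unrelated flow
    print(evaluate(DACL, "udp", phone, "10.208.14.1", 20000))   # permit
    print(evaluate(DACL, "tcp", phone, "10.208.5.1", 2000))     # permit
    print(evaluate(DACL, "tcp", phone, "10.208.5.1", 22))       # deny
```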

This is the issue; it should be in there. Also, the PC is behind the phone, yes? Both should be in there with state ACTIVE; if they are not, DACLs are not applied to the port, as the switch has no knowledge of what IP address is on the port.

Try debugging device tracking to see if this is the case. There are also a few options when configuring device tracking that you might try:

"ip device tracking probe delay 5" and "ip device tracking use-svi". If you are running a very new switch software, you might also have other newer options.
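As an added example of the check Jan describes (not code from the thread), the script below parses a "show ip device tracking" table and compares it against the authenticated sessions on the port: any session whose MAC is missing from the table, or present but not ACTIVE, has no address the switch can bind its DACL to. The tracking text and the session records are constructed samples shaped like the outputs posted above (the DATA-domain PC session and its ACL names are assumed).

```python
import re

# Constructed sample shaped like the thread's "show ip device tracking int" table.
TRACKING_OUTPUT = """\
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
---------------------------------------------------------------------
  IP Address     MAC Address   Vlan  Interface              STATE
---------------------------------------------------------------------
10.208.36.11    c8cb.b80f.3f92  36   GigabitEthernet5/3     INACTIVE
"""

# Constructed sessions shaped like "show authentication sessions int" output,
# one per host on the port (the DATA session for the PC is assumed).
SESSIONS = [
    {"interface": "GigabitEthernet5/3", "mac": "1c1d.862f.2485",
     "ip": "10.108.48.13", "domain": "VOICE"},
    {"interface": "GigabitEthernet5/3", "mac": "c8cb.b80f.3f92",
     "ip": "10.208.36.11", "domain": "DATA"},
]

# One table row: IP, MAC, VLAN, interface, STATE separated by whitespace.
ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f.]+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$"
)

def parse_tracking(text):
    """Return {(interface, mac): (ip, state)} for every row of the table."""
    entries = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ip, mac, _vlan, intf, state = m.groups()
            entries[(intf, mac)] = (ip, state)
    return entries

def sessions_without_dacl_binding(sessions, tracking):
    """Sessions whose host is absent from, or not ACTIVE in, device tracking.
    For these the switch has no IP to attach the DACL to, so only the port's
    static pre-auth ACL is actually filtering their traffic."""
    problems = []
    for s in sessions:
        entry = tracking.get((s["interface"], s["mac"]))
        if entry is None:
            problems.append((s["mac"], s["domain"], "not tracked"))
        elif entry[1] != "ACTIVE":
            problems.append((s["mac"], s["domain"], entry[1]))
    return problems

if __name__ == "__main__":
    for mac, domain, reason in sessions_without_dacl_binding(
            SESSIONS, parse_tracking(TRACKING_OUTPUT)):
        print(f"{domain} session {mac}: DACL not bound ({reason})")
```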

Dear Jan,

Thanks for the reply. I uploaded the Cisco recommended IOS and the issue was solved. Now I can see both the phone as well as the PC.

But before, when I used to execute the command sh authentication sessions int gig 5/3, it appeared as below, but with the latest code 3.6.3 it is not appearing as before.

sh authentication sessions int gig5/3
            Interface:  GigabitEthernet5/3
          MAC Address:  1c1d.862f.2485
           IP Address:  10.108.49.13
            User-Name:  1C-1D-86-2F-24-85
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-IP-PHONE-TO-CUCM-GATEWAY-56d830e3
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AD02F3300005BB7DBA6FB44
      Acct Session ID:  0x00005CA4
               Handle:  0x7B000C14

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

What's not the same?

Try using "details" after the command.

+5 for you, thanks for replying.

Regards

Jack