09-12-2019 10:52 PM
Hi,
I am currently working on ISE 2.6 in a lab setup with an older 3750 switch running v15.0.
It appears I have 802.1x and MAB auth working as expected, but I am having an issue with using dACLs and Pre-Auth ACLs to enforce authorisation and access.
In this scenario, I am simulating an unauthorised endpoint - 192.168.2.104 / 0050.562e.f15c. As I've set it in authentication open mode, I am allowing MAB authentication and trying to lock it down via the use of Pre Auth ACL and a dACL with a deny ip any any.
Furthermore, as I am using VMs, I have a number of VM hosts bridged to the single physical NIC on the VM bare metal server, and have that physically connected to a single port - 1/0/14. As such, I am using authentication host-mode multi-auth.
Once the endpoint (192.168.2.104) is connected, I see the correct dACL being downloaded, and it appears to be applied, as per the output below.
I've also enabled ip device tracking to ensure the per user ACL is applied. This also appears to be working.
But even though these ACLs seem to be in place, they don't actually seem to be blocking any traffic. I've read through a lot of documentation and can't see where I am going wrong.
If I apply a normal extended ACL to a non 802.1x port - it appears to work as expected.
But on the 802.1x port - I can't seem to get the dACL or any ACL to actually block anything.
Below are some config details, with output relating to the host in red
core-01#show run interface gigabitEthernet 1/0/14
Building configuration...
Current configuration : 628 bytes
!
interface GigabitEthernet1/0/14
description ** ISE LAB **
switchport access vlan 2
switchport mode access
ip device tracking maximum 10
ip access-group TEST in
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x pae supplicant
spanning-tree portfast
end
core-01#show authentication sessions
Interface MAC Address Method Domain Status Session ID
Gi1/0/14 ac87.a30b.2d8c mab DATA Authz Success C0A8010100000BFE258C1A69
Gi1/0/14 0050.562e.f15c mab DATA Authz Success C0A8010100000BFF258C1EDE
Gi1/0/14 000c.2922.14a4 mab DATA Authz Success C0A8010100000C00258C1EDE
core-01#show authentication sessions int gigabitEthernet 1/0/14
Interface: GigabitEthernet1/0/14
MAC Address: ac87.a30b.2d8c
IP Address: 192.168.2.6
User-Name: AC-87-A3-0B-2D-8C
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-LABBY_WHITELIST-5d70ae7b
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8010100000BFE258C1A69
Acct Session ID: 0x00000CD0
Handle: 0x28000BFF
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/14
MAC Address: 0050.562e.f15c
IP Address: 192.168.2.104
User-Name: 00-50-56-2E-F1-5C
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-DENY_ALL_IPV4_TRAFFIC-57f6b0d3
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8010100000BFF258C1EDE
Acct Session ID: 0x00000CD1
Handle: 0x34000C00
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/14
MAC Address: 000c.2922.14a4
IP Address: 192.168.2.254
User-Name: 00-0C-29-22-14-A4
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-LABBY_WHITELIST-5d70ae7b
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8010100000C00258C1EDE
Acct Session ID: 0x00000CD2
Handle: 0xF3000C01
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
core-01#show access-list
Extended IP access list Auth-Default-ACL-OPEN
10 permit ip any any
Extended IP access list IPV4_PRE_AUTH_ACL
10 permit udp any eq bootpc any eq bootps (6 matches)
20 permit udp any any eq domain
30 permit ip host 192.168.2.6 any (46 matches)
40 deny ip any any
Extended IP access list TEST
10 deny ip any any log (149611 matches)
Extended IP access list xACSACLx-IP-DENY_ALL_IPV4_TRAFFIC-57f6b0d3 (per-user)
10 deny ip any any
Extended IP access list xACSACLx-IP-LABBY_WHITELIST-5d70ae7b (per-user)
10 permit ip any any
core-01#show ip access-lists interface gigabitEthernet 1/0/14
permit ip host 192.168.2.254 any (3 matches)
deny ip host 192.168.2.104 any (1 match)
permit ip host 192.168.2.6 any
core-01#show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 10
-----------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
-----------------------------------------------------------------------
192.168.2.104 0050.562e.f15c 2 GigabitEthernet1/0/14 ACTIVE
192.168.2.6 ac87.a30b.2d8c 2 GigabitEthernet1/0/14 ACTIVE
192.168.2.254 000c.2922.14a4 2 GigabitEthernet1/0/14 ACTIVE
Total number interfaces enabled: 1
Enabled interfaces:
Gi1/0/14
core-01#
But when I am on the host, nothing is being blocked. Below shows a ping, but I can access all services - HTTP etc.
When I log the ACL and do terminal mon, I can see some denies being listed - but only traffic to 192.168.1.104 - but nothing from this host. And more so, even though it says it's being denied, it isn't actually. Pings, for instance, work fine and get the response regardless of the logs.
C:\Users\bob>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : labby.local
Link-local IPv6 Address . . . . . : fe80::6943:828e:66d7:a133%7
IPv4 Address. . . . . . . . . . . : 192.168.2.104
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.254
C:\Users\bob>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=1ms TTL=127
Reply from 192.168.1.2: bytes=32 time<1ms TTL=127
Reply from 192.168.1.2: bytes=32 time<1ms TTL=127
Reply from 192.168.1.2: bytes=32 time<1ms TTL=127
Ping statistics for 192.168.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\Users\bob>
I am really scratching my head to why this doesn't appear to be working.
Any help ?
09-13-2019 05:54 AM
09-13-2019 06:29 AM
Thanks for your help.
I tried as you suggested - but funnily enough, it seems to have made things worse.
I removed authentication open.
It still authenticates with MAB as expected, and it looks like it has downloaded the dACL.
However, ip device tracking is no longer working and thus the ACL is not being added fully as a per-user ACL.
Furthermore, I can still access everything as before. Even with the port extended ACL in place.
I am just stumped on this!!!
core-01(config)#int gigabitEthernet 1/0/14
core-01(config-if)#no authentication open
core-01#sh run int giga 1/0/14
Building configuration...
Current configuration : 620 bytes
!
interface GigabitEthernet1/0/14
description ** ISE LAB **
switchport access vlan 2
switchport mode access
ip device tracking maximum 10
ip access-group IPV4_PRE_AUTH_ACL in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x pae supplicant
spanning-tree portfast
end
core-01(config-if)#shut
core-01(config-if)#no shut
core-01#show authentication sessions
Interface MAC Address Method Domain Status Session ID
Gi1/0/14 ac87.a30b.2d8c mab DATA Authz Success C0A8010100000C73288CE408
Gi1/0/14 0050.562e.f15c mab DATA Authz Success C0A8010100000C74288F8904
core-01#show authentication sessions interface gigabitEthernet 1/0/14
Interface: GigabitEthernet1/0/14
MAC Address: ac87.a30b.2d8c
IP Address: 192.168.2.6
User-Name: AC-87-A3-0B-2D-8C
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-LABBY_WHITELIST-5d70ae7b
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8010100000C73288CE408
Acct Session ID: 0x00000D48
Handle: 0x04000C74
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/14
MAC Address: 0050.562e.f15c
IP Address: Unknown
User-Name: 00-50-56-2E-F1-5C
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-DENY_ALL_IPV4_TRAFFIC-57f6b0d3
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8010100000C74288F8904
Acct Session ID: 0x00000D49
Handle: 0x74000C75
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
core-01#show ip access-lists
Extended IP access list Auth-Default-ACL-OPEN
10 permit ip any any
Extended IP access list IPV4_PRE_AUTH_ACL
10 permit udp any eq bootpc any eq bootps (6 matches)
20 permit udp any any eq domain
30 permit ip host 192.168.2.6 any (46 matches)
40 deny ip any any (2 matches)
Extended IP access list TEST
10 deny ip any any log (177917 matches)
Extended IP access list xACSACLx-IP-DENY_ALL_IPV4_TRAFFIC-57f6b0d3 (per-user)
10 deny ip any any
Extended IP access list xACSACLx-IP-LABBY_WHITELIST-5d70ae7b (per-user)
10 permit ip any any
core-01#show ip access-lists interface gigabitEthernet 1/0/14   <-- shows nothing now
core-01#show ip device tracking all   <-- not tracking any IPs now
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 10
-----------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
-----------------------------------------------------------------------
Total number interfaces enabled: 1
Enabled interfaces:
Gi1/0/14
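The two posts above show the control-plane chain a dACL depends on: the session must carry an ACS ACL name, the switch must have downloaded that ACL, device tracking must have learned the host's IP, and the per-user ACE must then appear in "show ip access-lists interface". The second post breaks at the third step ("IP Address: Unknown"), which is why the per-user ACL vanishes from the port. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses those three outputs and reports each session whose dACL is not actually programmed on the port. The sample text is constructed from the lines posted above (session blocks trimmed to the fields the check needs); the function names are mine.

```python
import re

# Constructed sample input, taken from the second post above: one session with an
# IP learned, one with "IP Address: Unknown" (only the fields the audit needs).
SESSIONS_OUTPUT = """\
Interface: GigabitEthernet1/0/14
MAC Address: ac87.a30b.2d8c
IP Address: 192.168.2.6
Status: Authz Success
ACS ACL: xACSACLx-IP-LABBY_WHITELIST-5d70ae7b
----------------------------------------
Interface: GigabitEthernet1/0/14
MAC Address: 0050.562e.f15c
IP Address: Unknown
Status: Authz Success
ACS ACL: xACSACLx-IP-DENY_ALL_IPV4_TRAFFIC-57f6b0d3
"""

# The per-user ACLs as "show ip access-lists" prints them (constructed from the thread).
ACL_DEFS_OUTPUT = """\
Extended IP access list xACSACLx-IP-DENY_ALL_IPV4_TRAFFIC-57f6b0d3 (per-user)
10 deny ip any any
Extended IP access list xACSACLx-IP-LABBY_WHITELIST-5d70ae7b (per-user)
10 permit ip any any
"""

# What "show ip access-lists interface" shows on the port: only the whitelisted host.
PORT_ACL_OUTPUT = """\
permit ip host 192.168.2.6 any (3 matches)
"""

FIELD_RE = re.compile(r"^\s*(MAC Address|IP Address|ACS ACL):\s*(\S+)", re.M)
MATCHES_RE = re.compile(r"\s*\(\d+ match(?:es)?\)\s*$")


def parse_sessions(text):
    """One dict per session block: MAC, learned IP (or 'Unknown') and dACL name."""
    sessions = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        fields = dict(FIELD_RE.findall(block))
        if "MAC Address" in fields:
            sessions.append({"mac": fields["MAC Address"],
                             "ip": fields.get("IP Address", "Unknown"),
                             "dacl": fields.get("ACS ACL")})
    return sessions


def parse_acl_defs(text):
    """Map each access-list name to its ordered ACEs as (action, match) tuples."""
    acls, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Extended IP access list (\S+)", line)
        if head:
            current = head.group(1)
            acls[current] = []
            continue
        ace = re.match(r"\s*\d+\s+(permit|deny)\s+(.+)$", MATCHES_RE.sub("", line))
        if ace and current is not None:
            acls[current].append((ace.group(1), ace.group(2).strip()))
    return acls


def parse_port_acl(text):
    """Normalised ACE strings, hit counters stripped, as the interface view prints them."""
    return {" ".join(MATCHES_RE.sub("", line).split())
            for line in text.splitlines() if line.strip()}


def expected_ace(action, match, ip):
    """A per-user ACL is installed with the source 'any' rewritten to the host's IP."""
    return f"{action} " + re.sub(r"^(\S+)\s+any", rf"\1 host {ip}", match, count=1)


def audit(sessions, acl_defs, port_acl):
    """Return (mac, reason) for every session whose dACL is not actually on the port."""
    findings = []
    for s in sessions:
        if not s["dacl"]:
            findings.append((s["mac"], "authorization returned no dACL"))
        elif s["ip"] == "Unknown":
            findings.append((s["mac"], "no IP binding from device tracking, "
                                       "so the per-user ACL cannot be applied"))
        elif s["dacl"] not in acl_defs:
            findings.append((s["mac"], f"dACL {s['dacl']} was not downloaded to the switch"))
        else:
            missing = [expected_ace(a, m, s["ip"]) for a, m in acl_defs[s["dacl"]]
                       if expected_ace(a, m, s["ip"]) not in port_acl]
            if missing:
                findings.append((s["mac"], "port is missing " + "; ".join(missing)))
    return findings


def run():
    """Audit the constructed sample: flags the endpoint whose IP is Unknown."""
    return audit(parse_sessions(SESSIONS_OUTPUT),
                 parse_acl_defs(ACL_DEFS_OUTPUT),
                 parse_port_acl(PORT_ACL_OUTPUT))


if __name__ == "__main__":
    for mac, reason in run():
        print(f"{mac}: {reason}")
```

Feed it the real output of the three show commands and it tells you at which link the chain broke. Note that it only checks what the switch says it programmed; the first post shows the deny ACE present on the port while traffic still flowed, so a passing audit does not replace a live test from the endpoint (the ping above) or the hardware/TCAM view the later reply mentions.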
09-13-2019 07:54 AM
09-13-2019 09:28 AM
09-13-2019 10:33 AM
Specifically what model of 3750 and what version of IOS? Just want to make sure it is covered by the compatibility matrix. I have seen similar issues but never on the 3000-series switches. Usually on the 4500 or 6500 chassis where the "show ip access-list int gx/y" shows the ACL there but in the TCAM, the entries were not put in the right order. I forgot the exact command to see how the TCAM is programmed but it is something along the lines of "show platform hardware tcam…..". You may have to do some work to decode it but it shows exactly what is applied on the port. And that issue I mentioned was very intermittent and dependent on the port too. So it would be fine on one port but not work on another. Try moving to another port on the switch to rule that out. And I know you said you have one physical NIC but just want to make sure you don't have another NIC plugged in and doing load-balancing within vSphere. Other than that, try doing some debugs for ip packet detail or EPM. Another possibility is to try removing the pre-auth ACL and try that way. With newer code, the switch will apply a default pre-auth ACL to the port. The ACL is different whether in monitor mode or enforcement mode.