MAB host connected via IP Phone Authorization with DACL

geeyc5113
Level 1

Hi, not sure if any of you have experienced the same and have a solution for me.  I am currently facing an issue.  There are 3 scenarios.  Only the 3rd scenario has a problem.

Scenario 1: No problem

Host (dot1x) -----------> Cisco IP Phone (MAB)---------> 3750X Switch

1. IP phone successfully authorised with voice domain.

2. Host successfully authorised with dedicated DACL assigned from ISE 2.3.

Scenario 2: No problem

Host (MAB) --------------> 3750X Switch

1. IP phone successfully authorised with voice domain.

2. Host, upon connecting to the switch, hits the CWA policy.  Once the user keys in credentials, the host is authenticated and authorised with dedicated DACL and new VLAN assignment.  Host is able to access the destination according to the DACL.

Scenario 3: Problem

Host (MAB) ---------------> Cisco IP Phone (MAB) ----------------> 3750X switch

1. IP Phone successfully authorised with voice domain.

2. Host, upon connecting to the switch, hits the CWA policy.  Once the user keys in credentials, the host is authenticated and authorised with dedicated DACL and new VLAN assignment.  From the switch "show authentication session interface Gix/x/x", I can see the DACL and VLAN assigned to the host, and the host successfully obtains the new VLAN with a new IP; however, the host fails to access the destination which is allowed in the DACL.

If any of you have the solution, please advise.   By the way, what is the minimum firmware version for 3750X to support the above deployment?

Accepted Solution

hslai
Cisco Employee

This seems an issue with IOS or the switch platform. Please engage Cisco TAC if not already done, or move your discussion to the platform support forum, Switching.


Replies

paul
Level 10

How are you getting the host to get the new IP after the CWA policy?  Are you sure IP device tracking picked up the IP change so the source IP in the DACL changed correctly?

From the endpoint, the IP automatically changes to the new IP address that it is supposed to be.  When I do "show vlan", I can see the port is assigned to the correct VLAN.  And in "show authentication session interface", the dACL assigned is also correct.  And I have tested in my dACL allowing only a few IPs: I can access the allowed IPs and am not able to access the denied IPs.

Everything is working fine.  But when the host is connected via the IP Phone, "show vlan", "show authentication session interface" and the dACL are still correct.  The endpoint still manages to get the correct IP.  But somehow the host is unable to reach anywhere.

I am just wondering if the deployment only supports a single MAB at each port?  As in my case, the PC host is using MAB and the IP phone is also MAB, causing the problem?  If the PC host is dot1x and connected to the IP phone, there is no issue as well.

Verify client is assigned correct IP and dACL correctly applied via ...

cat3750x#sh ip access-list interface gigabitEthernet x/0/y
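One way to script the check paul and Craig describe above (the session's IP device tracking address versus the source the switch substituted into the programmed per-user dACL), as an added Python example that is not part of this thread. The two IOS outputs are constructed samples that only approximate the real "show" formats.

```python
import re
from typing import Optional, Set

# Constructed sample, modelled on "show authentication sessions interface Gi1/0/12 details"
# for a MAB host that passed CWA and was moved to VLAN 30 (not real device output).
SESSION_AFTER_CWA = """\
            Interface:  GigabitEthernet1/0/12
          MAC Address:  0050.5684.a3b4
         IPv4 Address:  10.30.0.15
            User-Name:  jdoe
               Status:  Authorized
               Domain:  DATA
        Vlan Policy:  30
            ACS ACL:  xACSACLx-IP-PERMIT_USER-5b3e1c9f
"""

# Constructed "show ip access-lists interface Gi1/0/12" sample: the dACL as programmed,
# with the session IP substituted for "any" as the source of every entry.
DACL_FRESH = """\
Extended IP access list xACSACLx-IP-PERMIT_USER-5b3e1c9f (per-user)
    10 permit ip host 10.30.0.15 host 10.1.1.50
    20 deny ip host 10.30.0.15 any
"""

# Same dACL, but IP device tracking never learned the post-CWA address, so the entries
# still carry the pre-VLAN-change IP: nothing the host now sends matches the permit.
DACL_STALE = DACL_FRESH.replace("10.30.0.15", "10.20.0.15")

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def session_ipv4(session_output: str) -> Optional[str]:
    """IPv4 address held for the session (what IP device tracking learned), or None."""
    m = re.search(r"IPv4 Address:\s+" + IPV4, session_output)
    return m.group(1) if m else None

def dacl_source_hosts(acl_output: str) -> Set[str]:
    """Source host addresses the switch substituted into the per-user dACL entries."""
    return set(re.findall(r"^\s*\d+\s+(?:permit|deny)\s+\S+\s+host\s+" + IPV4, acl_output, re.M))

def check_dacl_binding(session_output: str, acl_output: str) -> dict:
    """A session IP that differs from the dACL sources means the dACL is bound to an address
    the host no longer uses, which looks exactly like 'authorized but cannot reach anything'."""
    ip = session_ipv4(session_output)
    sources = dacl_source_hosts(acl_output)
    return {
        "session_ip": ip,
        "dacl_sources": sorted(sources),
        "ip_matches_dacl": ip is not None and sources == {ip},
        # kthiruve's point below: a redirect ACL lingering after CWA also blackholes traffic
        "url_redirect_still_applied": "URL Redirect ACL" in session_output,
    }
```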

Craig,

That brings up a question. That command doesn't work on XE switches. I mean the CLI takes it but never shows the ACL. I might have seen it only on switches where I am running CPL, not sure.


kthiruve
Cisco Employee

You can try "sh auth session details interface x/y", which will give you details of all the sessions on the interface.

If "sh auth session" does not work, try "sh access sessions"...

Also make sure the URL-redirect ACL is not applied after authentication is complete.

Hi, you may refer back to my first post.  As mentioned, "show authentication session" shows that all are correct.

The problem now is just when the host is connected via the IP phone; "show authentication session" is still correct.  However, I still have had no chance to check the IP access list as suggested by chyps.  I will give the answer once checked.
