08-30-2024 10:43 AM
Hi all,
I have a Cisco switch that no longer gets DACLs from ISE. I've tested RADIUS connectivity and all is fine. When doing a pcap off the PSN I see the name of the DACL called "BLAH" (makes it easy to search for in pcaps), but I never see the PSN sending the appropriate AV pairs. I've tried removing the switch from ISE and adding it back. The device profile is set to Cisco. I've been following https://community.cisco.com/t5/security-blogs/how-the-downloadable-acl-is-pushed-by-cisco-ise-to-the-switch/ba-p/4461339 to help me understand more, but I'm at a loss as to what config in ISE is wrong.
Any help is appreciated.
08-31-2024 08:09 AM
You the man! That fixed it.
I guess I now need to make a list for cts authorization list CTSLIST... not sure how the switch would know what IPs are in this list (still learning).
08-31-2024 10:23 AM
Rob, what am I missing? In the link https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/command_sum.html
it says to do as I previously had.
This command is only for the seed device. Non-seed devices obtain the TrustSec AAA server list from their TrustSec authenticator peer as a component of their TrustSec environment data.
The following example displays an AAA configuration of a TrustSec seed device:
Switch# cts credentials id Switch1 password Cisco123
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# aaa authorization network MLIST group radius
Switch(config)# cts authorization list MLIST
Switch(config)# aaa accounting dot1x default start-stop group radius
Switch(config)# radius-server host 10.20.3.1 auth-port 1812 acct-port 1813 pac key AbCe1234
Switch(config)# radius-server vsa send authentication
Switch(config)# dot1x system-auth-control
Switch(config)# exit
08-31-2024 10:30 AM
@ryanbess can you confirm what the problem is in regard to the TrustSec-specific configuration? Or is this still a problem with DACLs?
08-31-2024 11:21 AM
When I put it back to aaa authorization network default group ise-group, now the CTS stuff doesn't work. For example, I can't download new environmental data.
08-31-2024 11:36 AM
@ryanbess you need both method lists; the CTSMLIST must then be referenced with the cts authorization list CTSMLIST command. If you still have a problem, provide your updated configuration.
FYI, it's not recommended nor necessary to use DACLs if you are using TrustSec SGTs at the same time.
08-31-2024 12:17 PM
That one sentence may have just helped me understand so much. So I need this? Do I need the same for the authentication and dot1x stuff?
aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa authorization network CTSLIST group ise-group
aaa authorization auth-proxy default group ise-group
08-31-2024 12:53 PM - edited 08-31-2024 01:12 PM
Check Mr Rob's suggestion.
I think he is correct.
thanks
MHM
08-31-2024 01:10 PM
@ryanbess Yes. You create two authorisation lists, one using the default method list and a custom method list (used for PAC file and environment data download), and reference that custom method list for cts authorisation.
You can download environment data using other methods on newer IOS-XE versions (but I think you have an old 3560, which only supports the method above).
You don't need to convert to IBNS 2.0 or use a custom method list for the 802.1X authorisation.
08-31-2024 01:48 PM
Thank you guys. I now see the AV pairs.
08-31-2024 01:56 PM
Just to clarify, there was no AVP 26 in the first Wireshark capture?
Thanks
MHM
08-31-2024 02:17 PM
There was, just not for ciscoSystems. It had Microsoft (311).
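A check for the symptom discussed in this thread, as an added example (not code from any poster or from Cisco): it decodes the Vendor-Specific attributes (type 26) of a RADIUS Access-Accept, reports which vendor IDs are present, and lists any Cisco av-pair that references a DACL. The two packets and the DACL version suffix are constructed samples.

```python
import struct

RADIUS_VSA = 26          # Vendor-Specific attribute type (RFC 2865)
VENDOR_CISCO = 9         # ciscoSystems
VENDOR_MICROSOFT = 311   # Microsoft
CISCO_AVPAIR = 1         # Cisco vendor-type 1 = cisco-av-pair

def build_radius(code, ident, attrs):
    """Assemble a RADIUS packet with a zeroed authenticator (constructed sample)."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: type 26, length, vendor-id, sub-TLV."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", RADIUS_VSA, 6 + len(inner), vendor_id) + inner

def parse_vsas(pkt):
    """Return [(vendor_id, vendor_type, value)] for every VSA in the packet."""
    out, pos = [], 20                      # attributes start after the 20-byte header
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            break                          # malformed attribute; stop rather than loop
        if atype == RADIUS_VSA and alen >= 8:
            vendor_id = struct.unpack("!I", pkt[pos + 2:pos + 6])[0]
            vpos, end = pos + 6, pos + alen
            while vpos + 2 <= end:
                vtype, vlen = pkt[vpos], pkt[vpos + 1]
                if vlen < 2:
                    break
                out.append((vendor_id, vtype, pkt[vpos + 2:vpos + vlen]))
                vpos += vlen
        pos += alen
    return out

def dacl_references(pkt):
    """Cisco av-pairs that name a DACL or carry one of its lines."""
    return [v.decode() for vid, vt, v in parse_vsas(pkt)
            if vid == VENDOR_CISCO and vt == CISCO_AVPAIR
            and (v.startswith(b"ACS:CiscoSecure-Defined-ACL=") or v.startswith(b"ip:inacl#"))]

# Constructed samples: an Access-Accept carrying only a Microsoft VSA (the thread's
# first capture) and one that also carries the Cisco DACL reference for "BLAH".
ACCEPT_NO_DACL = build_radius(2, 1, [vsa(VENDOR_MICROSOFT, 16, bytes(4))])
ACCEPT_WITH_DACL = build_radius(2, 2, [
    vsa(VENDOR_MICROSOFT, 16, bytes(4)),
    vsa(VENDOR_CISCO, CISCO_AVPAIR, b"ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-BLAH-0000000"),
])  # "-0000000" stands in for the version suffix ISE appends to the DACL name
```

Run `dacl_references()` over a real Access-Accept pulled from the PSN capture: an empty list with only vendor 311 present is exactly the failing case in this thread, while a working setup returns the `ACS:CiscoSecure-Defined-ACL=` reference.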