08-30-2024 10:43 AM
Hi all,
I have a Cisco switch that no longer gets DACLs from ISE. I've tested RADIUS connectivity and all is fine. When doing a pcap off the PSN I see the name of the DACL, called "BLAH" (makes it easy to search for in pcaps), but I never see the PSN sending the appropriate AV pairs. I've tried removing the switch from ISE and adding it back. The device profile is set to Cisco. I've been following https://community.cisco.com/t5/security-blogs/how-the-downloadable-acl-is-pushed-by-cisco-ise-to-the-switch/ba-p/4461339 to help me understand more, but I'm at a loss as to what config in ISE is wrong.
Any help is appreciated.
08-31-2024 07:45 AM
@ryanbess the switch is not requesting to download the DACL from ISE because authorisation configuration is missing for the default method list (the same method list you use for dot1x authentication). Your authorisation method list "CTSLIST" is related to TrustSec.
Configure authorisation for the default method list:
aaa authorization network default group ise-group
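The accepted answer boils down to one rule: every dot1x authentication method list needs an `aaa authorization network` list of the same name pointing at the same RADIUS server group, because the DACL download is an authorization request on that list, and a list that is only referenced by `cts authorization list` serves TrustSec rather than 802.1X sessions. The following is an added example (not code from the thread) that turns that rule into a repeatable check over a running-config; the embedded config excerpt is constructed from the AAA lines ryanbess posted further down, and the finding text and function names are this example's own.

```python
import re

# Constructed excerpt: the AAA-related lines from the running-config posted
# in this thread (only the lines this check needs).
POSTED_AAA = """\
aaa new-model
aaa authentication dot1x default group ise-group
aaa authorization exec default local
aaa authorization network CTSLIST group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting dot1x default start-stop group ise-group
cts authorization list CTSLIST
dot1x system-auth-control
"""

AUTHN_DOT1X = re.compile(r"^aaa authentication dot1x (\S+) (.+)$")
AUTHZ_NET = re.compile(r"^aaa authorization network (\S+) (.+)$")
CTS_LIST = re.compile(r"^cts authorization list (\S+)$")


def _parse(config: str):
    """Collect dot1x authentication lists, network authorization lists and
    the list names bound to TrustSec ('cts authorization list')."""
    authn, authz, cts = {}, {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := AUTHN_DOT1X.match(line):
            authn[m.group(1)] = m.group(2)
        elif m := AUTHZ_NET.match(line):
            authz[m.group(1)] = m.group(2)
        elif m := CTS_LIST.match(line):
            cts.add(m.group(1))
    return authn, authz, cts


def audit_dacl_authorization(config: str) -> list:
    """One finding per dot1x method list that has no usable 'aaa authorization
    network' list of the same name. The DACL download is an authorization
    request on that list, so without it the session authenticates but never
    receives a DACL. Returns [] when nothing is wrong."""
    authn, authz, cts = _parse(config)
    findings = []
    if not authn:
        findings.append("no 'aaa authentication dot1x' list: 802.1X is not using RADIUS at all")
    for lst, servers in authn.items():
        if lst not in authz:
            msg = (f"missing 'aaa authorization network {lst} {servers}': dot1x sessions "
                   f"on list '{lst}' get no server authorization, so no DACL is applied")
            bound = sorted(name for name in authz if name in cts)
            if bound:
                msg += (f"; network authorization list(s) {bound} exist but are bound to "
                        "'cts authorization list' and only serve TrustSec")
            findings.append(msg)
        elif "group " not in authz[lst]:
            findings.append(f"'aaa authorization network {lst} {authz[lst]}' "
                            "does not use a RADIUS server group, so ISE cannot authorize")
    return findings


def suggested_lines(config: str) -> list:
    """The config lines to add: one network authorization list per unmatched
    dot1x list, pointing at the same server group dot1x already uses."""
    authn, authz, _ = _parse(config)
    return [f"aaa authorization network {lst} {servers}"
            for lst, servers in authn.items() if lst not in authz]


if __name__ == "__main__":
    for finding in audit_dacl_authorization(POSTED_AAA):
        print("FINDING:", finding)
    for line in suggested_lines(POSTED_AAA):
        print("ADD:", line)
```

Run against the posted excerpt it reports exactly one finding (the default list has no network authorization) and suggests `aaa authorization network default group ise-group`; appending that line makes the audit come back clean. Feed it a full `show running-config` to check other switches the same way.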
08-30-2024 10:51 AM
Hi friend,
Can I see
show authentication session interface x/x detail
show ip access-list
Share both.
Also, what SW platform do you have?
MHM
08-30-2024 11:07 AM
Here you go, and thanks. This used to work, so I'm trying to learn what I broke.
physical#
physical#show version
Cisco IOS Software, C3560CX Software (C3560CX-UNIVERSALK9-M), Version 15.2(4)E9, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Mon 23-Sep-19 09:53 by prod_rel_team
physical#show auth ses int gi0/4 det
Interface: GigabitEthernet0/4
MAC Address: 5000.0004.0000
IPv6 Address: Unknown
IPv4 Address: 172.16.253.10
User-Name: host/Sub-Win11-01.sub.lab.com
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 181s
Common Session ID: AC10FD030000003301376F54
Acct Session ID: 0x00000028
Handle: 0x93000017
Current Policy: POLICY_Gi0/4
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
Method status list:
Method State
dot1x Authc Success
physical#sho ip access-lists
Extended IP access list ACL-ALLOW
10 permit ip any any
Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 deny ip any any log
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain
20 permit tcp any any eq www
30 permit tcp any any eq 443
Extended IP access list POSTURE-REDIRECT
10 deny udp any any eq domain bootps
20 permit tcp any any eq www
Extended IP access list POSTURE-REDIRECT-ACL
10 deny udp any any eq bootps
20 deny udp any any eq bootpc
30 deny udp any any eq domain
40 deny tcp any host 172.16.255.102
50 deny tcp any host 172.16.255.104
60 permit tcp any any eq www
Extended IP access list POSTURE-REDIRECTION-ACL
10 permit ip any any
Role-based IP access list Permit IP-00 (downloaded)
10 permit ip
Role-based IP access list Permit_IP_Log-00 (downloaded)
10 permit ip log (4 matches)
Extended IP access list RYAN
10 deny udp any any eq bootps
20 deny udp any any eq bootpc
30 deny udp any any eq domain
40 deny tcp any host 172.16.255.102 eq 8443
50 deny tcp any host 172.16.255.104 eq 8443
60 permit tcp any any eq www
70 deny tcp any any eq 445
80 deny udp any host 172.16.255.102 eq 8443
90 deny udp any host 172.16.255.104 eq 8443
100 permit ip any any
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
08-30-2024 11:12 AM
The port is authorized; did you configure any pre-auth ACL?
MHM
08-30-2024 11:13 AM
No pre-auth ACL.
08-30-2024 11:39 AM
The DACL is sent by ISE as an attribute.
Did you configure aaa authorization network ...?
MHM
08-30-2024 12:35 PM
Yes, and in ISE we see the DACL being mentioned. I realize it's not the same session, but we can see it. What I'm learning is I NEVER see the switch asking for the contents of the DACL... as to why, got me.
08-30-2024 02:25 PM - edited 08-30-2024 02:30 PM
The SW does not ask for the DACL in a separate packet.
The DACL is sent from ISE to the SW with the Access-Accept (see the type in the Wireshark capture you shared).
Now the SW receives the DACL but does not use it.
Change the host mode from multi-auth to single-host.
MHM
08-31-2024 03:19 AM
Morning. I have another port on the same switch that is in single-host... same behavior.
physical#show auth ses int gi0/3 det
Interface: GigabitEthernet0/3
MAC Address: 5000.0008.0000
IPv6 Address: Unknown
IPv4 Address: 172.16.253.5
User-Name: host/Sub-Win11P-01.sub.lab.com
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 246s
Common Session ID: AC10FD030000000E0001531B
Acct Session ID: 0x00000005
Handle: 0x26000001
Current Policy: POLICY_Gi0/3
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
Method status list:
Method State
dot1x Authc Success
08-31-2024 05:15 AM
In Wireshark, AVP (26) is missing.
Are you sure you added the ACL in the
Downloadable ACL list <<- in ISE?
MHM
08-31-2024 06:44 AM
Yup, it's in there... it's the oddest thing.
08-31-2024 07:00 AM - edited 08-31-2024 07:01 AM
In the pcaps (Wireshark), do you see AVP 26, and when you open it (AVP 26), do you see permit/deny lines?
MHM
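What MHM is asking ryanbess to look for is the Cisco vendor-specific attribute (RADIUS attribute 26, vendor ID 9, sub-type 1, the cisco-av-pair). In the flow the linked blog describes, the DACL crosses the wire in two steps: the Access-Accept for the endpoint carries only a reference (ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-<name>-<hash>), then the switch sends its own Access-Request with that reference as the User-Name and the av-pairs aaa:service=ip_admission and aaa:event=acl-download, and ISE answers with the ACEs as ip:inacl#N= av-pairs. The following is an added example (not the thread's code or pcap) that encodes and decodes those packets and classifies which step a capture is missing; the packets are constructed here, the hash suffix and ACE lines are invented, and the only value taken from the thread is the DACL name BLAH.

```python
import struct

# RADIUS (RFC 2865) codes/attributes and Cisco's VSA numbering for cisco-av-pair.
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1  # vendor id, vendor sub-type

def _tlv(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding used by attributes and VSA sub-attributes."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def cisco_av_pair(text: str) -> bytes:
    """Encode one cisco-av-pair as Vendor-Specific (26) / vendor 9 / sub-type 1."""
    return _tlv(ATTR_VENDOR_SPECIFIC,
                struct.pack("!I", CISCO_VENDOR_ID) + _tlv(CISCO_AV_PAIR, text.encode()))

def radius_packet(code: int, ident: int, attrs: bytes) -> bytes:
    """Header plus a zeroed authenticator: enough for offline attribute parsing."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs

def parse_attrs(packet: bytes):
    """Yield (type, value) per top-level attribute; malformed lengths raise."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def cisco_av_pairs(packet: bytes) -> list:
    """Every cisco-av-pair string carried in AVP 26 (vendor 9) of the packet."""
    pairs = []
    for atype, value in parse_attrs(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4
        while pos < len(value):
            if pos + 2 > len(value):
                raise ValueError("truncated VSA sub-attribute")
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError("bad VSA sub-attribute length")
            if vtype == CISCO_AV_PAIR:
                pairs.append(value[pos + 2:pos + vlen].decode())
            pos += vlen
    return pairs

def dacl_stage(packet: bytes) -> dict:
    """Place a packet in the DACL flow: Access-Accept naming the DACL, the switch's
    acl-download Access-Request, or the Access-Accept carrying ip:inacl# lines."""
    pairs = cisco_av_pairs(packet)
    user = next((v.decode() for t, v in parse_attrs(packet) if t == ATTR_USER_NAME), None)
    name = next((p.split("=", 1)[1] for p in pairs
                 if p.startswith("ACS:CiscoSecure-Defined-ACL=")), None)
    aces = [p.split("=", 1)[1] for p in pairs if p.startswith("ip:inacl#")]
    if packet[0] == CODE_ACCESS_REQUEST and "aaa:event=acl-download" in pairs:
        stage = "dacl-download-request"
    elif packet[0] == CODE_ACCESS_ACCEPT and aces:
        stage = "dacl-contents"
    elif packet[0] == CODE_ACCESS_ACCEPT and name:
        stage = "dacl-name-only"
    else:
        stage = "other"
    return {"stage": stage, "user_name": user, "dacl_name": name, "aces": aces}

def diagnose(capture: list) -> str:
    """Say which part of the two-step DACL exchange is missing from a capture."""
    stages = {dacl_stage(p)["stage"] for p in capture}
    if "dacl-contents" in stages:
        return "complete DACL exchange"
    if "dacl-download-request" in stages:
        return "switch requested the DACL but ISE returned no ip:inacl# lines"
    if "dacl-name-only" in stages:
        return "ISE named the DACL but the switch never sent the acl-download request"
    return "no DACL attributes seen"

# Constructed packets, not from the thread's pcap: BLAH is the DACL name the original
# post mentions; the hash suffix and the ACE lines are made up for this example.
DACL_REF = "#ACSACL#-IP-BLAH-66d1a2b3"
ACCEPT_WITH_NAME = radius_packet(CODE_ACCESS_ACCEPT, 7,
    cisco_av_pair("ACS:CiscoSecure-Defined-ACL=" + DACL_REF))
DOWNLOAD_REQUEST = radius_packet(CODE_ACCESS_REQUEST, 8,
    _tlv(ATTR_USER_NAME, DACL_REF.encode()) + cisco_av_pair("aaa:service=ip_admission")
    + cisco_av_pair("aaa:event=acl-download"))
ACCEPT_WITH_CONTENTS = radius_packet(CODE_ACCESS_ACCEPT, 8,
    cisco_av_pair("ip:inacl#1=permit udp any any eq domain")
    + cisco_av_pair("ip:inacl#2=deny ip any any"))
```

`diagnose([ACCEPT_WITH_NAME])` reproduces what the capture in this thread shows: the name arrives in AVP 26 but no acl-download request and no ip:inacl# lines ever follow. Seeing only the reference is therefore not evidence of a broken DACL in ISE; the question is why the switch never issues the second request, which is an authorization call on the dot1x method list.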
08-31-2024 07:17 AM
Nope, I don't. I've searched for them as well. Here's the switch config.
physical#show running-config
Building configuration...
Current configuration : 6353 bytes
!
! Last configuration change at 14:54:38 UTC Fri Aug 30 2024 by ryan
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname physical
!
boot-start-marker
boot-end-marker
!
logging buffered 512000
enable password password
!
username ryan privilege 15 password 0 password
aaa new-model
!
!
aaa group server radius ise-group
server name ise-102
server name ise-104
ip radius source-interface Vlan1
!
aaa authentication login console local
aaa authentication login vty local
aaa authentication enable default enable
aaa authentication dot1x default group ise-group
aaa authorization exec default local
aaa authorization exec vty local
aaa authorization network CTSLIST group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
!
!
!
!
!
aaa server radius dynamic-author
client 172.16.255.104 server-key Iseradius
client 172.16.255.102 server-key Iseradius
!
aaa session-id common
system mtu routing 1500
!
!
!
!
!
!
no ip domain-lookup
ip domain-name sub.lab.com
ip name-server 172.16.255.240
ip device tracking probe auto-source
!
!
!
!
!
!
!
cts server test all idle-time 1
cts server test all deadtime 5
cts authorization list CTSLIST
cts role-based enforcement
cts role-based enforcement vlan-list 1-4094
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
lldp run
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
description Win11-1
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
description Win11-2
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
switchport mode access
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
switchport mode access
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface Vlan1
ip address 172.16.253.3 255.255.255.0
!
ip default-gateway 172.16.253.1
ip forward-protocol nd
!
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
ip route 0.0.0.0 0.0.0.0 172.16.253.1
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / tftp
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
remark Drop all the rest
ip access-list extended ACL-WEBAUTH-REDIRECT
remark explicitly deny DNS from being redirected to address a bug
deny udp any any eq domain
remark redirect all applicable traffic to the ISE server
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended POSTURE-REDIRECT
deny udp any any eq domain bootps
permit tcp any any eq www
ip access-list extended POSTURE-REDIRECT-ACL
deny udp any any eq bootps
deny udp any any eq bootpc
deny udp any any eq domain
deny tcp any host 172.16.255.102
deny tcp any host 172.16.255.104
permit tcp any any eq www
ip access-list extended POSTURE-REDIRECTION-ACL
permit ip any any
ip access-list extended RYAN
deny udp any any eq bootps
deny udp any any eq bootpc
deny udp any any eq domain
deny tcp any host 172.16.255.102 eq 8443
deny tcp any host 172.16.255.104 eq 8443
permit tcp any any eq www
deny tcp any any eq 445
deny udp any host 172.16.255.102 eq 8443
deny udp any host 172.16.255.104 eq 8443
permit ip any any
!
!
ip radius source-interface Vlan1
!
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 3
radius-server deadtime 3
!
radius server ise-104
address ipv4 172.16.255.104 auth-port 1812 acct-port 1813
pac key Iseradius
!
radius server ise-102
address ipv4 172.16.255.102 auth-port 1812 acct-port 1813
pac key Iseradius
!
!
line con 0
logging synchronous
line vty 0 4
exec-timeout 240 0
transport input ssh
line vty 5 15
!
!
end
08-31-2024 07:31 AM
So ISE sends only the name, without AVP 26 (permit/deny lines).
I guess the issue is in ISE then.
Make a new ACL, call it permit, and add only one line, permit ip any any; lastly, use ACL permit in the authz policy (this step must be after you add the new ACL, not before it).
And then check again.