Switch No Longer Honors DACL

ryanbess
Level 1

Hi all,

I have a Cisco switch that no longer gets DACLs from ISE. I've tested RADIUS connectivity and all is fine. When doing a pcap off the PSN I see the name of the DACL called "BLAH" (makes it easy to search for in pcaps) but I never see the PSN sending the appropriate AV pairs. I've tried removing the switch from ISE and adding it back. The device profile is set to Cisco. Been following https://community.cisco.com/t5/security-blogs/how-the-downloadable-acl-is-pushed-by-cisco-ise-to-the-switch/ba-p/4461339 to help me understand more but I'm at a loss as to what config in ISE is wrong.

Any help is appreciated.

25 Replies

You the man! That fixed it.

I guess I now need to make a list for cts authorization list CTSLIST... not sure how the switch would know what IPs are in this list (still learning).

Rob, what am I missing? In the link https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/command_sum.html it says to do as I previously had.


Usage Guidelines

This command is only for the seed device. Non-seed devices obtain the TrustSec AAA server list from their TrustSec authenticator peer as a component of their TrustSec environment data.


Examples

The following example displays an AAA configuration of a TrustSec seed device:

Switch# cts credentials id Switch1 password Cisco123
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# aaa authorization network MLIST group radius
Switch(config)# cts authorization list MLIST
Switch(config)# aaa accounting dot1x default start-stop group radius
Switch(config)# radius-server host 10.20.3.1 auth-port 1812 acct-port 1813 pac key AbCe1234
Switch(config)# radius-server vsa send authentication
Switch(config)# dot1x system-auth-control
Switch(config)# exit

@ryanbess can you confirm what is the problem in regard to the trustsec specific configuration? Or is this still a problem with DACLs?


When I put it back to aaa authorization network default group ise-group, now CTS stuff doesn't work. For example I can't download new environmental data.

@ryanbess you need both method lists, the CTSMLIST must be then referenced with the cts authorization list CTSMLIST command. If you still have a problem, provide your updated configuration.

FYI, it's not recommended nor necessary to use DACLs if you are using TrustSec SGT at the same time.

That one sentence may have just helped me understand so much. So I need this? Do I need the same for the authentication and dot1x stuff?

aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa authorization network CTSLIST group ise-group
aaa authorization auth-proxy default group ise-group

Check Mr Rob's suggestion.
I think he is correct.
Thanks

MHM

@ryanbess Yes. You create two authorisation lists one using the default method list and a custom method list (use for PAC file and environment data download) and reference that method list for cts authorisation.


You can download environment data using other methods on newer IOS-XE versions (but I think you have an old 3560 which only supports the method above).

You don't need to convert to IBNS 2.0 or use a custom method list for the 802.1X authorisation.


Thank you guys. I now see the AV pairs.


Just to clarify, there was no AVP 26 in the first Wireshark capture?

Thanks

MHM

There was, just not for ciscoSystems. It had Microsoft (311).
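The check the poster did by eye in Wireshark, written out as an added Python example (not code from this thread or from Cisco): parse a RADIUS Access-Accept, list the vendor IDs present in attribute 26 and pull out the cisco-av-pair that names the DACL. The two packets are constructed here; the Microsoft sub-attribute value and the hash suffix after BLAH are placeholders.

```python
import struct
VSA = 26                 # RADIUS attribute 26, Vendor-Specific
VENDOR_CISCO = 9         # ciscoSystems
VENDOR_MICROSOFT = 311   # Microsoft
CISCO_AVPAIR = 1         # cisco-av-pair sub-attribute type
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="

def parse_tlvs(buf, start=0):
    """Walk type/length/value triples (1-byte type, 1-byte total length)."""
    out, i = [], start
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out

def audit_access_accept(packet):
    """Report vendor IDs seen in AVP 26 and the DACL named by a Cisco av-pair, if any."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length > len(packet):           # 2 = Access-Accept
        raise ValueError("not a well-formed Access-Accept")
    vendors, dacl = set(), None
    for atype, value in parse_tlvs(packet[20:length]):  # skip 20-byte RADIUS header
        if atype != VSA or len(value) < 4:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vendors.add(vendor_id)
        if vendor_id != VENDOR_CISCO:
            continue
        for vtype, data in parse_tlvs(value, 4):        # vendor sub-attributes follow the ID
            text = data.decode("ascii", "replace")
            if vtype == CISCO_AVPAIR and text.startswith(DACL_PREFIX):
                dacl = text[len(DACL_PREFIX):]
    return {"vendors": sorted(vendors), "dacl": dacl}

def build_access_accept(vsas):  # constructed Access-Accept from (vendor_id, vendor_type, data)
    body = b""
    for vendor_id, vtype, data in vsas:
        value = struct.pack("!I", vendor_id) + bytes([vtype, len(data) + 2]) + data
        body += bytes([VSA, len(value) + 2]) + value
    header = struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16)  # zeroed authenticator
    return header + body

# Constructed samples: MS_ONLY mirrors the broken capture (only a Microsoft VSA),
# WITH_DACL adds the Cisco av-pair naming the DACL "BLAH" (hash suffix is a placeholder).
MS_VSA = (VENDOR_MICROSOFT, 7, b"\x00\x00\x00\x01")   # MS-MPPE-Encryption-Policy, constructed
CISCO_VSA = (VENDOR_CISCO, CISCO_AVPAIR, (DACL_PREFIX + "#ACSACL#-IP-BLAH-PLACEHOLDER").encode())
MS_ONLY = build_access_accept([MS_VSA])
WITH_DACL = build_access_accept([MS_VSA, CISCO_VSA])
```

Run `audit_access_accept` over the Access-Accept bytes exported from a capture: a result listing only 311 means ISE returned no Cisco av-pairs at all, which points at the authorisation method list on the switch rather than at the DACL definition.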