cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1153
Views
3
Helpful
5
Replies
Tim Verscheure
Beginner

Switchport configured for Open access with pre-auth ACL cannot apply dACL

Situation: On a catalyst 3850, we configured a switchport for Open access with a pre-authentication ACL. After succesful dot1x authentication we authorize the user with a RADIUS_ACCEPT and we push a dACL from ISE that is supposed to override the pre-auth ACL. This dACL has a single "permit ip any any" entry that would open the switchport completely.

We noticed that although the dACL is received by the switch, it is not applied on the switchport and the pre-auth ACL remains active. So the enduser is authorized but cannot connect to anything.

We used open access mode to ensure that the client is able to contact the domain controllers to allow for GPO updates.

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions
paul
Advocate

While I usually use open mode with no preauth ACL the DACL should still work.  Are you sure you are learning the IP address of the device?  The switch cannot apply a DACL until the IP of the device is learned.  Do you see the IP of the device in the "show auth session" details for the port?

View solution in original post

5 REPLIES 5
paul
Advocate

While I usually use open mode with no preauth ACL the DACL should still work.  Are you sure you are learning the IP address of the device?  The switch cannot apply a DACL until the IP of the device is learned.  Do you see the IP of the device in the "show auth session" details for the port?

Thanks Paul for the quick response.

I just discovered that I forgot to apply the wrong authZ profile, the one without the permit all ACL of course.

Tim,

Just remember when you are using preauth ACLs and you want things to fail open if ISE is unavailable you have to figure out a way to remove the preauth ACL when ISE is down. This is why I usually don’t use a preauth ACL. As long as the customer is okay with the statement “An unknown device will have 20-30 second of open network access before ISE slams the door shut” then no preauth ACL is required. The 20-30 seconds is the dot1x timeout.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Tim Verscheure
Beginner

Indeed, that's a valid point. However, in my case I'm also offering wired guest access so MAB process would take over once dot1x timers have timed out.

A very big thank from my side though! The issue was incredibly stupid and I don't understand how I've missed this but it is nice to see the help that you offered. I marked your answer a very helpful and gave it a 5-star. Top class!

best Regards,
Tim

Tim,

Offering wired guest doesn’t mean you need to have a PreAuth ACL. PreAuth ACL is only required if the customer can’t live with 20-30 seconds of network access before MAB kicks in. If you have a guest wired scenario you can simply apply a DACL to limit access to what you want the guests to have access to.

In my installs if the customer can’t live with 20-30 seconds of network access before MAB kicks in we move to closed mode vs. PreAuth ACL. Closed mode has fail open commands built in whereas PreAuth ACL does not.

Thanks for the feedback.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube