09-28-2017 05:30 AM
Situation: On a catalyst 3850, we configured a switchport for Open access with a pre-authentication ACL. After successful dot1x authentication we authorize the user with a RADIUS_ACCEPT and we push a dACL from ISE that is supposed to override the pre-auth ACL. This dACL has a single "permit ip any any" entry that would open the switchport completely.
We noticed that although the dACL is received by the switch, it is not applied on the switchport and the pre-auth ACL remains active. So the enduser is authorized but cannot connect to anything.
We used open access mode to ensure that the client is able to contact the domain controllers to allow for GPO updates.
Thanks in advance
Solved! Go to Solution.
09-28-2017 05:55 AM
While I usually use open mode with no preauth ACL the DACL should still work. Are you sure you are learning the IP address of the device? The switch cannot apply a DACL until the IP of the device is learned. Do you see the IP of the device in the "show auth session" details for the port?
09-28-2017 06:53 AM
Thanks Paul for the quick response.
I just discovered that I forgot to apply the wrong authZ profile, the one without the permit all ACL of course.
09-28-2017 07:33 AM
Tim,
Just remember when you are using preauth ACLs and you want things to fail open if ISE is unavailable you have to figure out a way to remove the preauth ACL when ISE is down. This is why I usually don’t use a preauth ACL. As long as the customer is okay with the statement “An unknown device will have 20-30 seconds of open network access before ISE slams the door shut” then no preauth ACL is required. The 20-30 seconds is the dot1x timeout.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
09-28-2017 11:09 PM
Indeed, that's a valid point. However, in my case I'm also offering wired guest access so MAB process would take over once dot1x timers have timed out.
A very big thank you from my side though! The issue was incredibly stupid and I don't understand how I've missed this but it is nice to see the help that you offered. I marked your answer as very helpful and gave it a 5-star. Top class!
Best regards,
Tim
09-29-2017 04:49 AM
Tim,
Offering wired guest doesn’t mean you need to have a PreAuth ACL. PreAuth ACL is only required if the customer can’t live with 20-30 seconds of network access before MAB kicks in. If you have a guest wired scenario you can simply apply a DACL to limit access to what you want the guests to have access to.
In my installs if the customer can’t live with 20-30 seconds of network access before MAB kicks in we move to closed mode vs. PreAuth ACL. Closed mode has fail open commands built in whereas PreAuth ACL does not.
Thanks for the feedback.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
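The two port designs discussed in this thread, written out as an added example (not configuration from the thread, from Cisco, or from either poster): an open-mode port carrying a pre-auth ACL that a dACL later replaces, beside a closed-mode port using the server-dead commands Paul refers to as built-in fail-open. It assumes ISE is the RADIUS server already defined on the switch; the ACL name, interfaces, VLAN 10 and the domain-controller subnet are constructed values.

```cisco
! Global: let the switch learn each client's IP so ISE's dACL can be bound
! to the session (classic IOS-XE 3.x syntax; newer trains use device-tracking policy)
ip device tracking
!
! AAA pieces that let ISE return a dACL in the Access-Accept
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server vsa send authentication
!
! Pre-auth ACL: DHCP, DNS and domain-controller traffic only (DC subnet constructed).
! Nothing removes this ACL if ISE is unreachable, so it does not fail open.
ip access-list extended PREAUTH-ACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any 10.0.10.0 0.0.0.255
 deny   ip any any
!
! Open-mode port: PREAUTH-ACL stays in force until the session's dACL replaces it
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PREAUTH-ACL in
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! Closed-mode alternative (no pre-auth ACL): the server-dead actions provide the
! fail-open behaviour a pre-auth ACL lacks (VLAN 10 is constructed)
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
!
! Verify: the dACL only binds once "IPv4 Address" is populated in the session
! show authentication sessions interface GigabitEthernet1/0/1 details
```

If the session output shows the dACL received but no IPv4 address, the ACL cannot be installed; check that device tracking is enabled and that the client actually obtained a lease through the pre-auth ACL.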