Switchport configured for Open access with pre-auth ACL cannot apply dACL

Tim Verscheure
Level 1

Situation: On a catalyst 3850, we configured a switchport for Open access with a pre-authentication ACL. After successful dot1x authentication we authorize the user with a RADIUS_ACCEPT and we push a dACL from ISE that is supposed to override the pre-auth ACL. This dACL has a single "permit ip any any" entry that would open the switchport completely.

We noticed that although the dACL is received by the switch, it is not applied on the switchport and the pre-auth ACL remains active. So the enduser is authorized but cannot connect to anything.

We used open access mode to ensure that the client is able to contact the domain controllers to allow for GPO updates.

Thanks in advance

Accepted Solution

paul
Level 10

While I usually use open mode with no preauth ACL the DACL should still work.  Are you sure you are learning the IP address of the device?  The switch cannot apply a DACL until the IP of the device is learned.  Do you see the IP of the device in the "show auth session" details for the port?
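As an added check (not part of this thread, and not Cisco's own tooling), the script below parses the "show authentication sessions interface ... details" output Paul refers to and flags the two conditions discussed here: an authorized session with no learned IPv4 address (the switch will not apply the dACL until the IP is known), and an authorized session whose server policies carry no dACL at all (the symptom of pushing an authorization profile without the ACL). The sample outputs are constructed, modelled on the 3850 field layout; the exact field names and the note that IP learning depends on device tracking are assumptions of this example.

```python
import re

# Constructed sample: healthy session, IP learned, dACL present.
SAMPLE_OK = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0011.2233.4455
         IPv6 Address:  Unknown
         IPv4 Address:  10.1.1.50
            User-Name:  user@example.com
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Current Policy:  POLICY_Gi1/0/1

Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-EXAMPLE

Method status list:
       Method           State
       dot1x            Authc Success
"""

# Constructed sample: authorized but no IP learned yet, so the dACL cannot bind.
SAMPLE_NO_IP = SAMPLE_OK.replace("IPv4 Address:  10.1.1.50", "IPv4 Address:  Unknown")

# Constructed sample: authorized, IP learned, but ISE sent no dACL (wrong authZ profile).
SAMPLE_NO_DACL = "\n".join(
    line for line in SAMPLE_OK.splitlines() if "ACS ACL" not in line
)

# Matches "<key>:  <value>" lines; keys may contain spaces, slashes and dashes.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 /-]+?):\s+(.*?)\s*$")


def parse_session(text):
    """Return the key/value fields of one session detail block as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def diagnose(fields):
    """Return a list of findings explaining why a dACL may not be in effect."""
    findings = []
    status = fields.get("Status", "")
    ipv4 = fields.get("IPv4 Address", "Unknown")
    dacl = fields.get("ACS ACL")

    if status != "Authorized":
        findings.append(f"session not authorized (Status={status or 'missing'})")
    if ipv4 in ("", "Unknown"):
        # Assumption: on this platform the IP is learned via IP device tracking.
        findings.append(
            "no IPv4 address learned; the switch cannot apply a dACL until it is "
            "(verify IP device tracking for the port)"
        )
    if not dacl:
        findings.append(
            "no ACS ACL under Server Policies; the authorization profile ISE "
            "returned carries no dACL"
        )
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("no_ip", SAMPLE_NO_IP), ("no_dacl", SAMPLE_NO_DACL)):
        print(name, diagnose(parse_session(sample)) or ["looks fine"])
```

Paste the real "details" output into the script in place of the constructed samples; an empty findings list means the IP is learned and a dACL name is present, so any remaining blockage is in the ACL contents rather than in binding.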


Thanks Paul for the quick response.

I just discovered that I forgot to apply the wrong authZ profile, the one without the permit all ACL of course.

Tim,

Just remember when you are using preauth ACLs and you want things to fail open if ISE is unavailable you have to figure out a way to remove the preauth ACL when ISE is down. This is why I usually don’t use a preauth ACL. As long as the customer is okay with the statement “An unknown device will have 20-30 seconds of open network access before ISE slams the door shut” then no preauth ACL is required. The 20-30 seconds is the dot1x timeout.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Tim Verscheure
Level 1

Indeed, that's a valid point. However, in my case I'm also offering wired guest access, so the MAB process would take over once the dot1x timers have timed out.

A very big thanks from my side though! The issue was incredibly stupid and I don't understand how I missed this, but it is nice to see the help that you offered. I marked your answer as very helpful and gave it a 5-star. Top class!

Best regards,
Tim

Tim,

Offering wired guest doesn’t mean you need to have a PreAuth ACL. PreAuth ACL is only required if the customer can’t live with 20-30 seconds of network access before MAB kicks in. If you have a guest wired scenario you can simply apply a DACL to limit access to what you want the guests to have access to.

In my installs if the customer can’t live with 20-30 seconds of network access before MAB kicks in we move to closed mode vs. PreAuth ACL. Closed mode has fail open commands built in whereas PreAuth ACL does not.

Thanks for the feedback.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250