08-14-2019 09:05 AM
Hello Friends!
Please help me to understand switch behavior, sometimes I see in the auth session result an ACL policy called OPEN DIR ACL
It looks like this
SW_1#sh authentication sessions interface gigabitEthernet 1/1 de
Interface: GigabitEthernet1/1
MAC Address: aaaa.bbbb.cccc
IPv6 Address: Unknown
IPv4 Address: 1.1.1.1
User-Name: aaaabbbbcccc
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 36000s (local), Remaining: 35938s
Session Uptime: 73s
Common Session ID: AC132FC5002749CD57B94254
Acct Session ID: 0x0001672F
Handle: 0x4C000148
Current Policy: POLICY_Gi1/1
Local Policies:
OPEN DIR ACL: Open-Dir-ACL
Service Template: GUEST_VLAN_Gi1/1 (priority 150)
Vlan Group: Vlan: 999
Method status list:
Method State
dot1x Stopped
mab Stopped
Interface Config
!
interface GigabitEthernet1/1
switchport access vlan 666
switchport mode access
ip access-group ACL-DEFAULT in
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 999
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast
The port goes to guest access, I think, because there were 3 EAPOL requests without a response from the host (I captured it).
But what is this applied ACL, Open-Dir-ACL?
In fact it's a regular permit ip any any, but I can't understand how it works; also, it (Open-Dir-ACL) may disappear after some time.
Please help me; maybe it's something easy, but not for me =)
Thanks,
Artyom
08-15-2019 03:05 PM
It is probably due to the open directive:
"To control access for hosts with no authorization policy, you can configure a directive. The supported values for the directive are open and default . When you configure the open directive, all traffic is allowed. The default directive subjects traffic to the access provided by the port. You can configure the directive in the user profile on the AAA server or on the switch. To configure the directive on the AAA server, use the authz-directive =<open/default> global command. To configure the directive on the switch, use the epm access-control open global configuration command."
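As an added example (not from the original thread or from Cisco), here is a small audit script that checks for exactly the situation described above: the running config carries the global `epm access-control open` line quoted from the documentation, and a session in `show authentication sessions interface ... detail` output is Authorized with the local OPEN DIR ACL applied even though no authentication method reports success. The sample session and config text below are constructed from the post (with a second, contrasting session added); the line-based field layout and the use of the substring "Success" to recognise a successful method state are assumptions about the output format, not something the page confirms.

```python
import re

# Constructed sample: the detail output from the post (Gi1/1) plus a second,
# constructed session (Gi1/2) that was actually authorized by MAB for contrast.
SAMPLE_SESSIONS = """\
Interface:  GigabitEthernet1/1
MAC Address:  aaaa.bbbb.cccc
IPv4 Address:  1.1.1.1
User-Name:  aaaabbbbcccc
Status:  Authorized
Domain:  DATA
Periodic Acct timeout:  36000s (local), Remaining: 35938s
Current Policy:  POLICY_Gi1/1
Local Policies:
OPEN DIR ACL: Open-Dir-ACL
Service Template: GUEST_VLAN_Gi1/1 (priority 150)
Vlan Group:  Vlan: 999
Method status list:
Method           State
dot1x            Stopped
mab              Stopped

Interface:  GigabitEthernet1/2
MAC Address:  1111.2222.3333
IPv4 Address:  1.1.1.2
User-Name:  111122223333
Status:  Authorized
Domain:  DATA
Method status list:
Method           State
dot1x            Stopped
mab              Authc Success
"""

# Constructed running-config fragment with the global open directive present,
# and the same fragment with that line removed.
SAMPLE_CONFIG_OPEN = """\
!
epm access-control open
!
interface GigabitEthernet1/1
 switchport access vlan 666
 ip access-group ACL-DEFAULT in
 authentication event no-response action authorize vlan 999
!
"""
SAMPLE_CONFIG_NO_OPEN = SAMPLE_CONFIG_OPEN.replace("epm access-control open\n", "")

# Assumed: a method line is "<method> <state>" under "Method status list:".
METHOD_RE = re.compile(r"^(dot1x|mab|webauth)\s+(.+?)$")


def parse_sessions(text):
    """Split 'show authentication sessions ... detail' output into one dict per
    session. 'Key: value' lines become dict entries; method states go under
    'methods'. A new session starts at each 'Interface:' line."""
    sessions = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface:"):
            cur = {"methods": {}}
            sessions.append(cur)
        if cur is None:
            continue  # text before the first session (e.g. the prompt line)
        m = METHOD_RE.match(line)
        if m:
            cur["methods"][m.group(1)] = m.group(2)
            continue
        if ":" in line:
            key, _, value = line.partition(":")  # keep 'Remaining: ...' intact
            cur[key.strip()] = value.strip()
    return sessions


def open_directive_sessions(sessions):
    """Interfaces that are Authorized with the local OPEN DIR ACL while no
    method succeeded: the host got 'permit ip any any' without authenticating."""
    hits = []
    for s in sessions:
        succeeded = any("Success" in state for state in s["methods"].values())
        if s.get("Status") == "Authorized" and "OPEN DIR ACL" in s and not succeeded:
            hits.append(s["Interface"])
    return hits


def has_open_directive(running_config):
    """True if the global 'epm access-control open' directive is configured."""
    return any(line.strip() == "epm access-control open"
               for line in running_config.splitlines())


def audit(running_config, session_output):
    """Combine both checks into one finding dict."""
    return {
        "epm_open_directive": has_open_directive(running_config),
        "open_dir_acl_without_auth": open_directive_sessions(parse_sessions(session_output)),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG_OPEN, SAMPLE_SESSIONS))
```

Run it against real `show running-config` and `show authentication sessions ... detail` captures; any interface listed under `open_dir_acl_without_auth` while `epm_open_directive` is true is a port where a host that failed or skipped authentication is not being restricted by the port ACL.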
08-19-2019 02:12 AM
Thanks, it really looks like the result of the epm access-control open command.
But it looks strange: we have no authorization policy received, because the port has no supplicant, for example.
But we have MAB configured and MAB fails on the port (the switch received an Access-Reject due to the default rule in the policy set).
The host must have no access (except what the pre-auth ACL permits), but the switch applies "permit ip any any".
Thanks