05-25-2017 07:10 AM - edited 03-11-2019 12:44 AM
Hello,
I would like to know if you can help me before I open a TAC case. My problem is quite simple; my scenario:
Laptop (no supplicant) --- SW (WS-C3560-CG) --- SW (Internal resources) --- ISE
From the laptop I'm trying to
aaa group server tacacs+ ISE_GROUP
server name ISE
!
aaa group server radius ISE
server name ISE2_Server
server name ISE1_Server
load-balance method least-outstanding batch-size 1
!
aaa authentication login AAA group ISE_GROUP local
aaa authentication enable default group
aaa authentication dot1x default group ISE
aaa authorization console
aaa authorization config-commands
aaa authorization exec AAA group ISE_GROUP local
aaa authorization commands 0 AAA group ISE_GROUP local
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa authorization network default group ISE
aaa authorization network
aaa accounting update periodic 15
aaa accounting identity default start-stop group ISE
!
aaa server radius dynamic-author
client 10.254.17.110 server-key 7 15315A1F07257A767B72
client 10.254.4.86 server-key 7 0822455D0A16
client 10.254.4.89 server-key 7 0822455D0A16
server-key 7 104D000A0618
!
aaa session-id common
clock timezone ET -5 0
clock summer-time ET recurring 1 Sun May 2:00 last Sun Nov 2:00
system
!
device-sensor filter-list
!
device-sensor filter-list
option name
option name domain-name
option number 34
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
!
device-sensor filter-list
device-sensor filter-spec
device-sensor filter-spec
device-sensor filter-spec
device-sensor notify
!
!
!
memory reserve critical 4096
memory free low-watermark processor 20000
memory free low-watermark IO 20000
dot1x system-auth-control
service-template
inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
service-template CRITICAL
description < Apply when none of the RADIUS servers are reachable >
access-group PERMIT-ANY
spanning-tree mode
spanning-tree extend system-id
!
!
!
!
!
!
!
class-map type control subscriber match-all AAA_SVR_DOWN
match result-type aaa-timeout
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
match result-type aaa-timeout
match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
match result-type aaa-timeout
match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
match authorizing-method-priority
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
match method dot1x
match result-type method dot1x method-timeout
!
class-map type control subscriber match-all MAB
match method
!
class-map type control subscriber match-all MAB_FAILED
match method
match result-type method
!
!
!
policy-map type control subscriber POLICY_Gi_Global
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
20 authenticate using
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using
10 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using
20 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
40 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
10 class always do-until-failure
10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
event violation match-all
10 class always do-until-failure
10 restrict
!
!
!
interface GigabitEthernet0/5
description < Wired Guest Test >
subscriber aging inactivity-timer 60 probe
authentication periodic
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session port-control auto
mab
no
dot1x
dot1x timeout tx-period 10
spanning-tree
service-policy type control subscriber POLICY_Gi_Global
!
interface Vlan1
no
shutdown
!
interface Vlan100
!
!
!
deny
deny
deny
permit
permit
deny
permit
permit
permit
permit
permit
deny
permit
permit
!
!
address ipv4 10.254.4.86
key 7 104D000A0618
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 4
radius-server deadtime 5
!
radius server ISE1_Server
address ipv4 10.254.4.86 auth-port 1812 acct-port 1813
timeout 10
!
radius server ISE2_Server
address ipv4 10.254.4.89 auth-port 1812 acct-port 1813
timeout 10
!
When I connect the client I can see the access-session going on, but I can't see why the ACL is replaced:
WS-C3560CG#show access-session int g0/5
Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi0/5 e411.5b30.8626
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Runnable methods list:
Handle Priority Name
9 5 dot1x
19 10 mab
17 15
WS-C3560CG#show access-session int g0/5
Interface: GigabitEthernet0/5
MAC Address: e411.5b30.8626
IPv6 Address: Unknown
IPv4 Address: 10.254.36.204
User-Name: E4-11-5B-30-86-26
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session
Restart
Session Uptime: 370s
Common Session ID: 0AFE0B3300000019038D54FD
Handle: 0xEC00000A
Current Policy: POLICY_Gi_Global
Local Policies:
Idle timeout: 60 sec
arp-probe-timeout: yes
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
URL Redirect: https://USNJISE19.svlab.local:8443/portal/gateway?sessionId=0AFE0B3300000019038D54FD&portal=a60e04d0-2230-11e6-99ab-005056bf55e0&action=cwa&type=drw&token=769ce4152866adfa0ad85ecd6eddbf3e
URL Redirect ACL: ACL_REDIRECT
Method status list:
Method State
dot1x Stopped
mab Authc Success
WS-C3560CG#show
Extended IP access list LOW_IMPACT_ACL
10 permit
20 permit
30 permit
40 permit
50 permit
60 deny
WS-C3560CG#
I'm attaching some screenshots from the ISE server. I hope that someone could help me on this issue.
Thanks
05-25-2017 07:49 AM
In your port configuration, you have hard-coded the Low Impact ACL. In this scenario, you need to send a different ACL from ISE if you want it to be replaced. In the ISE Authorization profile add an ACL.
Twitter: @berna_tllz
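A quick way to confirm the point in the reply from the switch side is to look at the "Server Policies" block of `show access-session interface ... details`: a dACL returned by ISE shows up there as an "ACS ACL" line, while the output in the original post only carries the URL-redirect ACL, so the static port ACL is never overridden. The script below is an added example (not code from the thread or from Cisco) that parses that output and reports which case applies; the sample text is constructed from the post's output with a placeholder portal URL and a made-up dACL name.

```python
import re

# Constructed sample: the session details from the thread, abridged. There is no
# "ACS ACL" line under Server Policies, i.e. ISE returned no dACL.
SAMPLE_NO_DACL = """\
Interface: GigabitEthernet0/5
MAC Address: e411.5b30.8626
User-Name: E4-11-5B-30-86-26
Status: Authorized
Current Policy: POLICY_Gi_Global
Local Policies:
Idle timeout: 60 sec
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
URL Redirect: https://ise.example.invalid:8443/portal/gateway?sessionId=X&action=cwa
URL Redirect ACL: ACL_REDIRECT
Method status list:
Method State
dot1x Stopped
mab Authc Success
"""

# Constructed variant: same session, but the authorization profile also carries a
# dACL, which IOS prints as "ACS ACL" (name below is a placeholder).
SAMPLE_WITH_DACL = SAMPLE_NO_DACL.replace(
    "URL Redirect ACL: ACL_REDIRECT\n",
    "URL Redirect ACL: ACL_REDIRECT\nACS ACL: xACSACLx-IP-GUEST-PLACEHOLDER\n")

SECTIONS = ("Local Policies:", "Server Policies:", "Method status list:")

def parse_session(text):
    """Return (header, local_policies, server_policies, method_states) dicts."""
    header, local, server, methods, section = {}, {}, {}, {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line in SECTIONS:
            section = line
        elif section == "Method status list:":
            m = re.match(r"(\S+)\s+(.+)", line)
            if m and m.group(1) != "Method":
                methods[m.group(1)] = m.group(2)      # e.g. mab -> "Authc Success"
        elif ":" in line:                             # split on the first colon only,
            key, value = line.split(":", 1)           # URLs contain more colons
            target = {None: header, "Local Policies:": local}.get(section, server)
            target[key.strip()] = value.strip()
    return header, local, server, methods

def check_dacl(text):
    """Classify the session: dACL applied, redirect-only, or nothing from ISE."""
    _, _, server, _ = parse_session(text)
    if "ACS ACL" in server:
        return "dacl", server["ACS ACL"]
    if "URL Redirect ACL" in server:
        return "redirect-only", server["URL Redirect ACL"]
    return "none", None
```

With the thread's output the result is `("redirect-only", "ACL_REDIRECT")`, which matches the reply: the port's static ACL stays until the authorization profile also sends a dACL.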