
ISE: dACL to switch

Hi,

I am trying to figure out the syntax for dACL to a switch running 12.2(55)SE7.

In the switch we have used the following static ACL:

ip access-list extended TEST
 10 permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000

It is to limit so only some source IP can access some destination IP on those ports. Now we want to use it dynamically so that the ACL gets downloaded to the switch when a certain device connects to the port.

I added it to ISE like this:

permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000

But that doesn't work. However, when I change the source to any then it works:

permit tcp any 10.0.0.2 0.3.255.0 range 1025 2000

By not working I mean that I see the dACL being downloaded, then the port state is Authz fail and after 1 min the device reauthenticates.

Why does it work with source any?

Regards,

Philip

2 Replies

Eduardo Aliaga
Level 4

Hello Philip

The dACL has only one direction: from the workstation to the switch. So the "source IP address" will always be the IP address of the endpoints connected to the port.

Because DHCP is used most of the times and to simplify the dACL, the "source IP address" will use a "special any" which will always be replaced by the IP address of the endpoint. If there are two different endpoints (like a cisco ip phone and a workstation) then you could use independent dACLs for each endpoint: the "any" of dACL for IP Phone will be replaced by the ip address of the ip phone, and the "any" of dACL for workstation will be replaced by the ip address of the workstation.

You can verify this behavior by using "show ip access-list int "

Please rate if it helps
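A small Python helper, added here and not part of the thread or of any Cisco tool, that models the behaviour Eduardo describes: it lints dACL entries whose source is not `any`, and renders how the switch installs a dACL by substituting the authenticated endpoint's address for that `any`. The ACE lines and the endpoint address 10.88.0.24 are constructed sample input.

```python
import ipaddress
import re

# Constructed sample dACL contents, modelled on the two variants in the question.
DACL_EXPLICIT_SOURCE = [
    "permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000",
]
DACL_ANY_SOURCE = [
    "permit tcp any 10.0.0.2 0.3.255.0 range 1025 2000",
]

# One ACE: action, protocol, source (any | host A.B.C.D | A.B.C.D wildcard), remainder.
ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<rest>.*)$"
)


def lint_dacl(aces):
    """Return (ace, problem) pairs for entries the dACL model does not expect.

    The source of a dACL is always the authenticated endpoint, so the switch
    expects 'any' there and fills in the endpoint address itself; an explicit
    source network is flagged.
    """
    problems = []
    for ace in aces:
        m = ACE_RE.match(ace.strip())
        if not m:
            problems.append((ace, "unparseable ACE"))
        elif m.group("src") != "any":
            problems.append((ace, f"explicit source '{m.group('src')}'; use 'any'"))
    return problems


def render_on_switch(aces, endpoint_ip):
    """Rewrite each 'any' source to 'host <endpoint_ip>', as the installed
    ACL appears in 'show ip access-list interface' on the authorized port."""
    ipaddress.ip_address(endpoint_ip)  # raises ValueError on a bad address
    rendered = []
    for ace in aces:
        m = ACE_RE.match(ace.strip())
        if m and m.group("src") == "any":
            rendered.append(
                f"{m.group('action')} {m.group('proto')} host {endpoint_ip} {m.group('rest')}"
            )
        else:
            rendered.append(ace.strip())  # left untouched; lint_dacl reports it
    return rendered
```

Running `lint_dacl` over a dACL before pushing it from ISE catches the explicit-source entry from the question, while `render_on_switch` shows the per-endpoint ACL the switch would build from the working `any` variant.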

mmangat
Level 1

Hello,

Check if the IOS version and hardware platform (switch) you're using is mentioned in the TrustSec document (page 6):

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf

The minimum IOS version to use with ISE should be 12.2(55), but generally it's better to use 15.x.

Also, check if you have configured everything that is recommended for switch devices in TrustSec (page 59), including "ip device tracking".

There's also a very nice document for troubleshooting:

"Cisco TrustSec How-To Guide: Failed Authentications and Authorizations"

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf

If it doesn't work, can you post the output of the following commands after authorization:

show authentication session interface

sh ip access-lists interface

show running-config interface

show access-list

sh ip access-lists
