Please help me to understand switch behavior, sometimes I see in the auth session result an ACL policy called OPEN DIR ACL
It looks like this
SW_1#sh authentication sessions interface gigabitEthernet 1/1 de Interface: GigabitEthernet1/1 MAC Address: aaaa.bbbb.cccc IPv6 Address: Unknown IPv4 Address: 18.104.22.168 User-Name: aaaabbbbcccc Status: Authorized Domain: DATA Oper host mode: multi-domain Oper control dir: both Session timeout: N/A Restart timeout: N/A Periodic Acct timeout: 36000s (local), Remaining: 35938s Session Uptime: 73s Common Session ID: AC132FC5002749CD57B94254 Acct Session ID: 0x0001672F Handle: 0x4C000148 Current Policy: POLICY_Gi1/1 Local Policies: OPEN DIR ACL: Open-Dir-ACL Service Template: GUEST_VLAN_Gi1/1 (priority 150) Vlan Group: Vlan: 999 Method status list: Method State dot1x Stopped mab Stopped
switchport access vlan 666
switchport mode access
ip access-group ACL-DEFAULT in
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 999
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 3
The port goes to guest-access I think, cause there was 3 EAPOL Req without response from Host.(I captured it)
But what is this ACL applied Open-Dir-ACL??
In fact it`s a regular permit ip any any, but I can`t understand how it works, also it(Open-Dir-ACL) may disappear after some time.
Please help me, maybe it`s something easy, but not for me =)
It is probably due to open directive:
"To control access for hosts with no authorization policy, you can configure a directive. The supported values for the directive are open and default . When you configure the open directive, all traffic is allowed. The default directive subjects traffic to the access provided by the port. You can configure the directive in the user profile on the AAA server or on the switch. To configure the directive on the AAA server, use the authz-directive =<open/default> global command. To configure the directive on the switch, use the epm access-control open global configuration command."
Thanks, it`s really looks like epm access-control open command result.
But it looks strange, we have no authorization policy resieved, because the port have no supplicant for example.
But we have a MAB configured and MAB fails on the port(switch recieved Access-Reject due to the Default rule in the Policy set)
Host must have no access(except of pre-Auth acl accepted), but switch apply "permit ip any any".