ACS ACL: Are not Getting Downloaded (Problem with few different types of hardware)

widarsson
Level 1

Hi,

I'm experiencing a problem with different types of hardware not getting the ACS ACL downloaded from ISE.
I don't know when it happened; possibly it appeared during some of the latest IOS upgrades, but I'm not sure.
- The problem seems to appear on machines/hardware which do not send DHCP requests/ARP etc.

I've tried upgrading the Switch Hardware: c3750e-universalk9-mz.152-4.E7.bin (no success)
Running IOS: c3750e-universalk9-mz.152-4.E6.bin
ISE version:
Version: 1.4.0.253
Patch Information: 3

The dACL access list that is getting downloaded:
Extended IP access list xACSACLx-IP-dACL-MA-STORES-XXX-5bbdbe17 (per-user)
    1 permit ip any 90.212.188.64 0.0.0.63
    2 permit ip any 90.212.188.128 0.0.0.127
    3 permit ip any 90.208.148.64 0.0.0.63
    4 permit udp any host 15.80.5.21 eq domain
    5 permit udp any host 15.56.23.21 eq domain
    6 permit udp any host 15.60.13.21 eq domain
    7 permit udp any host 15.62.0.64 eq domain
    8 permit udp any host 15.62.0.65 eq domain
    9 permit icmp any any
    10 deny ip any any log

I've found a workaround by doing an ICMP ping towards the hardware from the CPE router on the same network. But it hasn't been evaluated for weeks now, so I'm not sure if it's solid, and it's not a working workaround due to the amount of devices.


Working authentication interface information status:
SEXXX-AAAXXX-AAAA-SW01#show authentication sessions interface gigabitEthernet 1/0/1 det
            Interface:  GigabitEthernet1/0/1
          MAC Address:  000f.b605.0000
         IPv6 Address:  Unknown
         IPv4 Address:  10.50.133.38
            User-Name:  00-0F-B6-05-00-00
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  in
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
    Common Session ID:  000000000000001703676C8B
      Acct Session ID:  0x0000000D
               Handle:  0x7E00000B
       Current Policy:  POLICY_Gi1/0/1

Local Policies:
    Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Name: MA-STORES-XXX, Vlan: 570
              ACS ACL:  xACSACLx-IP-dACL-MA-STORES-XXX-5bbdbe17

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success

Not working authentication interface information status:
SEXXX-AAAXXX-AAAA-SW01#show authentication sessions interface gigabitEthernet 1/0/1 det
            Interface:  GigabitEthernet1/0/1
          MAC Address:  000f.b605.0000
         IPv6 Address:  Unknown
         IPv4 Address:  10.50.133.38
            User-Name:  00-0F-B6-05-00-00
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  in
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
    Common Session ID:  000000000000001703676C8B
      Acct Session ID:  0x0000000D
               Handle:  0x7E00000B
       Current Policy:  POLICY_Gi1/0/1

Local Policies:
    Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Name: MA-STORES-XXX, Vlan: 570
<--------- THIS LINE IS MISSING ----------------- >

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success


#Switchport configuration is:
interface GigabitEthernet1/0/1
 description Switchport1
 switchport mode access
 switchport protected
 switchport block unicast
 ip arp inspection limit rate 20
 load-interval 30
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 2
 dot1x timeout supp-timeout 20
 dot1x timeout held-period 300
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 20

#Global configuration that could be related (IPDT)
ip device tracking probe count 5
ip device tracking probe delay 30
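
The missing "ACS ACL" line in the second output above is easy to overlook across hundreds of ports. As an added example (not from the post, not Cisco's code), here is a small Python audit that parses `show authentication sessions interface ... detail` output and flags sessions that are Authorized but carry no dACL, since such a host sits on the assigned VLAN with none of the per-user filtering ISE intended. The sample output is a constructed, trimmed copy of the two sessions shown above, with the failing session also given "IPv4 Address: Unknown" because the post ties the failure to devices that never ARP or DHCP.

```python
import re

# Constructed sample (not copied from the post): two trimmed "show authentication
# sessions interface ... detail" outputs, one with the dACL applied and one without.
SAMPLE_OUTPUT = """\
SW01#show authentication sessions interface gigabitEthernet 1/0/1 det
            Interface:  GigabitEthernet1/0/1
          MAC Address:  000f.b605.0000
         IPv4 Address:  10.50.133.38
               Status:  Authorized
Server Policies:
           Vlan Group:  Name: MA-STORES-XXX, Vlan: 570
              ACS ACL:  xACSACLx-IP-dACL-MA-STORES-XXX-5bbdbe17
SW01#show authentication sessions interface gigabitEthernet 1/0/2 det
            Interface:  GigabitEthernet1/0/2
          MAC Address:  000f.b605.0001
         IPv4 Address:  Unknown
               Status:  Authorized
Server Policies:
           Vlan Group:  Name: MA-STORES-XXX, Vlan: 570
"""

def parse_sessions(text):
    """Split the CLI output into one dict of 'Key: value' fields per session."""
    sessions, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if not m:
            continue  # prompt lines and table rows carry no colon
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Interface":  # first field of every session block
            current = {}
            sessions.append(current)
        if current is not None:
            current[key] = value
    return sessions

def audit_sessions(sessions):
    """Report authorized sessions with no dACL: hosts on the VLAN that are not
    filtered at all even though ISE pushed a dACL for them."""
    findings = []
    for s in sessions:
        if s.get("Status") != "Authorized" or s.get("ACS ACL"):
            continue
        reason = "authorized but no ACS ACL applied"
        if s.get("IPv4 Address", "Unknown") == "Unknown":
            reason += "; switch has not learned an IPv4 address (IPDT)"
        findings.append((s["Interface"], s.get("MAC Address"), reason))
    return findings
```

Feed the audit the concatenated output of a `show authentication sessions interface <x> detail` loop from every access switch to get the list of ports where the enforcement is silently missing.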

3 Replies

Hello,

Hard to say what is causing this. Is it an option to configure a port with just the basic config:


interface GigabitEthernet1/0/1
description Switchport1
switchport mode access

spanning-tree portfast edge

and then add the other config parts one by one, in order to find out if any of the other lines applied to the switchport are causing this?

Possible in a theoretical way, but I'm quite sure it's related to the IP device tracking service, but not sure what to do about it, since we only experience the problem with two types of devices and they are only obscure devices.

Just to get back with some information after problem troubleshooting.

We tried everything and still haven't solved it.

But the device is obscure: 10 Mbit/half-duplex, very old hardware, etc. Feels like some kind of ARP issue of the device itself.

A workaround we found was to set up a monitoring service and send ICMP echo requests to get the device to always be alive and also to respond from the network abroad; in that case it did get a dACL.

Very strange, I will try to get back if we ever find a root cause of this.
(The hardware is some kind of IP-alarm module/node)
