02-03-2020 09:10 AM - edited 02-03-2020 09:12 AM
I have some older Catalyst 3560s with IP Services that are running as L3 access switches (IOS 15.0(2)SE11). I have 802.1x authentication/authorisation working with these with the Radius server sending a DACL via a Cisco AV-Pair (ip:inacl#10=permit ip x.x.x.x x.x.x.x). I am using MS NPS for Radius and I have two 802.1x policies - Computer & User. The Computer policy is triggered if the Machine Group is matched and the User Policy if the User Group is matched. With this I can provide limited access to machines that aren't logged on (for example: ip:inacl#10=permit ip any 192.168.0.0 0.0.255.255) and then wider access when a user logs on (ip:inacl#10=permit ip any any).
With IOS 15.0(2)SE11 if I include any IPv6 ACEs in the DACL they are simply ignored by the switch. I added 'ipv6:inacl#30=permit ipv6 any any' to the NPS policy but the switch just seems to ignore it. My assumption is that there is just no support for this at all (the output of 'show authentication sessions interface x/x' doesn't have a line for the IPv6 address).
I recently replaced one of the 3560s with a 3560X running 15.2(4)E9 and applied the same configuration as the old 3560. Initially 802.1x didn't work and after some debugging I realised that the IPv6 ACE on the NPS server was causing the issue. I removed the 'ipv6:inacl#30=permit ipv6 any any' from the Cisco AV-Pair on the NPS server and 802.1x started to work.
The 'show authentication sessions interface x/x detail' command on the 3560X has lines for 'IPv4 Address:' and 'IPv6 Address:' in the output, although there was nothing initially shown in the IPv6 Address line. After some digging on CCO I enabled IPv6 device tracking (ipv6 snooping policy) and now I get the link local and any global IPv6 addresses that are discovered on the L2 interfaces as well as the IPv4 address (MAC & L3 addresses changed obviously):
cat-3560x#show authentication sessions interface gigabitEthernet 0/2 details
Interface: GigabitEthernet0/2
MAC Address: 1111.1111.1111
IPv6 Address: FE80::45E8:ED67:B777:EAB0, 2001:0000:0000:0000:45E8:ED67:B777:EAB0, 2001:0000:0000:0000:79A8:F33A:8CCD:DE7B
IPv4 Address: 192.168.1.1
User-Name: DOMAIN\username
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: 10800s (server), Remaining: 1669s
Timeout action: Reauthenticate
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 0A3E01FE0000034D9D016B5D
Acct Session ID: 0x00000435
Handle: 0x99000098
Current Policy: POLICY_Gi0/2
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
Per-User ACL: GigabitEthernet0/2#v4#7CEDE84
: permit ip any any
Method status list:
Method State
dot1x Authc Success
I thought that this IPv6 device tracking may fix the issue I was seeing with the NPS server sending the IPv6 ACE, however I get the same behaviour and the port fails authorisation when the NPS server sends the IPv4 and IPv6 ACEs and works fine when just the IPv4 ACE is sent.
So, the question is can this be achieved? i.e. Can the Catalyst 3560X interpret the Cisco AV-Pair sent from the NPS server to apply both an IPv4 and an IPv6 DACL?
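As an added example (not from the thread or from Cisco), a small Python validator for the Cisco AV-Pair inacl attributes discussed above: it parses ip:inacl#N= and ipv6:inacl#N= entries, flags protocol-keyword mix-ups and duplicate sequence numbers that NPS will not catch, and splits a policy into its IPv4 and IPv6 parts so an IPv4-only variant can be sent to switches that reject the ipv6:inacl attribute. All function names are mine; the sample attributes are constructed from the post.

```python
import re

# Constructed sample: the two attributes the thread's NPS policies send, the IPv4
# ACE for logged-off machines plus the IPv6 ACE the 3560X refuses to apply.
SAMPLE_AVPAIRS = [
    "ip:inacl#10=permit ip any 192.168.0.0 0.0.255.255",
    "ipv6:inacl#30=permit ipv6 any any",
]

AVPAIR_RE = re.compile(r"^(?P<family>ip|ipv6):inacl#(?P<seq>\d+)=(?P<ace>.+)$")


def parse_avpair(raw: str) -> tuple[str, int, str]:
    """Parse 'ip:inacl#N=...' or 'ipv6:inacl#N=...' into (family, seq, ace).

    Raises ValueError for anything that is not a well-formed inacl attribute.
    """
    m = AVPAIR_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not an inacl AV-Pair: {raw!r}")
    family, seq, ace = m["family"], int(m["seq"]), " ".join(m["ace"].split())
    words = ace.split()
    if len(words) < 2 or words[0] not in ("permit", "deny"):
        raise ValueError(f"ACE must start with permit/deny: {raw!r}")
    # The protocol keyword must match the ACL family: 'ip' belongs in an IPv4
    # ACE and 'ipv6' in an IPv6 ACE; the set test catches either mix-up.
    if {family, words[1]} == {"ip", "ipv6"}:
        raise ValueError(f"protocol keyword does not match ACL family: {raw!r}")
    return family, seq, ace


def validate(avpairs: list[str]) -> list[str]:
    """Return the problems found in a set of inacl AV-Pairs (empty list = clean)."""
    problems, seen = [], set()
    for raw in avpairs:
        try:
            family, seq, _ = parse_avpair(raw)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if (family, seq) in seen:
            problems.append(f"duplicate sequence {seq} in the {family} ACL")
        seen.add((family, seq))
    return problems


def split_by_family(avpairs: list[str]) -> tuple[list[str], list[str]]:
    """Split into (IPv4 attrs, IPv6 attrs) so an IPv4-only policy can be built
    for switches that, like the 3560X in the thread, reject ipv6:inacl."""
    v4 = [a for a in avpairs if parse_avpair(a)[0] == "ip"]
    return v4, [a for a in avpairs if a not in v4]
```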
11-26-2021 06:07 AM - edited 11-26-2021 08:39 AM
I gave up on troubleshooting this any further on the 3560X a while ago, however I've got a couple of 3560CX compact switches which are running IOS 15.2(7)E5. With the 3560CX the IPv6 DACL works. It isn't shown in the output of 'show authentication sessions interface x/x detail', however if you do 'show ipv6 access-list' there is a per-user IPv6 ACL for the interface and it blocks the traffic.
This is obviously something that was identified as an issue in the IOS 15.2(4)Ex software and has been fixed/added to the C3560CX software.
With the C3560X 15.2(4)E10 IOS I get this RADIUS debug message
131621: Nov 26 13:44:58.616 GMT: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (1803.732a.9695) on Interface Gi0/2 AuditSessionID 0A3E01FE000035AB413FC465
When it receives the AV Pair with the IPv6 DACL in it (ipv6:inacl#10=permit ipv6 any any).
In the release notes for 15.2(7)E0a it states:
So it looks like I am out of luck regarding dACLs with the 3560X/3750X series. And since they went end-of-support last month, is there any chance this will be added/fixed?
Andy
12-21-2022 04:28 AM
Do you have the SDM set for IPV4/IPV6, or the default?
I read somewhere that in order to apply IPv6 ACLs the SDM needs to be changed first.
If that's not it, have you tried just sending the IPv6 dacl without any IPv4 entries?