Dynamic ACL with RADIUS

Hi all,

We noticed that with the new IOS for the Catalyst 9300, dynamic access-lists were introduced, so we tried to assign a dynamic ACL via the RADIUS server:

pass Cleartext-Password := pass
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 303,
Cisco-AVPair = ip:fqdn-redirect-acl#10=permit udp any host 10.0.1.21 eq domain,
Cisco-AVPair += ip:fqdn-redirect-acl#20=permit ip any host dynamic *.apple.com,
Cisco-AVPair += ip:fqdn-redirect-acl#30=deny ip any any

On the switchport we see the ACL assigned, but it does not function. Could that be related to the order of the lines?
"deny ip any any" goes above all the other lines, but in the configuration we put it as the last line; we do not understand this change.

gogotest#sh access-session interface tw1/0/3 de
Interface: TwoGigabitEthernet1/0/3
IIF-ID: 0x1EE319408
MAC Address: 1111.ee17.1234
IPv6 Address:
IPv4 Address: 172.51.100.192
User-Name: pass
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Acct update timeout: 300s (local), Remaining: 1s
Common Session ID: 00000000000000519CF942D1
Acct Session ID: 0x00000049
Handle: 0xc0000047
Current Policy: 802_1X-POLICY


Server Policies:
Per-User redirect ACL: Tw1/0/3#v4-redirect#1EE31508
: deny ip any any
Per-User redirect ACL: Tw1/0/3#v4-redirect#1EE31508
: permit ip any host dynamic *.apple.com
Per-User redirect ACL: Tw1/0/3#v4-redirect#1EE31508
: permit udp any host 10.0.1.21 eq domain
Vlan Group: Vlan: 303

Could you please advise us where to look?
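The ordering question in the post above can be checked offline, as an added example that is not part of the original post or of any Cisco tooling: a small Python checker that parses the Cisco-AVPair values from the RADIUS entry, orders the ACEs by their "#N" suffix (assumed here to be the ACE sequence number, as it is for ip:inacl#N downloadable ACLs), parses the "Server Policies" section of the "show access-session ... detail" output, and reports whether the applied entries match, whether the displayed order matches the sequence order, and whether a "deny ip any any" or "permit ip any any" placed before other entries would shadow them. The sample AV pairs and show output are constructed from the values quoted in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three Cisco-AVPair values from the RADIUS users entry in the post.
# Assumption: the '#N' suffix is the ACE sequence number, as it is for ip:inacl#N dACLs.
AVPAIRS = [
    "ip:fqdn-redirect-acl#10=permit udp any host 10.0.1.21 eq domain",
    "ip:fqdn-redirect-acl#20=permit ip any host dynamic *.apple.com",
    "ip:fqdn-redirect-acl#30=deny ip any any",
]

# Constructed excerpt of the 'show access-session interface ... detail' output from the post.
SHOW_OUTPUT = """\
Server Policies:
Per-User redirect ACL: Tw1/0/3#v4-redirect#1EE31508
: deny ip any any
Per-User redirect ACL: Tw1/0/3#v4-redirect#1EE31508
: permit ip any host dynamic *.apple.com
Per-User redirect ACL: Tw1/0/3#v4-redirect#1EE31508
: permit udp any host 10.0.1.21 eq domain
Vlan Group: Vlan: 303
"""

AVPAIR_RE = re.compile(r"^ip:(?P<acl>[\w-]+)#(?P<seq>\d+)=(?P<ace>.+)$")
ANY_ANY_RE = re.compile(r"(permit|deny) ip any any")


@dataclass(frozen=True)
class Ace:
    seq: int
    text: str


def parse_avpairs(pairs):
    """Return {acl_name: [Ace, ...]} with each list sorted by sequence number."""
    acls = {}
    for pair in pairs:
        m = AVPAIR_RE.match(pair.strip())
        if not m:
            raise ValueError(f"not an ACL AV pair: {pair!r}")
        acls.setdefault(m["acl"], []).append(Ace(int(m["seq"]), m["ace"].strip()))
    for name in acls:
        acls[name].sort(key=lambda a: a.seq)
    return acls


def parse_show_access_session(text):
    """Return {redirect_acl_name: [ace_text, ...]} in the order the switch displays them."""
    acls = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^Per-User redirect ACL:\s*(\S+)$", line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        if line.startswith(":") and current is not None:
            acls[current].append(line[1:].strip())
    return acls


def check_ordering(aces):
    """Findings for an ACE list in sequence order: anything after a catch-all
    'permit ip any any' / 'deny ip any any' can never be matched."""
    findings = []
    for i, ace in enumerate(aces):
        if ANY_ANY_RE.fullmatch(ace.text):
            for shadowed in aces[i + 1:]:
                findings.append(
                    f"seq {shadowed.seq} '{shadowed.text}' is shadowed by seq {ace.seq} '{ace.text}'"
                )
            break
    return findings


def compare(intended, applied):
    """Compare the ACEs sent via RADIUS with the ones the switch reports as applied."""
    intended_text = [a.text for a in intended]
    return {
        "missing": [t for t in intended_text if t not in applied],
        "extra": [t for t in applied if t not in intended_text],
        "same_order": intended_text == applied,
    }


if __name__ == "__main__":
    intended = parse_avpairs(AVPAIRS)["fqdn-redirect-acl"]
    applied = parse_show_access_session(SHOW_OUTPUT)
    for name, aces in applied.items():
        print(name, compare(intended, aces))
    print("shadowing:", check_ordering(intended) or "none")
```

Run against the values in the post, the checker reports that all three ACEs are present, that the displayed order differs from the sequence order, and that nothing is shadowed: with "deny ip any any" at sequence 30 it sits last, so it is equivalent to the implicit deny at the end of the ACL. Renumbering that deny to sequence 5 makes the checker flag both permits as unreachable, which is the situation the display order in the post suggests but the sequence numbers do not.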

4 Replies

balaji.bandi
Hall of Fame

What RADIUS server are you using?

Can you post the AAA config and port configuration from the switch? (Also, which IOS XE code is it running?)

BB


Version 17.06.03

Here are the AAA outputs:

aaa group server radius cisco-auth
 server name v4_radius01
 server name v6_radius01
 server name v4_radius02
 server name v6_radius02

aaa group server radius dot1x-auth
 server name dot1x-radius02_v4
 server name dot1x-radius01_v4
 server name dot1x-radius02_v6
 server name dot1x-radius01_v6
 load-balance method least-outstanding

aaa authentication login default local
aaa authentication login MERAKI local
aaa authentication login FHV-RADIUS group cisco-auth
aaa authentication dot1x default group dot1x-auth
aaa authorization exec default local
aaa authorization exec MERAKI local
aaa authorization exec FHV-RADIUS group cisco-auth
aaa authorization network default group cisco-auth local
aaa accounting update newinfo periodic 5
aaa accounting identity default start-stop group dot1x-auth
aaa accounting exec default start-stop group cisco-auth
aaa accounting network default start-stop group cisco-auth

aaa session-id common
boot system switch all flash:packages.conf
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 2:00
switch 1 provision c9300-48uxm
software auto-upgrade enable

Port config:

Name: Tw1/0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1050
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Vepa Enabled: false
App Interface: false
Appliance trust: none

BP

Cisco-AVPair += ip:fqdn-redirect-acl#30=deny ip any any <<- remove this; it has no effect. By default any PACL (dACL) has an implicit deny any any at the end.

The access-session output now shows correctly, but access to the server still does not work:


go1s#sh access-session interface tw1/0/3 de
Interface: TwoGigabitEthernet1/0/3
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Acct update timeout: 300s (local), Remaining: 239s
Common Session ID: 0000000000000014SA624F03
Acct Session ID: 0x00000010
Handle: 0xf900000a
Current Policy: 802_1X-POLICY


Server Policies:
Per-User redirect ACL: Tw1/0/3#v4-redirect#1EE31508
: permit ip any host dynamic *.apple.com
Per-User redirect ACL: Tw1/0/3#v4-redirect#1EE31508
: permit udp any host 10.0.1.21 eq domain
Vlan Group: Vlan: 303

 

cb@cb-mb ~ % dig @10.0.1.21 www.apple.com
; <<>> DiG 9.10.6 <<>> @10.0.1.21 www.apple.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

 
