DACL to switch
Hi I have dot1x authorization policy on my ISE server, whith result few statements in DACL
Device Authorize successfull, DACL is pushing to switch
Current configuration : 484 bytes
interface FastEthernet0/4
switchport access vlan 84
switchport mode access
switchport voice vlan 70
ip access-group default_acl in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x max-reauth-req 3
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
end
sh access-lists
Extended IP access list Auth-Default-ACL
10 permit udp any range bootps 65347 any range bootpc 65348 (2 matches)
20 permit udp any any range bootps 65347 (15 matches)
30 deny ip any any (90 matches)
Extended IP access list default_acl
10 permit ip any any (602 matches)
Extended IP access list xACSACLx-IP-standart_vpn-5106859d (per-user)
10 permit tcp any 0.0.0.0 255.255.255.0 eq 3389
20 permit ip any host 10.1.1.20
30 permit udp any host 10.8.13.11 eq domain
40 permit udp any host 10.8.13.12 eq domain
50 deny ip any any
#sh authentication sessions interface f0/4
Interface: FastEthernet0/4
MAC Address: 0023.8b84.fa32
IP Address: 10.110.11.254
User-Name: krasnoperov_as
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-standart_vpn-5106859d
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A6E0A0400000079A121E4DE
Acct Session ID: 0x00000EE3
Handle: 0x2C000079
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
BUT it's not applayed to my session, default_acl on port is still applayed, from this PC I have any any access, like in default ACL defined.
Why it's happens?
thanks
Hi, ACL which I wat to applay from ISE server is this:
permit ip any host 10.1.1.20
permit udp any host 10.8.13.11 eq 53
permit udp any host 10.8.13.12 eq 53
deny ip any any
this line was
10 permit tcp any 0.0.0.0 255.255.255.0 eq 3389
for ASA acl, it's incorrect, I delete it.
ARHIV-ROOM36#sh ip access-lists
Standard IP access list 21
10 permit 10.8.39.33 (7648 matches)
20 permit 10.5.45.95 (4298 matches)
30 permit 10.5.45.164
40 permit 10.1.1.206
50 permit 10.1.1.248
60 deny any (4 matches)
Standard IP access list 23
10 permit 10.0.0.0, wildcard bits 0.255.255.255 (34 matches)
Extended IP access list 101
10 permit ip any any
Extended IP access list 117
10 permit ip any any
Extended IP access list Auth-Default-ACL
10 permit udp any range bootps 65347 any range bootpc 65348 (15 matches)
20 permit udp any any range bootps 65347 (6 matches)
30 deny ip any any (10 matches)
Extended IP access list default_acl
10 permit ip any any (98 matches)
Extended IP access list xACSACLx-IP-standart_vpn-5107cb73 (per-user)
10 permit ip any host 10.1.1.20
20 permit udp any host 10.8.13.11 eq domain
30 permit udp any host 10.8.13.12 eq domain
40 deny ip any any
ARHIV-ROOM36#sh authentication sessions interface f0/4
Interface: FastEthernet0/4
MAC Address: 0023.8b84.fa32
IP Address: 10.110.11.254
User-Name: krasnoperov_as
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-standart_vpn-5107cb73
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A6E0A040000003E015EC308
Acct Session ID: 0x0000004E
Handle: 0x6700003F
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
ARHIV-ROOM36#sh ip access-lists interface fastEthernet 0/4
ARHIV-ROOM36#
What kind of debug I should enable, because if I debug all - my switch is going down
Similar Messages
-
Hi,
I am trying to figure out the syntax for dACL to a switch running 12.2(55)SE7.
In the switch we have used the following static ACL:
ip access-list extended TEST
10 permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
It is to limit so only some source IP can access some destination IP on those ports. Now we want to use it dynamicly so that the ACL gets donloaded to the switch when a certain device connects the port.
I added it to ISE like this:
permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
But that doesn't work. However, when I change the source to any then it works:
permit tcp any 10.0.0.2 0.3.255.0 range 1025 2000
By not working I mean that I see the dACL being downloaded, then the port state is Authz fail and after 1 min the device reauthenticates.
Why does it work with source any?
Regards,
PhilipHello,
check if the IOS version and hardware platform (switch) you're using is mentioned in TrustSec document (page 6):
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
The minimum IOS version to use with ISE should be 12.2(55), but generally it's better to use 15.x.
Also, check if you have configured everything that is recommended for switch devices in TrustSec (page 59), including "ip device tracking".
There's also a very nice document for troubleshooting:
"Cisco TrustSec How-To Guide: Failed Authentications and Authorizations"
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf
If it doesn't work, can you post the output of the following commands after authorization:
show authentication session interface
sh ip access-lists interface
show running-config interface
show access-list
sh ip access-lists -
hello,
could anyone please post screen capture of ISE posture configuration ( and remediation )
I need urgently a dACL and a redirection ACL that work at least in a mockup lab.
Authentification and authorizations policies not needed.
posture and remediation policies not needed.
The issue is about ACLs (I guess)
Also needed is a valid switch config file, with ACL (if necessary) a the DOT1x ethernet port.
My IOS is 122.55 SE or 52 SE
Thank you by advance.
Best regards.
V.Hi Venkatesh,
Your the ultimate ISE Guru !!
You're right
Thanks a lot.
See screen captures and Sw config below
aaa new-model
aaa group server radius ISE
server 192.168.6.10 auth-port 1812 acct-port 1813
server 192.168.6.10 auth-port 1645 acct-port 1646
aaa authentication login default local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization network auth-list group ISE
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
client 192.168.6.10 server-key 123456789
ip dhcp snooping
ip device tracking
dot1x system-auth-control
dot1x critical eapol
interface FastEthernet1/0/1
switchport mode access
ip access-group ACL-ALLOW in
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-POSTURE-REDIRECT
deny udp any any eq domain
deny udp any host 192.168.6.10 eq 8905
deny udp any host 192.168.6.10 eq 8906
deny tcp any host 192.168.6.10 eq 8443
deny tcp any host 192.168.6.10 eq 8905
deny tcp any host 192.168.6.10 eq www
permit ip any any
snmp-server community snmp RO
snmp-server community RO RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.6.10 public
snmp-server host 192.168.6.10 version 2c snmp mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789
radius-server vsa send accounting
radius-server vsa send authentication
V. -
DACL does not get downloaded to Cisco Switch from ISE
Hello,
I have a cisco switch with ios: c3550-ipbasek9-mz.122-44.SE6.bin
I am trying to push dACL fro my ISE device into the switch, but it is not getting applied to switch. dynamic vlan assignment workds fine, but dACL doesnot apply
Any instruction plz?Hi Jatin,
ISE is properly configured for dACL, i think there is some compatibility issue on cisco switch ios.
following is the debug output>>
06:36:43: dot1x-packet:Received an EAP packet on interface FastEthernet0/11
06:36:43: EAPOL pak dump rx
06:36:43: EAPOL Version: 0x1 type: 0x0 length: 0x0006
06:36:43: dot1x-packet:Received an EAP packet on the FastEthernet0/11 from mac 0019.b981.e812
06:36:43: dot1x-sm:Posting EAPOL_EAP on Client=1D68028
06:36:43: dot1x_auth_bend Fa0/11: during state auth_bend_request, got event 6(eapolEap)
06:36:43: @@@ dot1x_auth_bend Fa0/11: auth_bend_request -> auth_bend_response
06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_enter called
06:36:43: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0019.b981.e812
06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_response_action called
06:36:43: RADIUS/ENCODE(00000049):Orig. component type = DOT1X
06:36:43: RADIUS(00000049): Config NAS IP: 192.168.2.250
06:36:43: RADIUS/ENCODE(00000049): acct_session_id: 73
06:36:43: RADIUS(00000049): sending
06:36:43: RADIUS(00000049): Send Access-Request to 192.168.2.231:1812 id 1645/99, len 267
06:36:43: RADIUS: authenticator 5B 61 1D 64 D3 D5 9F AD - 23 E0 11 11 B3 C3 5C 81
06:36:43: RADIUS: User-Name [1] 6 "test"
06:36:43: RADIUS: Service-Type [6] 6 Framed [2]
06:36:43: RADIUS: Framed-MTU [12] 6 1500
06:36:43: RADIUS: Called-Station-Id [30] 19 "00-11-5C-6E-5E-0B"
06:36:43: RADIUS: Calling-Station-Id [31] 19 "00-19-B9-81-E8-12"
06:36:43: RADIUS: EAP-Message [79] 8
06:36:43: RADIUS: 02 7A 00 06 0D 00 [ z]
06:36:43: RADIUS: Message-Authenticato[80] 18
06:36:43: RADIUS: A6 AB 5A CA ED B8 B4 1E 36 00 9D AB 1A F6 B9 E0 [ Z6]
06:36:43: RADIUS: Vendor, Cisco [26] 49
06:36:43: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A802FA0000006F016B36D8"
06:36:43: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
06:36:43: RADIUS: NAS-Port [5] 6 50011
06:36:43: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/11"
06:36:43: RADIUS: State [24] 80
06:36:43: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:43: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:43: RADIUS: 31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F [16B36D8;35Sessio]
06:36:43: RADIUS: 6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31 [nID=ise-server-1]
06:36:43: RADIUS: 2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B [ /171025988/24;]
06:36:43: RADIUS: NAS-IP-Address [4] 6 192.168.2.250
06:36:43: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
06:36:43: RADIUS: Received from id 1645/99 192.168.2.231:1812, Access-Challenge, len 1134
06:36:43: RADIUS: authenticator 78 36 A3 38 30 1C F0 7A - 19 83 93 81 B4 6B FF 9E
06:36:43: RADIUS: State [24] 80
06:36:43: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:43: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:43: RADIUS: 31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F [16B36D8;35Sessio]
06:36:43: RADIUS: 6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31 [nID=ise-server-1]
06:36:43: RADIUS: 2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B [ /171025988/24;]
06:36:43: RADIUS: EAP-Message [79] 255
06:36:43: RADIUS: 4D 5D 13 47 FC 46 16 EE 62 76 40 09 77 48 31 B6 01 6B 5E 52 33 56 A2 1E 34 [M]GFbv@wH1k^R3V4]
06:36:43: RADIUS: 02 32 39 FA 4D CA 79 18 4A 42 A2 4E 5C BD AE 29 D2 3D D1 5A FC C2 ED 3E E5 FB C6 B8 D8 DE A8 75 EB 3A A5 7D 02 03 01 00 01 A3 81 CD 30 [29MyJBN\)=Z>u:}0]
06:36:43: RADIUS: 81 CA 30 0B 06 03 55 1D 0F 04 04 03 02 01 86 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 1D 06 03 55 1D 0E 04 16 04 14 C4 56 80 A7 C9 18 50 92 EE CC 91 D4 E1 EC DB AD E7 1E 70 A8 30 79 06 03 55 1D 1F 04 72 30 70 [0U0U00UVPp0yUr0p]
06:36:43: RADIUS: 30 6E A0 6C A0 6A 86 32 68 74 74 70 3A 2F 2F 73 79 73 6C [0nlj2http://sysl]
06:36:43: RADIUS: 6F 67 2D 73 65 72 76 65 72 2F 43 65 72 74 45 6E [og-server/CertEn]
06:36:43: RADIUS: 72 6F 6C 6C 2F 46 4D 46 42 5F 54 72 75 73 74 65 [roll/FMFB_Truste]
06:36:43: RADIUS: 64 43 41 2E 63 72 6C 86 34 66 69 6C 65 3A 2F 2F 5C [dCA.crl4file://\]
06:36:43: RADIUS: 5C 73 79 73 6C 6F 67 2D 73 65 72 76 65 72 5C 43 [\syslog-server\C]
06:36:43: RADIUS: 65 72 74 45 6E 72 6F 6C 6C 5C 46 4D 46 42 5F 54 [ertEnroll\FMFB_T]
06:36:43: RADIUS: 72 75 73 74 65 64 43 41 2E [ rustedCA.]
06:36:43: RADIUS: EAP-Message [79] 251
06:36:43: RADIUS: 63 72 6C 30 10 06 09 2B 06 01 04 01 82 37 15 01 04 03 02 01 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 01 01 00 63 BA F8 CE D5 8B 0E 94 77 AE 86 6C 37 AB 2F 36 9A B2 85 D5 4A [crl0+70*Hcwl7/6J]
06:36:43: RADIUS: 74 8C 33 F5 93 06 A6 57 8D 39 56 8F 02 08 97 CB C6 08 70 8C 22 1E 5D 1F A8 26 6D 60 1F 05 62 D1 24 AB 03 8C 41 F8 1C F1 F8 C2 87 8B 97 02 71 FC 6A [t3W9Vp"]&m`b$Aqj]
06:36:43: RADIUS: EB 12 FC DD 8C 5C 9C 2D AF D2 C4 1C 18 1B 40 BE 78 B0 54 55 59 89 03 1B B7 FB 91 85 EE CA C0 18 1C 78 5D 4D BA FA 9E 44 D3 45 53 A3 BE 46 8A FB 81 BD F1 4C B3 3B [\-@xTUYx]MDESFL;]
06:36:43: RADIUS: D6 66 7E 5B 79 9F 83 53 5E 49 92 B5 7F E5 1A E2 86 8C 83 96 7D 75 A5 1D 08 4E 32 C3 5E EC BF 28 53 EC 53 8A C3 E0 36 [f~[yS^I}uN2^(SS6]
06:36:43: RADIUS: 82 EE AA 0D 38 3E BA 9C 1D D9 24 BD 48 A6 EE 44 BD 95 68 85 CA 8C 44 F8 E8 A2 FB 94 BC 6F 7C F2 06 91 6C A0 A6 BB 7B 7F 56 BD 15 32 A4 [ 8>$HDhDo|l{V2]
06:36:43: RADIUS: Message-Authenticato[80] 18
06:36:43: RADIUS: DD 82 F7 10 3F C7 B5 62 9B 2A BB 24 16 A7 59 33 [ ?b*$Y3]
06:36:44: RADIUS(00000049): Received from id 1645/99
06:36:44: RADIUS/DECODE: EAP-Message fragments, 253+253+253+249, total 1008 bytes
06:36:44: dot1x-packet:Received an EAP request packet from EAP for mac 0019.b981.e812
06:36:44: dot1x-sm:Posting EAP_REQ on Client=1D68028
06:36:44: dot1x_auth_bend Fa0/11: during state auth_bend_response, got event 7(eapReq)
06:36:44: @@@ dot1x_auth_bend Fa0/11: auth_bend_response -> auth_bend_request
06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_exit called
06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_enter called
06:36:44: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x7B length: 0x03F0 type: 0xD data: @Cfui[ab2,Jt1){ 2]g&GZ1pIbu;+Ga;iF"jy#
oohuV.aFZ4_|
P0`At )B
06:36:44: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
06:36:44: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:44: RADIUS: Message-Authenticato[80] 18
06:36:44: RADIUS: F5 B0 56 D3 C6 87 BD 10 6E C7 4A 72 5B 5C 60 C5 [ VnJr[\`]
06:36:44: RADIUS: Vendor, Cisco [26] 49
06:36:44: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A802FA0000006F016B36D8"
06:36:44: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
06:36:44: RADIUS: NAS-Port [5] 6 50011
06:36:44: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/11"
06:36:44: RADIUS: State [24] 80
06:36:44: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:44: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:45: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
06:36:45: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:45: dot1x-registry:registry:dot1x_ether_macaddr called
06:36:45: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/11
06:36:45: EAPOL pak dump Tx
06:36:45: EAPOL Version: 0x2 type: 0x0 length: 0x0039
06:36:45: EAP code: 0x1 id: 0x7E length: 0x0039 type: 0xD
06:36:45: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (0019.b981.e812)
06:36:45: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_request_action called
06:36:46: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:46: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
06:36:46: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
06:36:46: EAPOL pak dump rx
06:36:46: EAPOL Version: 0x1 type: 0x0 length: 0x0006
06:36:46: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/11 CODE= 2,TYPE= 13,LEN= 6
06:36:46: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/11
06:36:46: dot1x-ev:Received pkt saddr =0019.b981.e812 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0006
06:36:46: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port Fa0/11 is TRUE -
Dacl on ACS 5.1 and Catalyst switch 3560
Dear all
I have ACS 5.1 and Catalyst switch 3560 with version 12.2(53)SE. I configure a dacl on the ACS and I use it on authorization profile.
This authrization profile is used on access policy.
I tried the authentication but it doesn't work. I checked the ACS logs and I found that the user is authenicated successfuly but the dacl gives this error (The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected)
Steps:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11025 The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected
11003 Returned RADIUS Access-Reject
DACL:
deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log
permit ip any any log
Thanks on advance,Dear Tiago
I applied the command "radius-server vsa send". Now I can see the dacl is applied but I can't see it on the switch and even the authentication is succueeded ont the ACS logs but it give me unauthoized on the switchport. You can see the logs( started with the username acstest and the access-list is applied but it doesn't work and you can see theat it goes for mab after eap timed out). I hope you can help on this issue.
Dec 13,10 10:29:00.513 AM
00-23-AE-7A-58-A6
00-23-AE-7A-58-A6
Default Network Access
Lookup
Dot1x-3560-Switch
1.2.3.4
FastEthernet0/5
TESTACS
22056 Subject not found in the applicable identity store(s).
Dec 13,10 10:28:29.186 AM
#ACSACL#-IP-Guest-4cfcc14d
Dot1x-3560-Switch
1.2.3.4
TESTACS
Dec 13,10 10:28:28.726 AM
acstest
00-23-AE-7A-58-A6
Default Network Access
PEAP (EAP-MSCHAPv2)
Dot1x-3560-Switch
1.2.3.4
FastEthernet0/5
TESTACS
Thanks, -
Understanding ISE and dACL.
I don't understand correlation between ACL and dACL.
If dACL is downloaded to the Catalyst switch what is the status of the ACL attached to physical port. Is dACL appended to the existing ACL? When I typed ‘sh ip access-list int fa0/1’ I can see only dACL for access domain and dACL for voice domain appended to the previous dACL and no ACL lines.
Regards,
ViceHi,
Downloadable ACLs (dACL) are applied from your RADIUS server based on authentication and authorization policies. It overrides any standard interface ACL.
Standard interface ACLs are in place to limit traffic on the port before 802.1x or MAB authentication.
When an authenticated session terminates on the interface the standard ACL will be re-applied until the next authentication. -
ACS 4.2 and dACL on Catalyst switches
Hello
I have ACS 4.2.0.124p14, 3750-48PSS switch with 12.50.SE3 and test PC running Windows XP. PC authenticated by MAB and switch correctly download dACL from ACS. But if dACL contains more than ~10 lines traffic not passed thru port (dACL downloaded correctly). Does anybody know why traffic is blocked or how I can debug this or any restrictions in dACL construction.
Regards,
StanislavThis is what I understand; The port is getting authorized fine, DACL are being sent by the radius server and are getting applied to the concern port but its not taking effect. This is an on going issue..we have seen many cases with this.
As you said uf there are more then 10 lines then only its not working...In that case There is an internal bug on this: CSCsf14450: DACL not consistently downloaded to switch during MAB testing.
HTH
JK
Do rate helpful posts- -
Good morning everybody,
I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
What I want to do is to be able to authenticate users (802.1x authentication) in our company radius server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with itself). The concept involves the configuration of both DATA and VOICE VLANs as I there is also phone authentication implemented. In order to simulate this environment I introduce a Dumb switch connected to my Cisco 2960 Catalyst.
What I have successfully managed to get to work so far is this:
1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to a the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Bellow is an output from show authentication sessions for this scenario.
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
show authentication sessions:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
What I want to get is an output like this:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
I want the switch to authenticate the users anytime they connect to itself and for them to have an instant access to the network. (I tell this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked but, two users never had access to the “Internet” simultaneously!!!
The configuration of the interface connected to the Dumb switch is as follows.
interface FastEthernet0/x
description Connection to DUMBswitch
switchport mode access
switchport voice vlan XXX
switchport port-security maximum 10
switchport port-security
switchport port-security violation protect
authentication host-mode multi-auth
authentication priority dot1x
authentication port-control auto
authentication timer reauthenticate 4000
authentication violation replace
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
The way I see it is explained in the following steps:
- PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
- When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
Has anybody ever succeeded in such a configuration example and if yes, I would be love to get some help in doing so?
Thank you
Stoimen HristovHi Stoimen,
I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
From what I can see, you have 2 options available to you:
1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
Hopefully someone else will chime in with another option.
Xavier -
ISE 1.2: Airspace ACL vs DACL
Can someone please shed some light here:
I have a 5508 WLC & ISE 1.2. I configured Guest Access through the use of a Sponsor Portal, and got it working.
I now want to restrict my Guest users to access the internet only and not the rest of my network.
Do I do that using a Airspace ACL & an Access List on my WLC or a DACL on my ISE box.
I'm not sure how to block the users from accessing my internal network, since I have tried both, but neither work.
Any advice please.In ISE, dACLs are only applicable to switches. They are ineffective with wireless connections.
An Airespace ACL is the way to go and it looks like you got it working.
The ACL should be:
permit Inbound for any to the ISE IPs and permit outbound from ISE to any.
deny any to 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 inbound (or just to your internal IP space)
permit any to any in any direction -
ISE & Switch URL redirect not working
Dear team,
I'm setting up Guest portal for Wired user. Everything seems to be okay, the PC is get MAB authz success, ISE push URL redirect to switch. The only problem is when I open browser, it is not redirected.
Here is some output from my 3560C:
Cisco IOS Software, C3560C Software (C3560c405-UNIVERSALK9-M), Version 12.2(55)EX3
SW3560C-LAB#sh auth sess int f0/3
Interface: FastEthernet0/3
MAC Address: f0de.f180.13b8
IP Address: 10.0.93.202
User-Name: F0-DE-F1-80-13-B8
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://BYODISE.byod.com:8443/guestportal/gateway?sessionId=0A005DF40000000D0010E23A&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A005DF40000000D0010E23A
Acct Session ID: 0x00000011
Handle: 0xD700000D
Runnable methods list:
Method State
mab Authc Success
SW3560C-LAB#sh epm sess summary
EPM Session Information
Total sessions seen so far : 10
Total active sessions : 1
Interface IP Address MAC Address Audit Session Id:
FastEthernet0/3 10.0.93.202 f0de.f180.13b8 0A005DF40000000D0010E23A
Could you please help to explore the problem? Thank you very much.With switch IOS version later than 15.0 the default interface ACL is not required. For url redirection the dACL is not required as this ACL is part of traffic restrict for "guest" users.
In my experiece some users can not get the redirect correctly because anti-spoof ACL on management Vlan or stateful firewall blocks the TCP syn ack.
It is rare in campus network access layer switches have user SVI configured so the redirect traffic has to be sent from the netman SVI, but trickly the TCP SYN ACK from the HTTP server will be sent back from the netman Vlan without source IP changed. (The switch is spoofing the source IP in my understanding with changing only the MAC address of the packet). In most of the cases there should be a basic ACL resides on the netman SVI on the first hop router, where the TCP SYN ACK may be dropped by the ACL.
tips:
1. "debug epm redirect" can make sure your traffic matches the redirect url and will get intercepted by the switch
2. It will be an ACL or firewall issue if you can see epm is redirecting your http request but can not see the SYN ACK from the requested server.
Which can win the race: increasing bandwidth with new technologies VS QoS? -
Not Working-central web-authentication with a switch and Identity Service Engine
on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
spanning-tree portfast
end
The ACL's
Extended IP access list webauth
10 permit ip any any
Extended IP access list redirect
10 deny ip any host 172.22.2.38
20 permit tcp any any eq www
30 permit tcp any any eq 443
The ISE side configuration I follow it step by step...
When I conect the XP client, e see the following Autenthication session...
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.184
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000490AC1A9E2
Acct Session ID: 0x00000077
Handle: 0xB7000049
Runnable methods list:
Method State
mab Authc Success
But there is no redirection, and I get the the following message on switch console:
756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
I have to mention I'm using an http proxy on port 8080...
Any Ideas on what is going wrong?
Regards
NunoOK, so I upgraded the IOS to version
SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
I tweak with ACL's to the following:
Extended IP access list redirect
10 permit ip any any (13 matches)
and created a DACL that is downloaded along with the authentication
Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
10 permit ip any any
I can see the epm session
swlx0x0x#show epm session ip 172.22.3.74
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
And authentication
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.74
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000160042BD98
Acct Session ID: 0x0000001B
Handle: 0x90000016
Runnable methods list:
Method State
mab Authc Success
on the logging, I get the following messages...
017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
What I'm I missing? -
How to create a custom DACL in ISE
Hello once again,
I'm puzzled over the note that I found at
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html#wp1136540
Namely the one that says:
The Name and DACL Content fields require that values be entered and are marked with an asterisk (*).
How would I interpret it? What's the proper syntax to create an DACL?
I created my own one the way I would do it in ACS, i.e.
ip:inacl#1=permit udp any host 192.168.1.100 eq 53
ip:inacl#1=deny ip any 192.168.1.0 255.255.255.0
ip:inacl#2=permit ip any any
But it doesn't work when I apply it to the authorization profileSorry about that, WLC do not support the dacl feature, this for switches and ASAs that support DACL feature. I assumed you were wanting this for wired.
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html
Here is the note that metions this in the release notes:
4
Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. WLCs prior to release 7.0.116.0 do not support CoA and require deployment of an ISE Inline Posture Node to support posture services. Use of Inline Posture Node requires WLC version 7.0.98 or later. Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support. Profiling services are currently supported for 802.1X-authenticated WLANs only on the WLC with CoA support. HREAP is not supported. WLCs do not currently support MAC Authentication Bypass (MAB).
thanks,
Tarik Admani
*Please rate helpful posts* -
Cisco ISE 1.2 Checking DACL Syntax
Greetings,
When we first set up all of the DACLs for our ISE deployment, it was explained to us that the "!" was a replacement for the "remark" entry on the access list, but when I utilize the "Check DACL Syntax", ISE tells me that my statements are improper:
Line 13 - In "! permit tcp any any eq 80", argument #1 "!" is not valid. Legal option(s):
permit
deny
remark
no
It doesn't appear that my DACLs are giving any errors when is use, so is this just an aesthetic error or do I need to go through and change all fo my DACLs to reflect this?
Thank You for any input!Hello David,
I guess there are many more keywords and format that "check DACL syntax" doesn't approve but they do work. A customer wanted to use a keyword ESTABLISHED so I created an ACE and clicked save.
"permit tcp any any established"
It gives me a pop-up stating "syntax check of the DACL content has failed, do you want to submit anyway.
I clicked yes and moved ahead. I then check the dacl syntax and it says
Line 1 - In "permit tcp any any established", argument #5 "established" is not valid.
Finally, I tested this on dot1x configured switch and the output of 'show ip access-list interface <interface-id>' shows it in downloaded access-list. Even though the syntax was not approved by the ISE we still manage to download it to the switch.
In your case if you are using remarks with dot1x and mab, please keep a watch on this defect
CSCuj35704 Remark in DACL causing dot1x and MAB authorization failure
Regards,
Jatin Katyal
**Do rate helpful posts** -
On version ISE 1.2.0.899 is there a way to log the drops that the endusers DACl enforces?
Hello,
check if the IOS version and hardware platform (switch) you're using is mentioned in TrustSec document (page 6):
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
The minimum IOS version to use with ISE should be 12.2(55), but generally it's better to use 15.x.
Also, check if you have configured everything that is recommended for switch devices in TrustSec (page 59), including "ip device tracking".
There's also a very nice document for troubleshooting:
"Cisco TrustSec How-To Guide: Failed Authentications and Authorizations"
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf
If it doesn't work, can you post the output of the following commands after authorization:
show authentication session interface
sh ip access-lists interface
show running-config interface
show access-list
sh ip access-lists -
Which way to enforce policy for endpoint from gateway router instead of switch
Dear team,
I am proposing ISE to customer. They want to deploy ISE as central authentication and policy point for users in branches. I would like to ask if this scenario is possible or not:
- When user client is plugged into access switch, the switch will use 802.1x or MAB in switch port
- After authentication, as normal method, we will push a dACL or VLAN change from ISE to switch in authorization statements. But customer dont want to apply port ACL on switch. They want to enforce policy from the gateway Router.
So is there any way to do that? I'm thinking about SGT but I dont have any experience on it. Please help to solve this problem. Thank you very much.
Kind regards,
Hiep Nguyen.Hiep,
You can use authentication proxy to push ACLs for users on the router. However the port based ACL is your best approach because you can determine authorization at the port level and if the user moves so does the policy.
thanks,
Tarik Admani
*Please rate helpful posts*
Maybe you are looking for
-
Adobe lightroom asking for serial number each time I open it. Any suggestions?
I just downloaded Lightroom 5 and updated to 5.7 when prompted on completion of the process. I now have to input the serial number each time I open the programme. Is there any thing I can do, restarting the installation for example, to try and get ro
-
Impact of Oracle Grid on TimesTen
Hi, One of our client is using TimesTen (11.2.1.8.0) in memory cache with Oracle(11.2.0.1.0 ) as the underlying database. They want to configure Oracle Grid to monitor the Oracle Database in the production environment. Logically there should be no im
-
Use spacebar to check/uncheck a checkbox in a datagrid.
I have a DataGrid that has checkbox in the first column. The user wants to be able to check/uncheck the checkbox when he selects a row, by mouse or up and down keys, and hits the spacebar. Currently the spacebar functions if the last thing that the u
-
Adding a field to Shopping card item level.
Hi Experts, I want to add field in the shoppping card item level, i have refer OSS note 458591, as per that i have to create one structure with the name Ci_bbp_item_sc and add the required field in that, can anyone tell me that by simplay creating st
-
I recently noticed that my Trash mailbox had over 8,000 messages in it, so I figured I'd delete some. I picked the least recent 6,000 or so, hit Cmd-Delete, and not much seemed to happen. I figured it was just taking a while, so I came back a while l