ISE v1.1 ACL merging?

Hello all,
I would like to ask you for some technical help.
Customer would like to create a policy model for remote-access services based on "roles". For example:
User1 is a member of GroupA in LDAP and is a member of GroupB as well.
Security GroupA specifies access to some resources (can be represented as an ACL, ACL-A); security GroupB is represented as another pool of resources (which can also be represented as an ACL, for example ACL-B).
Final status is: if a VPN client connects, he will get authorization based on both ACL-A and ACL-B.
How can we dynamically provide "merging" of ACLs?
ACL merging can't be done manually, because there can be more than 2 security groups and there are many VPN users, who can have various combinations of security group membership.
Thanks a lot for your help,
Regards,
Peter

Similar Messages

  • Using ISE to assign ACL's for VPN users

    Hi,
    I've just implemented ISE into our environment using various documents and videos found online but have not been able to find anything about using ISE to authenticate remote users via VPN and assigning them the ACLs created for their level of network access.
    Does anyone know of a good document or training video knocking about that I can use?
    Thanks
    Jason

    Jason,
    If the ACL is present on the ASA you can use the "filter-id" radius attribute to reference the acl to the user's session. You can make this work by configuring an authorization profile and tying this in with your authorization policy for vpn users.
    If you want to push an acl then my recommendation is to use the cisco-av-pairs to push the acls since the username is associated with the acl that is applied to the username of the vpn session.
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1763743
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
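    As an added example (not code from the original thread or from Cisco), here is the "merging" Peter's question asks for, together with the attribute form Tarik's reply recommends for pushing an ACL to the ASA: a Python routine that computes a user's effective ACL as the union of the per-role ACLs and renders it as cisco-av-pair `ip:inacl#N=` entries. The group names, addresses and ACEs are constructed; the convention that a role ACL contains only permits plus a trailing deny is an assumption, explained in the code.

```python
"""Compute a VPN user's effective ACL as the union of per-role ACLs and
render it as ASA cisco-av-pair attributes (ip:inacl#N=...).

Added example for this thread; group names, addresses and ACEs below are
constructed, not taken from any real deployment."""
from typing import Dict, Iterable, List

# Hypothetical role ACLs, one per LDAP security group. Each is written as
# "permits, then a trailing deny any" (assumption; see merge_role_acls).
ROLE_ACLS: Dict[str, List[str]] = {
    "GroupA": [
        "permit tcp any host 10.10.1.10 eq 443",
        "permit tcp any host 10.10.1.11 eq 22",
        "deny ip any any",
    ],
    "GroupB": [
        "permit tcp any host 10.10.1.10 eq 443",   # overlaps with GroupA
        "permit udp any host 10.10.2.53 eq 53",
        "deny ip any any",
    ],
}

FINAL_DENY = "deny ip any any"


def normalize(ace: str) -> str:
    """Collapse whitespace and case so identical ACEs from different roles dedupe."""
    return " ".join(ace.split()).lower()


def merge_role_acls(groups: Iterable[str], role_acls: Dict[str, List[str]]) -> List[str]:
    """Union semantics: a flow is permitted if ANY of the user's roles permits it.

    IOS/ASA ACLs are first-match, so an explicit deny in the middle of one
    role's ACL would shadow permits contributed by another role once the
    lists are concatenated. The merge therefore accepts only permit entries
    plus a trailing "deny ip any any", and rejects anything else.
    """
    merged: List[str] = []
    seen = set()
    for group in groups:
        aces = [normalize(a) for a in role_acls.get(group, [])]  # unknown group adds nothing
        for idx, ace in enumerate(aces):
            if ace.startswith("deny"):
                if ace == FINAL_DENY and idx == len(aces) - 1:
                    continue  # each role's own trailing deny is replaced by one shared deny
                raise ValueError(f"{group}: explicit deny {ace!r} not allowed in an additive role ACL")
            if ace not in seen:
                seen.add(ace)
                merged.append(ace)
    merged.append(FINAL_DENY)
    return merged


def to_cisco_av_pairs(acl: List[str]) -> List[str]:
    """ASA downloadable-ACL form: one cisco-av-pair per ACE, numbered from 1."""
    return [f"ip:inacl#{n}={ace}" for n, ace in enumerate(acl, start=1)]


if __name__ == "__main__":
    user_groups = ["GroupA", "GroupB"]  # e.g. the memberOf values returned by LDAP
    for line in to_cisco_av_pairs(merge_role_acls(user_groups, ROLE_ACLS)):
        print(line)
```

    The filter-id alternative in the reply references an ACL that must already exist on the ASA, so every group combination would need its own pre-built ACL; emitting the merged list as cisco-av-pairs avoids that. The catch is the rule the merge enforces: union merging is only correct when each role ACL is purely additive, which is why the function refuses a role ACL with an explicit deny anywhere but the end.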

  • 3850 mobility - - named ACLS From ISE

    Hi all
    I'm in the middle of testing 3850 MC downloadable ACLs. I set it up on ISE and it is working well on a 2960. But as you know,
    when I use a DACL with the WLC (3850), ISE just sends the ACL name, the WLC gets that ACL name and then the ACL takes effect.
    But I think ISE sends an ACL name and the WLC is not applying it... I already double-checked the ACL name... and what?
    So do you have any document for this? Step by step.
    thank you

    Thank you salodh
    OK, not a downloadable ACL on the WLC. I want to know whether ISE gives a named ACL to the WLC and the ACL works on the
    WLC for the wireless client. Am I clear?
    I configured the ACL of the WLC in ISE and also made the same ACL on the WLC, but the ACL didn't work.

  • 3850 controller ACL working with ISE

    Hi all
    I was wondering if anyone can point me to the right direction. I was setting up BYOD access with ISE and Legacy controllers as follows:
    - create rule on ISE with Redirect / Airspace ACL
    - once that rule is hit ISE would send ACL name that needs to be applied on the controller (i.e. NSP-IOS )
    - controller would need to have the same ACL created locally with matching name
    - there are certain rules on old controllers allowing inbound / outbound traffic + denying traffic to be redirected
    now I want to use the same principle with 3850 controller.
    question is -> where do I configure this ACL, globally or under WLAN.... Also, what about direction - inbound / outbound that used to be the case with legacy controllers?

    The ACL should be under the WLAN.

  • Cisco ISE and WLC Access-List Design/Scalability

    Hi,
    I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to them based on the rules on ISE. The problem I seem to be seeing is due to the limitation on the Cisco WLC, which allows only 64 access-list entries. As the setup has only a few SVIs/interfaces and multiple different access-lists are applied to the same interface based on the user groups, I was wondering if there may be a scalable design/approach whereby the access-list entries may scale, besides creating a VLAN for each user group and applying the access-list on the layer 3 interface instead. I have illustrated the setup below for reference:
    User group 1 -- Apply ACL 1 --On Vlan 1 
    User group 2 -- Apply ACL 2 -- On Vlan 1
    User group 3 -- Apply ACL 3 -- On Vlan 1
    The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
    Any suggestion is appreciated.
    Thanks.

    Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
    The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide a better experience when it comes to such issues.
    Overall, I see three ways to overcome your current issue:
    1. Shrink the ACLs by making them less specific
    2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
    3. Use SGT/SGA
    Hope this helps!
    Thank you for rating helpful posts!

  • ACE Issue - while processing merged list

    Hi guys,
    After applying the configuration, errors appeared on the ACE:
    "jul 10 2012 19:44:21 : %ace-1-106028: warning: unknown error X while processing merged list. incomplete rule is currently applied on interface vlan120. configuration on this interface needs to be manually reverted"
    "config application in progress. this command is queued to the system"
    The configuration caused a service break of several network components for no apparent reason. For about 10 minutes it was not possible to perform configuration or a rollback.
    Can you help me?
    Thanks

    Hello Luis,
    Here you have the explanation of the logging message:
    106028
    Error Message    %ACE-1-106028: String Incomplete rule is currently applied on
    interface interface-name.  Manual rollback to a previous access rule configuration
    on this interface is needed.
    Explanation    Possible String values are:
    •WARNING: Access rules memory exhausted while processing component
    •WARNING: Unknown error while processing component
    Possible values for component are
    •Access-list
    •Service-policy
    •Merged list
    For example:
    WARNING: Unknown error while processing service-policy. Incomplete rule is currently applied on interface VLAN100. Manual roll back to a previous access rule configuration on this interface is needed.
    The access control list (ACL) compilation process has run out of memory, which does not allow new ACL entries to be applied to the specified interface. The ACL configuration downloaded in hardware for that interface may not be in a known state because of this failure.
    Recommended Action    The ACL configuration downloaded to the network processors is incomplete. Remove and recreate the affected interface to recover to a known state. If the message is "Access rules memory exhausted," either allocate more memory to that context or remove some of the access group or service policy configuration to reduce the memory usage. If the message is "Unknown error," then there may be an issue with the configuration manager or the ACL merge process.
    In order to make sure of what might have happened, it might be required to replicate the issue and then run some debugs to get more useful data and a #show tech-support
    Also, there are some bugs which are also related to the syslog message which you are reporting.
    Hope this helps.
    Jorge

  • ACE 20 Modular - show tech too large

    Hi
    A client sent me a show tech of this ACE 20, which is inserted into a VSS, but this file is very large; the reason is a command "show acl-merge merged-list vlan 93". Can somebody tell me whether this information is normal or not? I think that it is a possible attack point on the server farm. The service is up on the other ACE20; the symptom is that the VIP of the service cannot be reached.
    `show acl-merge merge vlan 93 in`
    All ACEs in merged list 5 Total:6377 Non-redundant:5608
    Priority:164, Lineno:0, ACE-id:61470 Action:PERMIT, Path-id:0x81/0x0/0x0:6/0[6/]
    Pmap:0x5, Log:FALSE/FALSE[FALSE][FALSE], Interval:0/0[0][0]
    Hash1:0x0 Hash2:0x0
    Generated:TRUE, need-to-add-in-comp:NO_ACT_NEEDED, redundant:FALSE
    Parent:: feature:SECURITY ace-lineno:8 ACL priority:0[G:0,P:0,C:0,ACL:0]
    Parent:: feature:TO CP ace-lineno:2 ACL priority:16779265[G:0,P:1,C:8,ACL:1]
    Feature:SECURITY Policy:1[1][1] sec-level:0x0 Intratype:SKIP
    Feature:TO CP Policy:1[1][1] sec-level:0x0 Intratype:TERMINATE
    Intertype:TERMINATE     
    IP address SRC:0.0.0.0/0.0.0.0 DST:172.23.98.20/255.255.255.255
    Ports SRC:RANGE 8 8 DST:RANGE 0 0       
    Protocol:1
    Hit Count:0 Active:TRUE Timerange:0
    Priority:326, Lineno:0, ACE-id:61471 Action:PERMIT, Path-id:0x81/0x0/0x0:6/0[6/]
    Pmap:0x5, Log:FALSE/FALSE[FALSE][FALSE], Interval:0/0[0][0]
    Hash1:0x0 Hash2:0x0
    Generated:TRUE, need-to-add-in-comp:NO_ACT_NEEDED, redundant:FALSE
    Parent:: feature:SECURITY ace-lineno:8 ACL priority:0[G:0,P:0,C:0,ACL:0]
    Parent:: feature:TO CP ace-lineno:2 ACL priority:16781313[G:0,P:1,C:16,ACL:1]
    Feature:SECURITY Policy:1[1][1] sec-level:0x0 Intratype:SKIP
    Feature:TO CP Policy:1[1][1] sec-level:0x0 Intratype:TERMINATE
    Intertype:TERMINATE     
    IP address SRC:0.0.0.0/0.0.0.0 DST:165.183.93.51/255.255.255.255        
    Ports SRC:RANGE 8 8 DST:RANGE 0 0       
    Protocol:1
    Hit Count:0 Active:TRUE Timerange:0
    Priority:487, Lineno:0, ACE-id:61472 Action:PERMIT, Path-id:0x81/0x0/0x0:6/0[6/]
    Pmap:0x5, Log:FALSE/FALSE[FALSE][FALSE], Interval:0/0[0][0]
    Hash1:0x0 Hash2:0x0
    Generated:TRUE, need-to-add-in-comp:NO_ACT_NEEDED, redundant:FALSE
    Parent:: feature:SECURITY ace-lineno:8 ACL priority:0[G:0,P:0,C:0,ACL:0]
    Parent:: feature:TO CP ace-lineno:2 ACL priority:16783361[G:0,P:1,C:24,ACL:1]
    Feature:SECURITY Policy:1[1][1] sec-level:0x0 Intratype:SKIP
    Feature:TO CP Policy:1[1][1] sec-level:0x0 Intratype:TERMINATE
    Intertype:TERMINATE     
    IP address SRC:0.0.0.0/0.0.0.0 DST:165.183.93.51/255.255.255.255        
    Ports SRC:RANGE 8 8 DST:RANGE 0 0       
    Protocol:1
    Hit Count:0 Active:TRUE Timerange:0
    Priority:647, Lineno:0, ACE-id:61473 Action:PERMIT, Path-id:0x81/0x0/0x0:6/0[6/]
    Pmap:0x5, Log:FALSE/FALSE[FALSE][FALSE], Interval:0/0[0][0]
    Hash1:0x0 Hash2:0x0
    Generated:TRUE, need-to-add-in-comp:NO_ACT_NEEDED, redundant:FALSE
    Parent:: feature:SECURITY ace-lineno:8 ACL priority:0[G:0,P:0,C:0,ACL:0]
    Parent:: feature:TO CP ace-lineno:2 ACL priority:16785409[G:0,P:1,C:32,ACL:1]
    Feature:SECURITY Policy:1[1][1] sec-level:0x0 Intratype:SKIP
    Feature:TO CP Policy:1[1][1] sec-level:0x0 Intratype:TERMINATE
    Intertype:TERMINATE     
    IP address SRC:0.0.0.0/0.0.0.0 DST:165.183.93.61/255.255.255.255        
    Ports SRC:RANGE 8 8 DST:RANGE 0 0       
    Protocol:1
    Hit Count:0 Active:TRUE Timerange:0

    Hi.
    We rebooted the ACE20 and left one context in this module. The services are OK now, but my only doubt is why the show tech-support is so large and shows the output of the command show acl-merge merged-list vlan 93, with a lot of lines.
    I will try to run the command "show tech-support" again and submit it.

  • ACE cli alias configuration

    Is there any possibility to configure a CLI alias on ACE?
    I am wondering, since a "show alias" is possible:
    ACE/Admin# show alias
    CLI alias commands
    ==================
    ACE/Admin#
    but the "normal" alias configuration doesn't work, e.g.:
    ACE/Admin(config)# cli alias name shint show interface
                                  ^
    % invalid command detected at '^' marker.
    I use the following SW:
    Cisco Application Control Software (ACSW)
      loader:    Version 12.2[120]
      system:    Version A2(1.4a) [build 3.0(0)A2(1.4a) adbuild_12:09:43-2009/04/08_/auto/adbu-rel2/rel_a2_1_4_throttle/REL_3_0_0_A2_1_4A]
    thx

    Hi,
    I don't think that ACE supports alias commands.
    Indeed, the show alias command works, but it is a hidden command:
    ACE/Admin# show  a
    aaa          access-list  accounting   acl-merge    arp
    ACE/Admin# show  alias
    CLI alias commands
    ==================
    ACE/Admin#
    also in config mode, no command to configure aliases.
    Looking in the command reference guide, no alias commands either.
    So I don't think you can create alias commands (maybe in the future?)
    I'm running A2(2.2)
    HTH,
    Dario

  • ISE 1.2 and ACL's with multiple ports

    When creating a DACL for my groups I used the Syntax " permit tcp any 192.168.20.0 0.0.0.255 eq 22 443" for one of my acl's inside the DACL and the syntax check validated it. When I pushed it to my groups it also worked but I have heard that this type of multiple port ACL in ISE is not supported. Does anyone know if this is accurate?

    Thanks for the response but it's wrong. Cisco supports stacked ports in 1.2 for wired users. They carried over 1.1 documentation to 1.2 and never updated it. We have it in writing from Cisco TAC.

  • ISE 1.2: Airspace ACL vs DACL

    Can someone please shed some light here:
    I have a 5508 WLC & ISE 1.2.   I configured Guest Access through the use of a Sponsor Portal, and got it working.
    I now want to restrict my Guest users to access the internet only and not the rest of my network.
    Do I do that using a Airspace ACL & an Access List on my WLC or a DACL on my ISE box.
    I'm not sure how to block the users from accessing my internal network, since I have tried both, but neither work.
    Any advice please.

    In ISE, dACLs are only applicable to switches.  They are ineffective with wireless connections.
    An Airespace ACL is the way to go and it looks like you got it working.
    The ACL should be:
    permit Inbound for any to the ISE IPs and permit outbound from ISE to any.
    deny any to 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 inbound (or just to your internal IP space)
    permit any to any  in any direction

  • ISE Airespace ACL WLC problem

    Hello,
    I've configured ISE and WLC to use the guest portal with CWA, but there is a problem with CoA: it doesn't want to apply the Airespace ACL after auth at the guest portal.
    1. At authC page i've configured a wireless MAB to continue if user not found and to use a Internal users as a identity store.
    2. At authZ page i've configured a WEBAUTH as a default rule with the following:
    Access Type = ACCESS_ACCEPT
    cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
    cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    3. I've also configured this ACL at WLC to permit
    permit dns and icmp any-any
    permit any-to-ise-8443
    permit ise-to-any
    This part works fine because I am able to redirect to the guest portal and use my guest login and password to authorize myself. The guest account was previously generated through the sponsor portal and it's working too.
    4. At authC page i've use a wireless dot1x to use Internal users
    5. At authZ page i've use a "if internal users:Guest then GUEST permission" rule
    6. GUEST rule looks like the following:
    Access Type = ACCESS_ACCEPT
    Airespace-ACL-Name = GUEST_INTERNET_ONLY
    7. This ACL is configured on the WLC permitting any except private networks (ISE is also permitted)
    After guest portal auth I see a success message and I am able to ping the internet, but I have no web access to it. It looks like CoA and the Airespace ACL aren't working and I keep using my ACL-WEBAUTH-REDIRECT access-list, and I see a strange error message in the WLC logs:
    *apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".
    I swear my ACL name spelling is correct and both ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC with their counters growing!
    I have no idea what the issue could be...
    Any ideas?
    P.S. see attach for Live authentication log

    Thank you guys for your responses, it's working now!
    The first problem was there:
    Changing IPv4 ACL 'none' (ACL ID 255) ===> 'GUEST_INTERNET_ONLY' (ACL ID 5)
    There are only 3 ACLs on my WLC, so ACL ID 5 is kind of suspicious; after a WLC reload it became ACL ID 1, but the problem was unresolved.
    After that i changed my authZ matching rule to use another authZ profile:
    Access Type = ACCESS_ACCEPT
    Airespace-ACL-Name = PERMIT_ALL_TRAFFIC
    cisco-av-pair = Airespace:Airespace-ACL-Name
    Then i created ACL PERMIT_ALL_TRAFFIC on my WLC with one ACE "permit any any". I also denied access to my private networks at ASA where guest vlan's gateway resides.
    I think the problem was in WLC's GUEST_INTERNET_ONLY ACEs which denied traffic to my private networks.
    Thanks for the help!

  • ISE Authorization PermitAccess - EPM-HOLE-ACL

    Hello,
    I have a 6509 switch that is running 12.2(33) SXI9 code that has a unique issue. When the client connects they are authenticated and match an authorization profile that gives the default PermitAccess.   Unfortunately at this point the client can only access what it is allowed in the ACL-DEFAULT. 
    When I look at the logs I see:
    Mar 27 18:14:02 EDT: %EPM-6-POLICY_APP_SUCCESS: IP aa.cc.dd.ee | MAC 001a.1111.2222 | AuditSessionID AC10FB8A0000007101BDF21B| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME EPM-HOLE-ACL| RESULT SUCCESS
    What is this Named ACL EPM-HOLE-ACL? This ACL is not defined in ISE or the switch.           

    Kyle,
    I do not know what the EPM-HOLE-ACL is but found it a little comical. However, it is true that you have to apply another dACL to override the default ACL which is applied on the port. Keep in mind you will also run into this issue if you decide to (I am basing this off the 2k/3k behavior) set a guest VLAN if the RADIUS server is dead, because of this default ACL the users will not be able to get anywhere outside of that ACL.
    There is a feature enhancement in the works to provide an ACL if the RADIUS server is dead or when authentication fails, etc. However, I think this all ties back into your question: if there isn't a dACL assigned to override the port ACL then this seems to be the behavior.
    Tarik Admani
    *Please rate helpful posts*

  • NEEDED : ISE 1.1.3 Posture configuration and Switch Config (ACL, dACL)

    hello,
    could anyone please post a screen capture of the ISE posture configuration (and remediation)?
    I urgently need a dACL and a redirection ACL that work at least in a mockup lab.
    Authentication and authorization policies not needed.
    posture and remediation policies not needed.
    The issue is about ACLs (I guess)
    Also needed is a valid switch config file, with ACL (if necessary) at the DOT1x ethernet port.
    My IOS is 12.2(55)SE or 12.2(52)SE
    Thank you in advance.
    Best regards.
    V.

    Hi Venkatesh,
    You're the ultimate ISE guru!!
    You're right
    Thanks a lot.
    See screen captures and Sw config below
    aaa new-model
    aaa group server radius ISE
     server 192.168.6.10 auth-port 1812 acct-port 1813
     server 192.168.6.10 auth-port 1645 acct-port 1646
    aaa authentication login default local
    aaa authentication dot1x default group ISE
    aaa authorization network default group ISE
    aaa authorization network auth-list group ISE
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group ISE
    aaa server radius dynamic-author
     client 192.168.6.10 server-key 123456789
    ip dhcp snooping
    ip device tracking
    dot1x system-auth-control
    dot1x critical eapol
    interface FastEthernet1/0/1
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication port-control auto
     authentication periodic
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-POSTURE-REDIRECT
     deny   udp any any eq domain
     deny   udp any host 192.168.6.10 eq 8905
     deny   udp any host 192.168.6.10 eq 8906
     deny   tcp any host 192.168.6.10 eq 8443
     deny   tcp any host 192.168.6.10 eq 8905
     deny   tcp any host 192.168.6.10 eq www
     permit ip any any
    snmp-server community snmp RO
    snmp-server community RO RO
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps mac-notification change move threshold
    snmp-server host 192.168.6.10 public
    snmp-server host 192.168.6.10 version 2c snmp mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789
    radius-server vsa send accounting
    radius-server vsa send authentication
    V.

  • ISE Node Failure & Pre-Auth ACL

    Hi All,
    I would like to know that, what should be the best practice configuration for following points,
    1) Network access for end users/devices if both ISE nodes become unreachable ? how we can make sure that full network access should be granted if both ISE nodes become unavailable.
    2) What is the best practice for pre-auth ACL configuration if IP Phones are also in the network ?
    Here is the port configuration and pre-auth ACL which I am using in my network,
    interface Fa0/1
     switchport access vlan 30
     switchport mode access
     switchport voice vlan 40
     ip access-group ISE-ACL-DEFAULT in
     authentication event fail action authorize vlan 30
     authentication event server dead action authorize vlan 30
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation protect
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 5
    ip access-list extended ISE-ACL-DEFAULT
     remark DHCP
     permit udp any eq bootpc any eq bootps
     remark DNS and Domain Controllers
     permit ip any host 172.22.35.11
     permit ip any host 172.22.35.12
     remark Ping
     permit icmp any any
     remark PXE / TFTP
     permit udp any any eq tftp
     remark Deny All
     deny   ip any any log
    Thanks & Regards,
    Mujeeb

    Hi,
    I am using following configuration on the ports,
    interface Fa0/1
     switchport access vlan 30
     switchport mode access
     switchport voice vlan 40
     ip access-group ISE-ACL-DEFAULT in
     authentication event fail action authorize vlan 30 ----> What would be the behaviour due to this command?
     authentication event server dead action authorize vlan 30 ---> So in case the ISE nodes are unavailable, this port will be in VLAN 30, which is the actual VLAN?
     authentication event server alive action reinitialize ---> This command will re-initialize the authentication process if the ISE nodes become available?
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation protect
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 5
    Since I am using the following ACL on the ports, will the user have network access according to the following ACL in case the ISE nodes are unavailable?
    ip access-list extended ISE-ACL-DEFAULT
     remark DHCP
     permit udp any eq bootpc any eq bootps
     remark DNS and Domain Controllers
     permit ip any host 172.22.35.11
     permit ip any host 172.22.35.12
     remark Ping
     permit icmp any any
     remark PXE / TFTP
     permit udp any any eq tftp
     remark Deny All
     deny   ip any any log
    Thanks

  • The right ACL-POSTURE-REDIRECT in ISE

    I have an issue with ACL-POSTURE-REDIRECT when downloading the NAC agent. I got the right page to download and install the agent from the access switch. However, I got error status-2 when trying to download the agent. The initial ACL was as follows:
    ip access-list extended ACL-POSTURE-REDIRECT
    deny udp any any eq domain
    deny udp any host "ISE_IP" eq 8905
    deny udp any host "ISE_IP" eq 8906
    deny tcp any host "ISE_IP" eq 8443
    deny tcp any host "ISE_IP" eq 8905
    permit ip any any
    Then I modified to be like this
    ip access-list extended ACL-POSTURE-REDIRECT
    deny udp any any eq domain
    deny ip any host "ISE_IP"
    permit ip any any
    The second access list did work for me, but not all the time!! So which access list should I apply?
    Thanks

    This issue applies to user sessions during the client provisioning phase of authentication. Possible cause: the client provisioning resource policy could be missing required settings.
    Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the policy identity group, conditions, and type of agent(s) defined in the policy. (Also ensure whether or not there is any agent profile configured under Policy > Policy Elements > Results > Client Provisioning > Resources > Add > ISE Posture Agent Profile, even a profile with all default values.)
    • Try reauthenticating the client machine by bouncing the port on the access switch
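    Several threads on this page turn on how a first-match ACL is evaluated: the guest "internet only" Airespace ACL (permit ISE first, then deny RFC1918, then permit any), the stacked-port ACE from the "ACLs with multiple ports" thread, and the ACL-POSTURE-REDIRECT lists, where a permit hit means "redirect this flow" rather than "allow it". The following is an added example, not code from Cisco or from any poster: a small Python evaluator for IOS-style ACEs, run against constructed flows. 192.168.6.10 stands in for the ISE node, the Airespace ACL is written in IOS syntax for convenience (on the WLC it is entered as per-entry source/destination/direction objects, and direction is not modelled here), and the sample addresses are invented.

```python
"""First-match evaluator for IOS/WLC-style ACLs. Added example for this page;
addresses are constructed and 192.168.6.10 stands in for the ISE node."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68, "tftp": 69}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sports: Tuple[int, ...]
    dst: ipaddress.IPv4Network
    dports: Tuple[int, ...]
    text: str


def _parse_net(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A', 'A/len' or the IOS 'A wildcard' form."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if "/" in tok:
        return ipaddress.ip_network(tok, strict=False)
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":  # wildcard 0.0.0.0 means "exactly this host"
        return ipaddress.ip_network(tok + "/32")
    # ipaddress treats a mask starting with a zero octet as a hostmask (= IOS wildcard)
    return ipaddress.ip_network(f"{tok}/{wildcard}", strict=False)


def _parse_ports(tokens: List[str]) -> Tuple[int, ...]:
    """Consume an optional 'eq p1 [p2 ...]' clause; stacked ports are allowed."""
    if not tokens or tokens[0] != "eq":
        return ()
    tokens.pop(0)
    ports = []
    while tokens and (tokens[0].isdigit() or tokens[0] in PORT_NAMES):
        tok = tokens.pop(0)
        ports.append(int(tok) if tok.isdigit() else PORT_NAMES[tok])
    return tuple(ports)


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, sports = _parse_net(rest), _parse_ports(rest)
    dst, dports = _parse_net(rest), _parse_ports(rest)  # leftovers such as 'log' are ignored
    return Ace(action, proto, src, sports, dst, dports, line)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def evaluate(acl, proto, src, sport, dst, dport) -> Tuple[str, str]:
    """Return (action, matching ACE text). First match wins; implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sports and sport not in ace.sports:
            continue
        if ace.dports and dport not in ace.dports:
            continue
        return ace.action, ace.text
    return "deny", "<implicit deny>"


def is_redirected(redirect_acl, proto, src, sport, dst, dport) -> bool:
    """url-redirect-acl semantics are inverted: a 'permit' hit means the flow is
    intercepted and redirected, a 'deny' hit means it passes through untouched."""
    return evaluate(redirect_acl, proto, src, sport, dst, dport)[0] == "permit"


# Guest ACL in the order the reply recommends: ISE first, block RFC1918, allow the rest.
GUEST_ACL = parse_acl([
    "permit ip any host 192.168.6.10",
    "permit ip host 192.168.6.10 any",
    "deny ip any 10.0.0.0 0.255.255.255",
    "deny ip any 172.16.0.0 0.15.255.255",
    "deny ip any 192.168.0.0 0.0.255.255",
    "permit ip any any",
])
# Same entries with 'permit ip any any' first: the denies are never reached.
MISORDERED_GUEST_ACL = parse_acl(["permit ip any any"] + [a.text for a in GUEST_ACL[:-1]])

# The ACL-POSTURE-REDIRECT posted in the thread (ISE at 192.168.6.10).
REDIRECT_ACL = parse_acl([
    "deny udp any any eq domain",
    "deny udp any host 192.168.6.10 eq 8905",
    "deny udp any host 192.168.6.10 eq 8906",
    "deny tcp any host 192.168.6.10 eq 8443",
    "deny tcp any host 192.168.6.10 eq 8905",
    "deny tcp any host 192.168.6.10 eq www",
    "permit ip any any",
])

# Stacked-port ACE from the "multiple ports" thread.
STACKED_ACL = parse_acl(["permit tcp any 192.168.20.0 0.0.0.255 eq 22 443"])

if __name__ == "__main__":
    guest = "192.168.50.20"
    for dst, port in [("192.168.6.10", 8443), ("10.1.1.5", 445), ("93.184.216.34", 443)]:
        print(dst, port, evaluate(GUEST_ACL, "tcp", guest, 40000, dst, port),
              "misordered:", evaluate(MISORDERED_GUEST_ACL, "tcp", guest, 40000, dst, port))
    print("DNS redirected?", is_redirected(REDIRECT_ACL, "udp", guest, 5353, "8.8.8.8", 53))
    print("web redirected?", is_redirected(REDIRECT_ACL, "tcp", guest, 40001, "93.184.216.34", 80))
```

    Running it shows why the reply's ordering matters: with the permits to ISE first and the RFC1918 denies before the final permit, a guest reaches ISE and the internet but not 10.1.1.5; move `permit ip any any` to the top and the internal host becomes reachable. For the redirect ACL, DNS and the ISE ports are deliberately denied so they are not intercepted, and only the remaining web traffic hits the permit and gets redirected, which is the behaviour the posture threads rely on.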
