ISE - Wired dACL and pACL

-
1. Switch  port is configured at Low Impact mode, interface ACL PRE-AUTH is configured
Extended IP access list PRE-AUTH
    10 permit udp any any eq ntp
    20 permit udp any eq bootpc any eq bootps (71 matches)
    30 permit udp any any eq domain
    40 permit icmp any any
    50 permit udp any any eq tftp
    60 deny ip any any

interface FastEthernet1/0/3
 description Desktop
 switchport access vlan 7
 switchport mode access
 switchport voice vlan 9
 ip access-group PRE-AUTH in
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 snmp trap mac-notification change added
 dot1x pae authenticator
 spanning-tree portfast
end

2. ISE is configured dACL EMPLOYEE_ACL
remark Denies access to MGMT subnet
deny ip any 192.168.2.0 0.0.0.255

 remark Permit Internet and Corporate Access
permit ip any any

 3. When an user successfully authenticated with 802.1x, dACL is downloaded to the switch.
SW2-P#sh authentication sessions interface f1/0/3
            Interface:  FastEthernet1/0/3
          MAC Address:  4016.7e27.3772
           IP Address:  192.168.7.100
            User-Name:  NSW\employee1
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
              ACS ACL:  xACSACLx-IP-EMPLOYEE_ACL-5e56e2aa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A802060000000C00D91B9B
      Acct Session ID:  0x00000020
               Handle:  0x3B00000C

 Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Authc Success

4. Important: the following command must be configured on the switch
ip device tracking 

if missing this command, "show ip access-list int f1/0/3" has no output. dACL will not apply although it is downloaded.

with this command, note host IP is inserted.
SW2-P#sh ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------
  IP Address     MAC Address   Vlan  Interface                STATE
-----------------------------------------------------------------------
192.168.7.100   4016.7e27.3772  7    FastEthernet1/0/3        ACTIVE

 Total number interfaces enabled: 1
Enabled interfaces:
  Fa1/0/3
SW2-P#sh ip access-list int f1/0/3
     deny ip host 192.168.7.100 192.168.2.0 0.0.0.255
     permit ip host 192.168.7.100 any
SW2-P#

5. When both dACl and pACL applied, dCAL is on the top of pACL, but "show ip access-lsit interface" doesn't display pACL


Comments

Post a Comment

Popular posts from this blog

Firepower FMC and FTD troubleshooting

-
 1. Display real time log on FMC or FTD: pigtail for example: pigtail | grep 192.168.2.20                      pigtail | grep sftunnel 2. Restart communication channel manage_procs.pl run it from  the sensor only, run it from FMC will reset all sensors' channel. This scripts are nice to be used when the FMC and FTD have communication problems like heartbeats are not received, policy deployment is failing or events are not received > expert ************************************************************** NOTICE - Shell access will be deprecated in future releases          and will be replaced with a separate expert mode CLI. ************************************************************** admin@FTD:~$ sudo su Password: root@FTD:/home/admin# manage_procs.pl ****************  Configuration Utility  **************  1   Reconfigure Correlator  2   Reconfigure and flush Correlator  3    Restart Comm. channel  4   Update routes  5   Reset all routes  6   Validate Network  0   Exit *****
Read more

ASA IKEv1 VPN troubleshooting Steps and Tips

-
  1. Phase I proposal mismatch  Run show crypto isakmp sa  Initiator: MM_WAIT_MSG2 Responder: No info  Most likely this is phase1 proposal mismatch, verify IKEv1 policy, other symptoms:   Initiator log: Information Exchange processing failed All configured IKE versions failed to establish the tunnel Initiator debug: Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping Responder log: Error processing payload: Payload ID Responder debug:  All SA proposals found unacceptable 2. IKE version mismatch:  Run  show crypto isakmp sa  no info at both initiator and responder Initiator log: Removing peer from correlator table failed, no match! Reason: User Requested  All configured IKE versions failed to establish the tunnel Initiator debug: Oakley begin quick mode PHASE 1 COMPLETED IKE Initiator sending 1st QM pkt Removing peer from correlator table failed, no match! Session is being torn down. Reason: User Requested Responder log: Tunnel Rejected: Conflicting protocols specified
Read more

Firepower 2100/1100 FTD/ASA initial setup, reimage, upgrade.

-
  Chassis FXOS and FTD share same management IP (default 192.168.45.45) Chassis FXOS (192.168.45.45) and ASA ()use different management IP although on same physical interface. SSH to FXOS/FTD are on FTD CLI prompt, go to FXOS using the  connect fxos  command Console to Chassis is on FXOS CLI prompt, go to FTD using the  connect ftd  command The Firepower 1100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS).  If you run ASA on Firepower 2100, ASA can be in the following modes: Appliance mode (the default after ASA 9.13)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands are available from the FXOS CLI. See the  FXOS troubleshooting guide  for more information. Firepower Chassis Manager is not supported . ciscoasa# connect fxos [admin] Connecting to fxos. Connected
Read more