1. The switch port is configured in Low Impact mode, with the pre-authentication interface ACL PRE-AUTH applied:
Extended IP access list PRE-AUTH
10 permit udp any any eq ntp
20 permit udp any eq bootpc any eq bootps (71 matches)
30 permit udp any any eq domain
40 permit icmp any any
50 permit udp any any eq tftp
60 deny ip any any
interface FastEthernet1/0/3
description Desktop
switchport access vlan 7
switchport mode access
switchport voice vlan 9
ip access-group PRE-AUTH in
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
dot1x pae authenticator
spanning-tree portfast
end
2. ISE is configured with the dACL EMPLOYEE_ACL:
remark Denies access to MGMT subnet
deny ip any 192.168.2.0 0.0.0.255
remark Permit Internet and Corporate Access
permit ip any any
3. When a user successfully authenticates with 802.1X, the dACL is downloaded to the switch:
SW2-P#sh authentication sessions interface f1/0/3
Interface: FastEthernet1/0/3
MAC Address: 4016.7e27.3772
IP Address: 192.168.7.100
User-Name: NSW\employee1
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-EMPLOYEE_ACL-5e56e2aa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A802060000000C00D91B9B
Acct Session ID: 0x00000020
Handle: 0x3B00000C
Runnable methods list:
Method State
mab Failed over
dot1x Authc Success
4. Important: the following command must be configured on the switch:
ip device tracking
If this command is missing, "show ip access-list int f1/0/3" produces no output and the dACL is not applied even though it has been downloaded, because the switch needs the tracked host IP to build the per-host entries. With the command present, note that the host IP is inserted into the ACEs:
SW2-P#sh ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
-----------------------------------------------------------------------
192.168.7.100 4016.7e27.3772 7 FastEthernet1/0/3 ACTIVE
Total number interfaces enabled: 1
Enabled interfaces:
Fa1/0/3
SW2-P#sh ip access-list int f1/0/3
deny ip host 192.168.7.100 192.168.2.0 0.0.0.255
permit ip host 192.168.7.100 any
SW2-P#
5. When both a dACL and a pACL are applied, the dACL entries sit above the pACL entries, but "show ip access-list interface" does not display the pACL.
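As an added illustration of steps 4 and 5 (this is my own example code, not part of the original post and not Cisco's implementation), the following Python model renders the downloaded dACL the way "show ip access-list interface" prints it, by substituting the tracked host IP for the source "any", and then evaluates sample packets against the rendered dACL stacked above the PRE-AUTH pACL. The substitution and ordering behaviour is an assumption drawn from the outputs on the page; the port-name-to-number map and the sample packets are constructed for the example.

```python
# Added example (not from the original post): a model of how the switch turns the
# downloaded dACL into per-host ACEs once IP device tracking knows the host's IP,
# and of the dACL-above-pACL ordering described in step 5.
# Assumptions (mine, not Cisco documentation): the source 'any' of each dACL ACE
# becomes 'host <tracked IP>', those ACEs are evaluated before the port ACL, and a
# host with no tracking entry gets no rendered ACEs at all.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port keywords used in the ACLs on the page, mapped to their UDP port numbers.
PORT_NAMES = {"ntp": 123, "bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69}

# The two ACLs as they appear on the page (sequence numbers and hit counts stripped).
PRE_AUTH = [
    "permit udp any any eq ntp",
    "permit udp any eq bootpc any eq bootps",
    "permit udp any any eq domain",
    "permit icmp any any",
    "permit udp any any eq tftp",
    "deny ip any any",
]
EMPLOYEE_ACL = [
    "remark Denies access to MGMT subnet",
    "deny ip any 192.168.2.0 0.0.0.255",
    "remark Permit Internet and Corporate Access",
    "permit ip any any",
]


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    src_port: Optional[int]      # None matches any port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


@dataclass
class Packet:                    # constructed sample traffic, not captured data
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _network(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) in place of a prefix length
    return ipaddress.IPv4Network(tokens[i] + "/" + tokens[i + 1]), i + 2


def _port(tokens: List[str], i: int):
    """Parse an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one ACE line of the form '<action> <proto> <src> [eq p] <dst> [eq p]'; remarks yield None."""
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    src, i = _network(tokens, 2)
    src_port, i = _port(tokens, i)
    dst, i = _network(tokens, i)
    dst_port, i = _port(tokens, i)
    return Ace(tokens[0], tokens[1], src, src_port, dst, dst_port)


def render_dacl(dacl: List[str], tracked_ip: Optional[str]) -> List[str]:
    """Per-host ACEs as 'show ip access-list interface' prints them: the source 'any'
    becomes the tracked host. No tracking entry means no output (step 4)."""
    if tracked_ip is None:
        return []
    rendered = []
    for line in dacl:
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        if tokens[2] == "any":                  # tokens[2] is the source field
            tokens[2:3] = ["host", tracked_ip]
        rendered.append(" ".join(tokens))
    return rendered


def matches(ace: Ace, pkt: Packet) -> bool:
    """True when the packet hits this ACE (protocol, addresses and optional ports)."""
    return (
        ace.proto in ("ip", pkt.proto)
        and ipaddress.IPv4Address(pkt.src) in ace.src
        and ipaddress.IPv4Address(pkt.dst) in ace.dst
        and ace.src_port in (None, pkt.src_port)
        and ace.dst_port in (None, pkt.dst_port)
    )


def decide(pacl: List[str], dacl: List[str], tracked_ip: Optional[str], pkt: Packet) -> str:
    """First-match evaluation of the rendered dACL stacked above the pACL (step 5),
    falling through to the implicit deny at the end of every IOS ACL."""
    aces = [a for a in map(parse_ace, render_dacl(dacl, tracked_ip) + pacl) if a]
    for ace in aces:
        if matches(ace, pkt):
            return ace.action
    return "deny"


if __name__ == "__main__":
    host = "192.168.7.100"   # the ACTIVE entry from 'show ip device tracking all'
    mgmt = Packet("tcp", host, "192.168.2.10", 51000, 22)
    web = Packet("tcp", host, "203.0.113.5", 51001, 443)
    for ip in (host, None):  # with and without the device-tracking entry
        print("tracking entry:", ip, "rendered dACL:", render_dacl(EMPLOYEE_ACL, ip))
        print("  to MGMT:", decide(PRE_AUTH, EMPLOYEE_ACL, ip, mgmt),
              " to web:", decide(PRE_AUTH, EMPLOYEE_ACL, ip, web))
```

With the tracking entry present the two rendered lines are exactly the ones "show ip access-list int f1/0/3" shows on the page, and the MGMT packet is dropped while the web packet passes; with no entry the rendered list is empty and the same web packet falls through to the pACL's "deny ip any any", which is the symptom step 4 warns about.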