4028 Views, 6 Helpful, 4 Replies

Cisco ISE 1.2 Checking DACL Syntax

David Pease
Level 1

Greetings,

When we first set up all of the DACLs for our ISE deployment, it was explained to us that the "!" was a replacement for the "remark" entry on the access list, but when I utilize the "Check DACL Syntax", ISE tells me that my statements are improper:

"Line 13 - In "! permit tcp any any eq 80", argument #1 "!" is not valid. Legal option(s):
  permit
  deny
  remark
  no"

It doesn't appear that my DACLs are giving any errors when in use, so is this just an aesthetic error, or do I need to go through and change all of my DACLs to reflect this?

Thank You for any input!


1 Accepted Solution

Accepted Solutions

Jatin Katyal
Cisco Employee

Hello David,

I guess there are many more keywords and formats that "check DACL syntax" doesn't approve but that do work. A customer wanted to use the keyword ESTABLISHED, so I created an ACE and clicked save.

"permit tcp any any established"

It gives me a pop-up stating "syntax check of the DACL content has failed, do you want to submit anyway."

I clicked yes and moved ahead. I then checked the DACL syntax and it says

Line 1 - In "permit tcp any any established", argument #5 "established" is not valid.

 

Finally, I tested this on a dot1x-configured switch, and the output of 'show ip access-list interface <interface-id>' shows it in the downloaded access-list. Even though the syntax was not approved by ISE, we still managed to download it to the switch.

 

In your case, if you are using remarks with dot1x and MAB, please keep a watch on this defect:

CSCuj35704    Remark in DACL causing dot1x and MAB authorization failure

 

Regards,

Jatin Katyal

**Do rate helpful posts**

 

~Jatin


4 Replies

Saurav Lodh
Level 7

It is an incorrect format for ISE; please refer to the correct format at

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_authz_polprfls.html#wp1231465

Salodh, 

 

While I appreciate that you took the time to reply to me, your response does not actually address my question, and the link you provided does not discuss the "Remark" command at all.

 

Please feel free to re-read my question, and provide additional assistance if you are able.
Thank You.
While IOS allows the use of the ! character instead of "remark", ISE does not, and as a result you get the warning message you're seeing.

Javier Henderson

Cisco Systems
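The error message quoted in the question names the only first tokens the ISE 1.2 syntax check accepts (permit, deny, remark, no). As an added example, not code from the thread or from Cisco, the helper below applies that one rule to a DACL before it is pasted into ISE, and rewrites IOS-style "!" comment lines either to "remark" form or, given the defect cited in the accepted answer, strips them out. Function names and the sample DACL are constructed for this example.

```python
# Added example (not from the thread or from Cisco). The legal-option list is taken from
# the ISE error message quoted in the question; everything else here is constructed.
LEGAL_FIRST_TOKENS = ("permit", "deny", "remark", "no")


def lint_dacl(text):
    """Return [(line_number, message)] for ACEs whose first token ISE would reject."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        first = line.split()[0]
        if first not in LEGAL_FIRST_TOKENS:
            legal = ", ".join(LEGAL_FIRST_TOKENS)
            problems.append(
                (lineno, f'In "{line}", argument #1 "{first}" is not valid. Legal option(s): {legal}')
            )
    return problems


def rewrite_dacl(text, mode="remark"):
    """Convert IOS-style "!" comment lines so the DACL passes the first-token check.

    mode="remark": "! text" becomes "remark text"; an empty "!" line is dropped.
    mode="strip":  every comment line is dropped, so the downloaded ACL carries no
                   remark at all (sidesteps the remark-in-DACL defect cited above).
    """
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            comment = line[1:].strip()
            if mode == "remark" and comment:
                out.append(f"remark {comment}")
            continue  # comment handled (or stripped); never emit a bare "!"
        out.append(line)
    return "\n".join(out)


# Constructed sample: a DACL written the way the question describes, with "!" comments.
SAMPLE_DACL = """! allow web
permit tcp any any eq 80
! everything else
deny ip any any"""

if __name__ == "__main__":
    for lineno, msg in lint_dacl(SAMPLE_DACL):
        print(f"Line {lineno} - {msg}")
    print(rewrite_dacl(SAMPLE_DACL))
```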
