Cisco ISE - CWA Redirect

Gary Higgs
Level 1

Why do the ISE nodes need to be defined in the web authentication redirect ACL that is configured locally on the switch?

All the documentation that I've found states this. I've set up my 2-year-old ISE environment this way and was advised in the beginning to do so. But after thinking the whole authentication process through and then testing out my theories, I don't understand why the ISE nodes need to be defined in the switch redirect ACL. I am now testing with a simple "redirect www & 443" ACL and it is working as expected.

The client connects to the network and, for our environment, is requested to do dot1x until that times out, and then it shifts to MAB. At that point, I do not have an authz rule defined for my test machine and therefore it matches my catch-all authz rule of CWA, which sends a CWA dACL. The switch lays the ACLs on the interface in this order: 1. Redirect 2. dACL 3. pACL. In my dACL I have access to the ISE nodes allowed (just to be safe) and the redirection still works because my test machine is not sending any www/443 traffic to the ISE nodes that I'm aware of (CWA is 8443).

Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes and therefore why they need to be defined in the CWA redirect ACL local to the switch?

26 Replies

I have always seen it rebuild the ACL as rACL>dACL>pACL while the switchport is in CWA state.

If you say the rACL is hit first, then what is the use of the dACL on the switch port?

The rACL is what provides the redirect statements in the ACL. Technically, you could put everything in your rACL as deny statements but it doesn't scale well because you have to place it on every switch in your environment whereas if you put it in ISE then it's centrally located/configured. Please test the process out if you have the chance, I promise you this is how it works & why I'm asking this question.

Thanks Gary, I will definitely test this out. It was a great discussion. I really appreciate your way of clarifying things.

Thank you for the responses. Our discussion has brought up two more questions for me that I plan on testing when I get a chance.

1. Why do I even need the pACL if I'm only saying "permit ip any any"?

2. Is it possible to place my redirect statements at the beginning of my ISE dACL and eliminate it from the switch config completely? This would allow me to centrally control the ACL via ISE.

Prior to software version 12.2(55)SE on DSBU switches, a port ACL is required for dynamic ACLs from a RADIUS AAA server to be applied. Failure to have a default ACL will result in assigned dACLs being ignored by the switch. With 12.2(55)SE a default ACL will be automatically generated and applied. An ACL must be configured to prepend dACLs from the AAA server.

Hi Gary,

Please find the attached slide from Cisco supporting my above statement that the traffic must first be allowed in the dACL or port ACL (if a dACL is not configured; the dACL is optional and is configured only if you want to restrict access on the switch port based on the user authenticating to the network, i.e. per user), and only then will it hit the redirect ACL.

Hope that will clear the confusion on which ACL got hit first.

The slide doesn't state which ACL gets hit first, but yes, I agree that the static pACL is the first ACL to go into effect, and I've stated that before. I don't know how else to explain this, because part of my frustration is that the documentation all along has been inaccurate/inadequate and it's created a false understanding of what is actually happening at each stage. Again, I promise that when a port first goes live the pACL is used, and when the port goes into "redirect/CWA" state a new ACL gets applied that consists of the rACL>dACL>pACL.

Take a Windows laptop, disable dot1x on it, log into your switch with another laptop, and then plug your first laptop into a switchport and watch the process. The pACL will be used until dot1x fails, and when the port transitions to the CWA state a new ACL will be applied to that port that consists of the rACL statements, then the dACL statements, and then the original pACL statements.
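To make the ordering described above concrete, here is a small model of how a flow is evaluated against the merged rACL > dACL > pACL. This is an added example, not code from the thread or from Cisco; the addresses, ports and ACL contents are constructed, and it assumes the usual redirect-ACL semantics (a "permit" entry redirects the flow, a "deny" entry exempts it and lets it fall through to the filtering ACLs). It also shows what the model says happens if the client ever did send port 443 traffic to an ISE node with the simple "www & 443" rACL, which is the case the deny entries in the documented rACL guard against.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol) or "tcp"
    dst: str               # destination CIDR, or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport

def evaluate(racl: List[Ace], dacl: List[Ace], pacl: List[Ace],
             proto: str, dst_ip: str, dport: int) -> str:
    """Walk the merged rACL > dACL > pACL and return 'redirect', 'permit' or 'drop'."""
    for ace in racl:                     # redirect ACL: permit = redirect, deny = exempt
        if ace.matches(proto, dst_ip, dport):
            if ace.action == "permit":
                return "redirect"
            break                        # explicit deny: exempt, fall through to dACL/pACL
    for ace in dacl + pacl:              # ordinary filtering ACLs, first match wins
        if ace.matches(proto, dst_ip, dport):
            return "permit" if ace.action == "permit" else "drop"
    return "drop"                        # implicit deny at the end of the merged ACL

# Constructed addresses (RFC 5737 test ranges), not taken from the thread.
ISE_NODES = "192.0.2.0/29"
RACL_SIMPLE = [Ace("permit", "tcp", "any", 80), Ace("permit", "tcp", "any", 443)]
RACL_DOCUMENTED = [Ace("deny", "ip", ISE_NODES)] + RACL_SIMPLE   # ISE nodes exempted first
DACL = [Ace("permit", "ip", ISE_NODES)]          # CWA dACL allowing the ISE nodes
PACL = [Ace("permit", "ip", "any")]              # static port ACL "permit ip any any"

if __name__ == "__main__":
    for racl, name in ((RACL_SIMPLE, "simple"), (RACL_DOCUMENTED, "documented")):
        print(name, "ISE:8443 ->", evaluate(racl, DACL, PACL, "tcp", "192.0.2.2", 8443))
        print(name, "ISE:443  ->", evaluate(racl, DACL, PACL, "tcp", "192.0.2.2", 443))
        print(name, "web:80   ->", evaluate(racl, DACL, PACL, "tcp", "198.51.100.5", 80))
```

With the simple rACL, portal traffic to ISE on 8443 is never redirected because it matches no rACL entry, which matches what Gary observed; only a client flow to an ISE node on 80/443 would differ between the two rACLs.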

I accidentally clicked the "correct answer" button when trying to click on the attachment. Not sure how to undo the mistake.

Poonam,

Attached is a word document showing the outputs from my 6500 switch while a switchport is transitioning from dot1x over to mab and in "CWA" state. I had to omit several items (IPs, etc) but I tried to provide some explanation. Please let me know your thoughts.

Gary,

I have not worked on 6500 switches. I have also never used this tcam command. I will study how the tcam command displays interface ACL hits and will let you know my analysis, as in some document I saw the first entry is deny ip any any in the output and still a hit in another ACE. See the link.

Hi Gary and Poonam,


I am getting an Outlook security alert message when my system is trying to do posture assessment. I was going through your conversation and found that we can modify the redirect ACL to allow other traffic. I have a redirect ACL on my switch but not a port ACL on my switchport. Is it necessary to have a switchport ACL on the latest software version of the switch?


Thanks

Ashish  
