Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

CWA on ISE and switches

I was able to configure the CWA on the switch and Cisco ISE. It is working as expected. I followed the guide on the link bellow.

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml

I only have one question. I try to understand why ACL must be configured on the port on the switch. Guide uses ACL with name webauth which permit all traffic. If port is authorized it receives dACL from ISE, otherwise port is in unauthorize state and denies all traffic.

interface GigabitEthernet1/0/12
description ISE1 - dot1x clients - UCS Eth0
switchport access vlan 100
switchport mode access
ip access-group webauth in
authentication order mab
authentication priority mab
authentication port-control auto
mab
spanning-tree portfast
end

ip access-list extended webauth
permit ip any any
5 REPLIES
New Member

CWA on ISE and switches

Hi,

If I remember well, older IOS versions do not apply a dACL on port if there is none already configured (locally).

New Member

CWA on ISE and switches

Thank you for the answer.

It must be this because I tested this solution with and without access-list on the port and the result was always the same.

BR

Cisco Employee

CWA on ISE and switches

Hi Uros

ACL is used to determine which traffic should be bridged by default from unauthenticated

endpoints onto the access VLAN. Since you should allow all access first and enforce policy later, you

should apply ACL-ALLOW to permit all traffic through the switch port. You have already created a

default ISE authorization to allow all traffic for now since we want complete visibility and not impact

the existing end user experience yet.

! An ACL must be configured to prepend dACLs from AAA server.

ip access-group ACL-ALLOW in

Note:

"Prior to software versions 12.2(55)SE on DSBU switches, a port ACL is required for dynamic ACLs

from a RADIUS AAA server to be applied. Failure to have a default ACL will result in assigned dACLs

being ignored by the switch. With 12.2(55)SE a default ACL will be automatically generated and

applied".

Bronze

CWA on ISE and switches

Why ACL must be configured on the port on the switch

Question:

I only have one question. I try to understand why ACL must be configured on the port on the switch. Guide uses ACL with name webauth which permit all traffic. If port is authorized it receives dACL from ISE, otherwise port is in unauthorize state and denies all traffic.

What is Web Authentication?

Web authentication is opposed to local web authentication, which is the usual web authentication on the switch itself. In that system, upon dot1x/mab failure, the switch wills failover to the webauth profile and will redirect client traffic to a web page on the switch.

Role of ACL:

The redirectACL sent back with the central webauth profile determines which traffic (HTT or HTTPS) is redirected to the ISE. The downloadable ACL allows you to define what traffic is allowed. You should typically allow for DNS, HTTP(S), and 8443 and deny the rest. Otherwise, the switch redirects HTTP traffic but allows other protocols.

Port ACLs

Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the inbound direction. These access lists are supported:

•Standard IP access lists using source addresses

•Extended IP access lists using source and destination addresses and optional protocol type information

•MAC extended access lists using source and destination MAC addresses and optional protocol type information

The switch examines ACLs associated with all inbound features configured on a given interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way, ACLs control access to a network or to part of a network.  Figure is an example of using port ACLs to control access to a network when all workstations are in the same VLAN. ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.

Figure 31-1 Using ACLs to Control Traffic to a Network

When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.

With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.

For More information, please check

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swacl.html#wp1715468

Cisco Employee

CWA on ISE and switches

Rated Munir and Aqeel answer. You must go through.

367
Views
25
Helpful
5
Replies