dACL does not get downloaded to Cisco Switch from ISE

Imran Ahmad
Level 2

Hello,

I have a Cisco switch with IOS: c3550-ipbasek9-mz.122-44.SE6.bin

I am trying to push a dACL from my ISE device to the switch, but it is not getting applied to the switch. Dynamic VLAN assignment works fine, but the dACL does not apply.

Any instructions, please?

9 Replies

Jatin Katyal
Cisco Employee

So you're saying that it's not even downloaded to the switch.

Please make sure that the dACLs are correctly configured in ISE; please refer to the configuration guide, just to be sure:

Downloadable ACLs

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_authz_polprfls.html#wp1219887

Next, get the following debugs from the switch:

debug radius

debug dot1x all

Please send the detailed logs of an authentication instance that should have downloaded the dACL, by going through

Operations > Reports > Catalog > AAA protocol > RADIUS Authentication (by clicking the magnifying glass, details for a particular log can be shown).

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

ISE is properly configured for dACL; I think there is some compatibility issue with the Cisco switch IOS.

Following is the debug output:

06:36:43: dot1x-packet:Received an EAP packet on interface FastEthernet0/11
06:36:43: EAPOL pak dump rx
06:36:43: EAPOL Version: 0x1  type: 0x0  length: 0x0006
06:36:43: dot1x-packet:Received an EAP packet on the FastEthernet0/11 from mac 0019.b981.e812
06:36:43: dot1x-sm:Posting EAPOL_EAP on Client=1D68028
06:36:43:     dot1x_auth_bend Fa0/11: during state auth_bend_request, got event 6(eapolEap)
06:36:43: @@@ dot1x_auth_bend Fa0/11: auth_bend_request -> auth_bend_response
06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_enter called
06:36:43: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0019.b981.e812
06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_response_action called
06:36:43: RADIUS/ENCODE(00000049):Orig. component type = DOT1X
06:36:43: RADIUS(00000049): Config NAS IP: 192.168.2.250

06:36:43: RADIUS/ENCODE(00000049): acct_session_id: 73
06:36:43: RADIUS(00000049): sending
06:36:43: RADIUS(00000049): Send Access-Request to 192.168.2.231:1812 id 1645/99, len 267
06:36:43: RADIUS:  authenticator 5B 61 1D 64 D3 D5 9F AD - 23 E0 11 11 B3 C3 5C 81
06:36:43: RADIUS:  User-Name           [1]   6   "test"
06:36:43: RADIUS:  Service-Type        [6]   6   Framed                    [2]
06:36:43: RADIUS:  Framed-MTU          [12]  6   1500
06:36:43: RADIUS:  Called-Station-Id   [30]  19  "00-11-5C-6E-5E-0B"
06:36:43: RADIUS:  Calling-Station-Id  [31]  19  "00-19-B9-81-E8-12"
06:36:43: RADIUS:  EAP-Message         [79]  8
06:36:43: RADIUS:   02 7A 00 06 0D 00                 [ z]
06:36:43: RADIUS:  Message-Authenticato[80]  18
06:36:43: RADIUS:   A6 AB 5A CA ED B8 B4 1E 36 00 9D AB 1A F6 B9 E0                [ Z6]
06:36:43: RADIUS:  Vendor, Cisco       [26]  49
06:36:43: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A802FA0000006F016B36D8"
06:36:43: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
06:36:43: RADIUS:  NAS-Port            [5]   6   50011
06:36:43: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/11"
06:36:43: RADIUS:  State               [24]  80
06:36:43: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
06:36:43: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
06:36:43: RADIUS:   31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F  [16B36D8;35Sessio]
06:36:43: RADIUS:   6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31  [nID=ise-server-1]
06:36:43: RADIUS:   2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B    [ /171025988/24;]
06:36:43: RADIUS:  NAS-IP-Address      [4]   6   192.168.2.250
06:36:43: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
06:36:43: RADIUS: Received from id 1645/99 192.168.2.231:1812, Access-Challenge, len 1134
06:36:43: RADIUS:  authenticator 78 36 A3 38 30 1C F0 7A - 19 83 93 81 B4 6B FF 9E
06:36:43: RADIUS:  State               [24]  80
06:36:43: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
06:36:43: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
06:36:43: RADIUS:   31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F  [16B36D8;35Sessio]
06:36:43: RADIUS:   6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31  [nID=ise-server-1]
06:36:43: RADIUS:   2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B    [ /171025988/24;]
06:36:43: RADIUS:  EAP-Message         [79]  255

06:36:43: RADIUS:   4D 5D 13 47 FC 46 16 EE 62 76 40 09 77 48 31 B6 01 6B 5E 52 33 56 A2 1E 34  [M]GFbv@wH1k^R3V4]
06:36:43: RADIUS:   02 32 39 FA 4D CA 79 18 4A 42 A2 4E 5C BD AE 29 D2 3D D1 5A FC C2 ED 3E E5 FB C6 B8 D8 DE A8 75 EB 3A A5 7D 02 03 01 00 01 A3 81 CD 30  [29MyJBN\)=Z>u:}0]
06:36:43: RADIUS:   81 CA 30 0B 06 03 55 1D 0F 04 04 03 02 01 86 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 1D 06 03 55 1D 0E 04 16 04 14 C4 56 80 A7 C9 18 50 92 EE CC 91 D4 E1 EC DB AD E7 1E 70 A8 30 79 06 03 55 1D 1F 04 72 30 70  [0U0U00UVPp0yUr0p]
06:36:43: RADIUS:   30 6E A0 6C A0 6A 86 32 68 74 74 70 3A 2F 2F 73 79 73 6C  [0nlj2http://sysl]
06:36:43: RADIUS:   6F 67 2D 73 65 72 76 65 72 2F 43 65 72 74 45 6E  [og-server/CertEn]
06:36:43: RADIUS:   72 6F 6C 6C 2F 46 4D 46 42 5F 54 72 75 73 74 65  [roll/FMFB_Truste]
06:36:43: RADIUS:   64 43 41 2E 63 72 6C 86 34 66 69 6C 65 3A 2F 2F 5C  [dCA.crl4file://\]
06:36:43: RADIUS:   5C 73 79 73 6C 6F 67 2D 73 65 72 76 65 72 5C 43  [\syslog-server\C]
06:36:43: RADIUS:   65 72 74 45 6E 72 6F 6C 6C 5C 46 4D 46 42 5F 54  [ertEnroll\FMFB_T]
06:36:43: RADIUS:   72 75 73 74 65 64 43 41 2E         [ rustedCA.]
06:36:43: RADIUS:  EAP-Message         [79]  251
06:36:43: RADIUS:   63 72 6C 30 10 06 09 2B 06 01 04 01 82 37 15 01 04 03 02 01 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 01 01 00 63 BA F8 CE D5 8B 0E 94 77 AE 86 6C 37 AB 2F 36 9A B2 85 D5 4A  [crl0+70*Hcwl7/6J]
06:36:43: RADIUS:   74 8C 33 F5 93 06 A6 57 8D 39 56 8F 02 08 97 CB C6 08 70 8C 22 1E 5D 1F A8 26 6D 60 1F 05 62 D1 24 AB 03 8C 41 F8 1C F1 F8 C2 87 8B 97 02 71 FC 6A  [t3W9Vp"]&m`b$Aqj]
06:36:43: RADIUS:   EB 12 FC DD 8C 5C 9C 2D AF D2 C4 1C 18 1B 40 BE 78 B0 54 55 59 89 03 1B B7 FB 91 85 EE CA C0 18 1C 78 5D 4D BA FA 9E 44 D3 45 53 A3 BE 46 8A FB 81 BD F1 4C B3 3B  [\-@xTUYx]MDESFL;]
06:36:43: RADIUS:   D6 66 7E 5B 79 9F 83 53 5E 49 92 B5 7F E5 1A E2 86 8C 83 96 7D 75 A5 1D 08 4E 32 C3 5E EC BF 28 53 EC 53 8A C3 E0 36  [f~[yS^I}uN2^(SS6]
06:36:43: RADIUS:   82 EE AA 0D 38 3E BA 9C 1D D9 24 BD 48 A6 EE 44 BD 95 68 85 CA 8C 44 F8 E8 A2 FB 94 BC 6F 7C F2 06 91 6C A0 A6 BB 7B 7F 56 BD 15 32 A4     [ 8>$HDhDo|l{V2]
06:36:43: RADIUS:  Message-Authenticato[80]  18
06:36:43: RADIUS:   DD 82 F7 10 3F C7 B5 62 9B 2A BB 24 16 A7 59 33            [ ?b*$Y3]
06:36:44: RADIUS(00000049): Received from id 1645/99
06:36:44: RADIUS/DECODE: EAP-Message fragments, 253+253+253+249, total 1008 bytes
06:36:44: dot1x-packet:Received an EAP request packet from EAP for mac 0019.b981.e812
06:36:44: dot1x-sm:Posting EAP_REQ on Client=1D68028
06:36:44:     dot1x_auth_bend Fa0/11: during state auth_bend_response, got event 7(eapReq)
06:36:44: @@@ dot1x_auth_bend Fa0/11: auth_bend_response -> auth_bend_request
06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_exit called
06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_enter called
06:36:44: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x7B length: 0x03F0 type: 0xD  data: @Cfui[ab2,Jt1){                                                                                                                              2]g&GZ1pIbu;+Ga;iF"jy#
oohuV.aFZ4_|
P0`At   )B
06:36:44: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
06:36:44: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.

06:36:44: RADIUS:  Message-Authenticato[80]  18
06:36:44: RADIUS:   F5 B0 56 D3 C6 87 BD 10 6E C7 4A 72 5B 5C 60 C5           [ VnJr[\`]
06:36:44: RADIUS:  Vendor, Cisco       [26]  49
06:36:44: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A802FA0000006F016B36D8"
06:36:44: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
06:36:44: RADIUS:  NAS-Port            [5]   6   50011
06:36:44: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/11"
06:36:44: RADIUS:  State               [24]  80
06:36:44: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
06:36:44: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
06:36:45: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
06:36:45: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:45: dot1x-registry:registry:dot1x_ether_macaddr called
06:36:45: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/11
06:36:45: EAPOL pak dump Tx
06:36:45: EAPOL Version: 0x2  type: 0x0  length: 0x0039
06:36:45: EAP code: 0x1  id: 0x7E length: 0x0039 type: 0xD
06:36:45: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (0019.b981.e812)
06:36:45: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_request_action called
06:36:46: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:46: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
06:36:46: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
06:36:46: EAPOL pak dump rx
06:36:46: EAPOL Version: 0x1  type: 0x0  length: 0x0006
06:36:46: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/11 CODE= 2,TYPE= 13,LEN= 6

06:36:46: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/11
06:36:46: dot1x-ev:Received pkt saddr =0019.b981.e812 , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0100.0006
06:36:46: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port  Fa0/11 is TRUE

And I don't get any report on ISE > Operations > Reports > Catalog > AAA protocol > RADIUS Authentication. Authentication succeeds and the VLAN assignment is also properly applied, but the dACL is not downloaded.

Hi, I am having a similar issue with a 5760 Next-Gen WLC. I have configured a dACL with "permit ip any any log" and want to push that to the WLC. From the documentation I have read so far, I assumed that dACLs are supposed to work with the new IOS-XE WLCs, but when looking into the traces I set up I get the following:

[03/25/14 13:57:59.429 UTC 13cfd 212] ACCESS-FEATURE-ACL-ERR: dACL xACSACLx-IP-Client_IT_dACL-52b40fe6 download failed
[03/25/14 13:57:59.547 UTC 13cfe 181] ACCESS-CORE-CAAA-ERR: Notify invalid mb handle
[03/25/14 13:57:59.824 UTC 13cff 22] ACCESS-CORE-CAAA-ERR: Remove session - invalid handle 0x5E000C30
[03/25/14 13:57:59.824 UTC 13d00 22] ACCESS-CORE-CAAA-ERR: Unable to remove wireless session
[03/25/14 13:57:59.824 UTC 13d01 22] ACCESS-CORE-CAAA-ERR: Remove wireless session - invalid handle 0x5E000C30
[03/25/14 13:57:59.824 UTC 13d02 22] ACCESS-CORE-EPM-ERR: Error in Deleting wireless session hdl 0x5E000C30
[03/25/14 13:57:59.824 UTC 13d03 213] ACCESS-CORE-EPM-ERR: NULL feature list for client ctx 930EAE44
[03/25/14 13:57:59.826 UTC 13d04 195] ACCESS-CORE-SM-CLIENT-IPDT-ERR: [a082.1f77.4c10, Ca3] No session for MAC a082.1f77.4c10
[03/25/14 13:58:00.023 UTC 13d05 22] ACCESS-CORE-CAAA-ERR: Remove session - invalid handle 0x65000C24
[03/25/14 13:58:00.023 UTC 13d06 22] ACCESS-CORE-CAAA-ERR: Unable to remove wireless session
[03/25/14 13:58:00.023 UTC 13d07 22] ACCESS-CORE-CAAA-ERR: Remove wireless session - invalid handle 0x65000C24
[03/25/14 13:58:00.023 UTC 13d08 22] ACCESS-CORE-EPM-ERR: Error in Deleting wireless session hdl 0x65000C24
[03/25/14 13:58:00.024 UTC 13d09 213] ACCESS-FEATURE-ACL-ERR: ACL not found in the AVL tree
[03/25/14 13:58:00.025 UTC 13d0a 195] ACCESS-CORE-SM-CLIENT-IPDT-ERR: [6c88.145e.7eac, Ca39] No session for MAC 6c88.145e.7eac
[03/25/14 13:58:00.222 UTC 13d0b 210] ACCESS-CORE-EPM-ERR: No Feature has been registered for attribute username
[03/25/14 13:58:00.222 UTC 13d0c 210] ACCESS-CORE-EPM-ERR: No Feature has been registered for attribute state
[03/25/14 13:58:00.222 UTC 13d0d 210] ACCESS-CORE-EPM-ERR: No Feature has been registered for attribute EAP-session-id
[03/25/14 13:58:00.222 UTC 13d0e 210] ACCESS-CORE-EPM-ERR: No Feature has been registered for attribute MS-MPPE-Send-Key
[03/25/14 13:58:00.222 UTC 13d0f 210] ACCESS-CORE-EPM-ERR: No Feature has been registered for attribute MS-MPPE-Recv-Key
[03/25/14 13:58:00.222 UTC 13d10 212] ACCESS-CORE-EPM-ERR: Received AAA Failed reply for acl download

The WLC is running IOS-XE 3.3.02SE.

Any ideas?

regards,

Patrick Meyer

Yeah, I don't see the ACL getting downloaded to the switch. Can you paste the set of dACLs you have defined?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

I'm trying with the ISE default ACL (DENY_ALL_TRAFFIC); I applied that in my authorization profile, but it is not getting downloaded to my switch.

I think my switch IOS should be changed, but I'm not sure which version of IOS will support dACL.

Are we hitting the right authorization profile on ISE? This can be verified under:

ISE > Operations > Reports > Catalog > AAA protocol > RADIUS. That's what I wanted to see before.

Did this ever work before for you?

Also, in the last set of debugs, I couldn't see the RADIUS Access-Accept packet; it seems we didn't wait long enough before we captured it. Could you please run "debug radius" only and check the Access-Accept packet? Even if there could be an issue with the switch IOS, ISE should push that in the Accept packet.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
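To make the check Jatin asks for repeatable, here is an added example (not code from the thread or from Cisco) that groups "debug radius" lines into packets and reports whether an Access-Accept carries the ACS:CiscoSecure-Defined-ACL AVpair with which ISE names the dACL, and whether the switch then issued the follow-up Access-Request that fetches the ACL contents. The sample debug lines are constructed in the format shown above; the dACL name and lengths in them are assumed values, not taken from the poster's system.

```python
import re

# Line shapes of Cisco IOS "debug radius" output, as seen in this thread.
SEND_RE = re.compile(r"RADIUS\(\w+\): Send (Access-Request) to \S+ id ([^,]+),")
RECV_RE = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-\w+)")
ATTR_RE = re.compile(r'RADIUS:\s+(?:Cisco AVpair|User-Name)\s+\[\d+\]\s+\d+\s+"([^"]+)"')
# ISE names a dACL in the Access-Accept with this Cisco AVpair prefix.
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="


def parse_packets(lines):
    """Group debug lines into packets: [{'kind', 'id', 'attrs'}, ...]."""
    packets = []
    for line in lines:
        m = SEND_RE.search(line)
        if m:
            packets.append({"kind": m.group(1), "id": m.group(2), "attrs": []})
            continue
        m = RECV_RE.search(line)
        if m:
            packets.append({"kind": m.group(2), "id": m.group(1), "attrs": []})
            continue
        m = ATTR_RE.search(line)
        if m and packets:  # User-Name / Cisco AVpair values of the current packet
            packets[-1]["attrs"].append(m.group(1))
    return packets


def check_dacl(lines):
    """Return (dacl_name or None, download_requested).

    None: the Accept never named a dACL, so look at the ISE authorization
    profile. A name but no download: the switch ignored it, so look at the
    switch (IOS feature support)."""
    packets = parse_packets(lines)
    dacl = None
    for p in packets:
        if p["kind"] == "Access-Accept":
            for attr in p["attrs"]:
                if attr.startswith(DACL_PREFIX):
                    dacl = attr[len(DACL_PREFIX):]
    # The switch fetches the ACL body with a second Access-Request whose
    # User-Name is the dACL name from the Accept.
    downloaded = bool(dacl) and any(
        p["kind"] == "Access-Request" and dacl in p["attrs"] for p in packets)
    return dacl, downloaded


# Constructed sample (not from the thread): Accept names the dACL, switch fetches it.
SAMPLE = """\
06:36:43: RADIUS(00000049): Send Access-Request to 192.168.2.231:1812 id 1645/99, len 267
06:36:43: RADIUS:  User-Name           [1]   6   "test"
06:36:47: RADIUS: Received from id 1645/99 192.168.2.231:1812, Access-Accept, len 211
06:36:47: RADIUS:  Vendor, Cisco       [26]  73
06:36:47: RADIUS:   Cisco AVpair       [1]   67  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-DENY_ALL_TRAFFIC-52b40fe6"
06:36:47: RADIUS(00000050): Send Access-Request to 192.168.2.231:1812 id 1645/100, len 158
06:36:47: RADIUS:  User-Name           [1]   39  "#ACSACL#-IP-DENY_ALL_TRAFFIC-52b40fe6"
""".splitlines()
```

Running check_dacl on SAMPLE[:3] (the Accept without the AVpair) returns (None, False), which is what an authorization profile that never sent the dACL looks like.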

Yes, surely the right authorization profile is hit; I can also see it in the reports, and that is why the right VLAN is assigned to the switch port. Only the dACL is not applied.

Have you tried updating your IOS on the 3550? I recall having the same sort of problems until I updated the IOS.