
New Member

dACL doesn't apply

For some users I created a dACL:

only_default_router
permit icmp any host 192.168.100.1
permit tcp any host 192.168.100.1
deny ip any any

After the user logged in to Windows I found these logs on the switch:

001867: *Mar 16 22:03:58.196: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c
001868: *Mar 16 22:03:58.204: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit icmp any host 192.168.100.1
001869: *Mar 16 22:03:58.221: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c
001870: *Mar 16 22:03:58.229: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit tcp any host 192.168.100.1
001871: *Mar 16 22:03:58.254: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c
001872: *Mar 16 22:03:58.254: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:deny ip any any
001873: *Mar 16 22:03:58.405: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000c.29d6.02a6) on Interface Gi1/0/2 AuditSessionID C0A8641E00000034511FC4B0
001874: *Mar 16 22:03:58.422: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
001875: *Mar 16 22:03:59.429: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up

But Auth-Default-ACL is applied on the interface, and that is why all traffic is blocked.

And on the interface I found:

ISE-SWITCH#show ip interface gigabitEthernet 1/0/2
GigabitEthernet1/0/2 is up, line protocol is up
  Inbound  access list is Auth-Default-ACL

Why is my dACL not applied?
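As an added illustration (not code from the post or from any of the repliers), the syslog lines and the "show ip interface" output quoted above are embedded as constructed sample input, and a small Python script rebuilds the named ACL the switch programmed from the CFGLOG_LOGGEDCMD entries, confirms the AUTHMGR-5-SUCCESS event, and compares the interface's inbound ACL against the downloaded dACL. The regexes, function names and the report wording are assumptions made for this example; the `xACSACLx-` prefix and the ACL contents come from the post.

```python
import re

# Constructed sample input: the switch log lines quoted in the post.
SYSLOG = """\
001867: *Mar 16 22:03:58.196: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c
001868: *Mar 16 22:03:58.204: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit icmp any host 192.168.100.1
001869: *Mar 16 22:03:58.221: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c
001870: *Mar 16 22:03:58.229: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit tcp any host 192.168.100.1
001871: *Mar 16 22:03:58.254: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c
001872: *Mar 16 22:03:58.254: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:deny ip any any
001873: *Mar 16 22:03:58.405: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000c.29d6.02a6) on Interface Gi1/0/2 AuditSessionID C0A8641E00000034511FC4B0
001874: *Mar 16 22:03:58.422: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
001875: *Mar 16 22:03:59.429: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up
"""

# Constructed sample input: the "show ip interface" output quoted in the post.
SHOW_IP_INTERFACE = """\
GigabitEthernet1/0/2 is up, line protocol is up
  Inbound  access list is Auth-Default-ACL
"""

# The dACL as it was written in ISE (from the post).
INTENDED_DACL = [
    "permit icmp any host 192.168.100.1",
    "permit tcp any host 192.168.100.1",
    "deny ip any any",
]

# Assumed regexes, written for the message formats seen in the post.
CMD_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: .*?logged command:(?P<cmd>.+)$")
AUTHZ_RE = re.compile(
    r"%AUTHMGR-5-SUCCESS: Authorization succeeded for client "
    r"\((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)")
ACL_HDR_RE = re.compile(r"^ip access-list extended (?P<name>\S+)$")
INBOUND_RE = re.compile(r"^\s*Inbound\s+access list is (?P<name>\S+)", re.M)


def parse_downloaded_acls(syslog):
    """Rebuild every named extended ACL the switch programmed, keyed by name.

    The header line is logged again before each entry, so a repeated header
    for the same name simply keeps appending to that ACL.
    """
    acls = {}
    current = None
    for line in syslog.splitlines():
        m = CMD_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        hdr = ACL_HDR_RE.match(cmd)
        if hdr:
            current = hdr.group("name")
            acls.setdefault(current, [])
        elif current is not None:
            acls[current].append(cmd)
    return acls


def parse_authz_success(syslog):
    """Return (mac, interface) for each successful authorization event."""
    return [(m.group("mac"), m.group("intf"))
            for line in syslog.splitlines()
            if (m := AUTHZ_RE.search(line))]


def inbound_acl(show_output):
    """Return the inbound access-list name reported by 'show ip interface'."""
    m = INBOUND_RE.search(show_output)
    return m.group("name") if m else None


def check_dacl(syslog, show_output, intended):
    """Return a list of findings; an empty list means the dACL was downloaded,
    matches what was intended, and is the inbound ACL reported on the port."""
    findings = []
    dacls = {n: e for n, e in parse_downloaded_acls(syslog).items()
             if n.startswith("xACSACLx-")}
    if not dacls:
        return ["no dACL was downloaded (no xACSACLx-* access-list in the log)"]
    for name, entries in dacls.items():
        if entries != intended:
            findings.append(f"{name} differs from the intended ACL: {entries}")
    if not parse_authz_success(syslog):
        findings.append("no AUTHMGR-5-SUCCESS authorization event in the log")
    applied = inbound_acl(show_output)
    if applied is None:
        findings.append("no inbound access list reported on the interface")
    elif applied not in dacls:
        findings.append(
            f"'show ip interface' reports inbound ACL {applied}, not the downloaded "
            f"dACL {', '.join(dacls)}; confirm the per-session ACL with "
            f"'show authentication session interface'")
    return findings


if __name__ == "__main__":
    for finding in check_dacl(SYSLOG, SHOW_IP_INTERFACE, INTENDED_DACL) or ["OK"]:
        print(finding)
```

Run against the post's data, the script reports a single finding: the dACL was downloaded intact and authorization succeeded, but "show ip interface" names Auth-Default-ACL rather than the xACSACLx-* ACL, which is exactly the question the thread is about.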




3 REPLIES

Re: dACL doesn't apply

Take a look at the show authentication session interface gig xxx; that will show you the ACL applied after the authentication.


Sent from Cisco Technical Support Android App

Tarik Admani *Please rate helpful posts*
New Member

Re: dACL doesn't apply

Hello,

Can you post the output of the following commands after authorization:

show authentication session interface

sh ip access-lists interface

show running-config interface

show access-list

sh ip access-lists

Cisco Employee

Re: dACL doesn't apply

Hello Alexey,

Check if the IOS version and hardware platform (switch) you're using are mentioned in the TrustSec document (page 6):

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf

I had the same problem and it turned out that I had to upgrade the switch, because the IOS version I used wasn't fully supported. The minimum IOS version to use with ISE should be 12.2(55), but generally it's better to use 15.x.

Also, check if you have configured everything that is recommended for switch devices in TrustSec (page 59), including "ip device tracking".

There's also a very nice document for troubleshooting:

"Cisco TrustSec How-To Guide: Failed Authentications and Authorizations"

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf
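As an added example (not from the reply above or from Cisco), the two readiness checks this reply recommends, written as a Python script: parse the IOS version out of "show version" and compare it to the 12.2(55) minimum the reply states (flagging anything below 15.x as meeting the minimum but not preferred), and confirm that the global "ip device tracking" line is present in the running configuration. The sample "show version" line and running-config fragment are constructed for the example and are not from the thread; the function names and the version-string regex are assumptions.

```python
import re

# Constructed sample input in the format of a Catalyst "show version" banner
# (not from the thread).
SHOW_VERSION = ("Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), "
                "Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)")

# Constructed sample running-config fragment (not from the thread).
RUNNING_CONFIG = """\
!
ip device tracking
!
interface GigabitEthernet1/0/2
 switchport access vlan 100
 authentication port-control auto
 dot1x pae authenticator
!
"""

MIN_IOS = (12, 2, 55)           # minimum stated in the reply
PREFERRED_MAJOR = 15            # "better to use 15.x", per the reply

# Assumed regex for "Version 12.2(55)SE5"-style strings.
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)([A-Za-z0-9]*)")


def ios_version(show_version):
    """Return (major, minor, maintenance, train) from a 'show version' banner."""
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no IOS version string found")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def version_label(v):
    return f"{v[0]}.{v[1]}({v[2]}){v[3]}"


def meets_minimum(show_version, minimum=MIN_IOS):
    """True if the numeric part of the version is at least the minimum."""
    return ios_version(show_version)[:3] >= minimum


def has_device_tracking(running_config):
    """True if the global 'ip device tracking' command is configured."""
    return any(line.strip() == "ip device tracking"
               for line in running_config.splitlines())


def readiness_findings(show_version, running_config):
    """Return human-readable findings; empty means both checks passed cleanly."""
    findings = []
    v = ios_version(show_version)
    if v[:3] < MIN_IOS:
        findings.append(f"IOS {version_label(v)} is below the 12.2(55) minimum for ISE")
    elif v[0] < PREFERRED_MAJOR:
        findings.append(f"IOS {version_label(v)} meets the minimum; 15.x is preferred")
    if not has_device_tracking(running_config):
        findings.append("'ip device tracking' is not configured globally")
    return findings


if __name__ == "__main__":
    for finding in readiness_findings(SHOW_VERSION, RUNNING_CONFIG) or ["OK"]:
        print(finding)
```

The version comparison uses the numeric tuple only, so a 15.0(2) release sorts above 12.2(55) regardless of the train letters after it.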
