07-11-2013 07:49 AM - edited 03-10-2019 08:38 PM
For a user I created this dACL:
only_default_router
permit icmp any host 192.168.100.1
permit tcp any host 192.168.100.1
deny ip any any
After the user logged in to Windows I found these logs on the switch:
001867: *Mar 16 22:03:58.196: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c
001868: *Mar 16 22:03:58.204: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit icmp any host 192.168.100.1
001869: *Mar 16 22:03:58.221: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c
001870: *Mar 16 22:03:58.229: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit tcp any host 192.168.100.1
001871: *Mar 16 22:03:58.254: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c
001872: *Mar 16 22:03:58.254: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:deny ip any any
001873: *Mar 16 22:03:58.405: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000c.29d6.02a6) on Interface Gi1/0/2 AuditSessionID C0A8641E00000034511FC4B0
001874: *Mar 16 22:03:58.422: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
001875: *Mar 16 22:03:59.429: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up
But Auth-Default-ACL is applied on the interface, and that is why all traffic is blocked.
And on the interface I found:
ISE-SWITCH#show ip interface gigabitEthernet 1/0/2
GigabitEthernet1/0/2 is up, line protocol is up
Inbound access list is Auth-Default-ACL
Why is my dACL not applied?
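To make the comparison between "what the switch logged" and "what the port is actually filtering with" repeatable, here is an added Python example (it is not from the original poster or from Cisco). It parses the syslog lines and the `show ip interface` output quoted in this post, rebuilds the downloaded xACSACLx-* ACL from the CFGLOG lines, and reports whether the port's inbound ACL is that dACL or still Auth-Default-ACL. The running-config prerequisite lines it checks are my assumption from general IOS dACL practice (only `ip device tracking` is named in this thread), and the running-config sample and the "good" show output are constructed.

```python
"""Check whether an ISE-pushed dACL actually landed on a switch port.

Added example for this thread, not the poster's or Cisco's code. It parses
the switch syslog and 'show ip interface' output quoted above. The list of
running-config prerequisites is assumed from general IOS dACL practice;
only 'ip device tracking' is mentioned in the thread itself.
"""
import re

CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:\S+ logged command:(?P<cmd>.+)$")
AUTHMGR_OK_RE = re.compile(
    r"%AUTHMGR-5-SUCCESS: Authorization succeeded for client "
    r"\((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)")
INBOUND_RE = re.compile(r"^\s*Inbound access list is (?P<acl>\S+)", re.M)
DACL_PREFIX = "xACSACLx-IP-"   # name prefix IOS gives to ACLs downloaded from ISE/ACS

# Lines IOS needs before it will accept and apply a RADIUS dACL (assumed,
# apart from "ip device tracking", which the thread names explicitly).
DACL_PREREQS = (
    "aaa authorization network default group radius",
    "radius-server vsa send authentication",
    "ip device tracking",
)

# Syslog lines and show output quoted in the post above.
SWITCH_LOG = """\
001867: *Mar 16 22:03:58.196: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c
001868: *Mar 16 22:03:58.204: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit icmp any host 192.168.100.1
001869: *Mar 16 22:03:58.221: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c
001870: *Mar 16 22:03:58.229: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit tcp any host 192.168.100.1
001871: *Mar 16 22:03:58.254: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ip access-list extended xACSACLx-IP-only_default_router-51ded09c
001872: *Mar 16 22:03:58.254: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:deny ip any any
001873: *Mar 16 22:03:58.405: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000c.29d6.02a6) on Interface Gi1/0/2 AuditSessionID C0A8641E00000034511FC4B0
""".splitlines()

SHOW_IP_INT_BAD = """\
GigabitEthernet1/0/2 is up, line protocol is up
  Inbound access list is Auth-Default-ACL
"""
# Constructed: what the same output should look like once the dACL is applied.
SHOW_IP_INT_GOOD = """\
GigabitEthernet1/0/2 is up, line protocol is up
  Inbound access list is xACSACLx-IP-only_default_router-51ded09c
"""
# Constructed running-config excerpt missing one prerequisite.
RUNNING_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server vsa send authentication
"""


def parse_downloaded_acls(log_lines):
    """Rebuild ACLs from CFGLOG lines: 'ip access-list extended NAME' selects
    an ACL; each following logged command is an ACE of the selected ACL."""
    acls, current = {}, None
    for line in log_lines:
        m = CFGLOG_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        if cmd.startswith("ip access-list extended "):
            current = cmd.split()[-1]
            acls.setdefault(current, [])
        elif current is not None:
            acls[current].append(cmd)
    return acls


def successful_authorizations(log_lines):
    """Map interface -> client MAC for every AUTHMGR-5-SUCCESS line."""
    return {m.group("intf"): m.group("mac")
            for m in map(AUTHMGR_OK_RE.search, log_lines) if m}


def inbound_acl(show_ip_interface_output):
    """Name of the inbound ACL reported by 'show ip interface', or None."""
    m = INBOUND_RE.search(show_ip_interface_output)
    return m.group("acl") if m else None


def diagnose(log_lines, show_ip_interface_output):
    """Compare the dACL the switch programmed with the ACL the port uses."""
    dacls = {n: a for n, a in parse_downloaded_acls(log_lines).items()
             if n.startswith(DACL_PREFIX)}
    applied = inbound_acl(show_ip_interface_output)
    return {
        "downloaded_dacls": dacls,
        "authorized_ports": successful_authorizations(log_lines),
        "inbound_acl": applied,
        "dacl_applied": applied in dacls,
        "stuck_on_default_acl": applied == "Auth-Default-ACL",
    }


def missing_dacl_prerequisites(running_config):
    """Prerequisite lines absent from a running-config text."""
    present = {l.strip() for l in running_config.splitlines()}
    return [p for p in DACL_PREREQS if p not in present]


if __name__ == "__main__":
    for k, v in diagnose(SWITCH_LOG, SHOW_IP_INT_BAD).items():
        print(f"{k}: {v}")
    print("missing prerequisites:", missing_dacl_prerequisites(RUNNING_CONFIG))
```

Run against the output above it reports the downloaded ACL with its three ACEs and a successful authorization on Gi1/0/2, but `inbound_acl` is Auth-Default-ACL, so `dacl_applied` is False: the switch received and parsed the dACL, the failure is in applying it to the port, which is exactly the gap the `show authentication session interface` and `show ip access-lists interface` commands suggested in the replies are meant to expose.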
07-12-2013 10:47 PM
Take a look at the show authentication session interface gig xxx, that will show you the ACL applied after the authentication.
Sent from Cisco Technical Support Android App
07-14-2013 10:20 PM
Hello,
can you post the output of the following commands after authorization:
show authentication session interface
sh ip access-lists interface
show running-config interface
show access-list
sh ip access-lists
08-05-2013 08:12 PM
Hello Alexey,
check if the IOS version and hardware platform (switch) you're using are mentioned in the TrustSec document (page 6):
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
I had the same problem and it turned out that I had to upgrade the switch, because the IOS version I used wasn't fully supported. The minimum IOS version to use with ISE should be 12.2(55), but generally it's better to use 15.x.
Also, check if you have configured everything that is recommended for switch devices in TrustSec (page 59), including "ip device tracking".
There's also a very nice document for troubleshooting:
"Cisco TrustSec How-To Guide: Failed Authentications and Authorizations"