Cisco Support Community
how to download DACL at the point 3850 dot1x wireless authentication

Hi all,

I'm testing dot1x wireless authentication on a Cisco 3850 switch, and I have now successfully finished dot1x port-based authentication.

But when I test dot1x wireless authentication, a problem occurs.

I can connect to the SSID and log in, but shortly afterwards I am automatically logged out; I also can't download the ACL, and I get an error message.

Please see below:

 

Mar 31 08:44:19.389: *%APF-4-ADD_TO_BLACKLIST_REASON: 1 wcm:  Client c8f7.337c.dd46 (AuditSessionID: 0a010afd53392ae3000000a9) was added to exclusion list. Reason: Client EPM policy plumb failure   

 

I have also uploaded my 3850 configuration.

Please note that:

 

management vlan 1

ap vlan 10

guest vlan 221

employee vlan 201


3850-1#show run
Building configuration...

Current configuration : 10143 bytes
!
! Last configuration change at 08:36:35 UTC Mon Mar 31 2014 by admin
! NVRAM config last updated at 08:33:28 UTC Mon Mar 31 2014 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname 3850-1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !        
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$aNn8$nIGL7M5TVFxc4Iw66yS.E0
enable password lab-cert
!
username admin privilege 15 password 0 lab-cert
user-name POD1
 creation-time 1396062152
 privilege 15
 password 0 Uabootcamp1
 type mgmt-user
aaa new-model
!
!
aaa group server radius rsg
 server name ise
!
aaa group server radius RAD-GRP
!
aaa authentication dot1x AutoGen_AuthNPolicy_Dot1X group rsg
aaa authorization network cisco-auth group rsg 
aaa accounting dot1x AutoGen_AuthNPolicy_Dot1X start-stop group rsg
!
!
!
!
!
aaa server radius dynamic-author
 client 10.1.1.20 server-key Uabootcamp1
 auth-type any
!
aaa session-id common
switch 1 provision ws-c3850-24p
!
ip domain-name cisco.local
ip device tracking
!
ip dhcp pool DHCP
 network 10.1.10.0 255.255.255.0
 default-router 10.1.10.253 
 option 60 ascii "Cisco AP c3500"
 option 43 ascii "10.1.10.253"
!
!
!         
crypto pki trustpoint TP-self-signed-1969544188
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1969544188
 revocation-check none
 rsakeypair TP-self-signed-1969544188
!
!
crypto pki certificate chain TP-self-signed-1969544188
 certificate self-signed 01
  3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31393639 35343431 3838301E 170D3134 30333331 30363330 
  31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39363935 
  34343138 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  81008B72 69F48122 C0370C23 78791949 A3434873 C5B18B81 B9BAE357 1D34099E 
  F6719835 50D4BD24 3FED2392 590345CF 3CFF717C 92190F57 2076B1F2 8BC09B0F 
  25EFBE60 58914662 05ED586A 56B64688 E7342ED8 6D57EC7C 411CC082 3369B978 
  F78EE050 5683239E BE2A21DA 9AEABCA7 F996405E 64B46EE7 3EDFF46E B4C669A6 
  E0730203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603 
  551D1104 0A300882 06333835 302D3130 1F060355 1D230418 30168014 B5523530 
  0EB1A6DC 8C2AB6F8 90122FFC FC2D407C 301D0603 551D0E04 160414B5 5235300E 
  B1A6DC8C 2AB6F890 122FFCFC 2D407C30 0D06092A 864886F7 0D010104 05000381 
  8100654B D884B51F 87D05515 61B7E846 A0B0A717 349A42D4 B9C239A8 1480AED4 
  756B7D9A 45CF600E F1A59D31 98BA30E4 5B428145 C10C3FCD 3B327A7C C5AE4520 
  EA11F605 27E80847 9178BA5C F1650680 A98235AC D3635C3E 6035FB70 E9EF0CB1 
  6DC2A5F3 A03379FD 2445401F F350B852 208D90E8 DDAAB400 344C1F58 F09B29EC A5B8
        quit
dot1x system-auth-control
!
!
!
!
!
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
 mode sso
!
!
!
class-map match-any non-client-nrt-class
  match non-client-nrt 
!         
policy-map port_child_policy
 class non-client-nrt-class
    bandwidth remaining ratio 10
!
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 2.2.2.2 255.255.255.0
 shutdown
 negotiation auto
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!         
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/20
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan10
 ip address 10.1.10.253 255.255.255.0
!
interface Vlan201
 ip address 10.1.201.1 255.255.255.0
 ip helper-address 10.1.1.20
!
interface Vlan221
 ip address 10.1.221.1 255.255.255.0
!
ip http server
ip http authentication local
ip http secure-server
!
!
ip access-list standard etes
 permit any
!
ip access-list extended acl_webauth_redirect
 permit ip any any
ip access-list extended hta-doctor
 permit ip any any
ip access-list extended hta_nurse
 permit ip any any
ip access-list extended permit_all_traffic
 permit ip any any
ip access-list extended rr
 permit ip any any
!
!
snmp-server community primepublic RO
snmp-server community primeprivate RW
snmp-server location default
snmp-server contact default
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flowmon
snmp-server enable traps transceiver all
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps rf
snmp-server enable traps memory
snmp-server enable traps cpu threshold
snmp-server enable traps wireless bsnMobileStation bsnAccessPoint bsnRogue bsn80211Security bsnAutoRF bsnGeneral client mobility RRM mfp AP rogue
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps flash insertion removal
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps license
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps port-security
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps trustsec-sxp conn-srcaddr-err msg-parse-err conn-config-err binding-err conn-up conn-down binding-expn-fail oper-nodeid-change binding-conflict
snmp-server enable traps trustsec-server radius-server provision-secret
snmp-server enable traps trustsec authz-file-error cache-file-error keystore-file-error keystore-sync-fail random-number-fail src-entropy-fail
snmp-server enable traps trustsec-interface unauthorized sap-fail authc-fail supplicant-fail authz-fail
snmp-server enable traps trustsec-policy peer-policy-updated authz-sgacl-fail
snmp-server enable traps bgp
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps isis
snmp-server enable traps local-auth
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps ipsla
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 10.1.1.102 primeprivate 
snmp-server host 10.1.1.102 primepublic 
!
!
radius server ise
 address ipv4 10.1.1.20 auth-port 1812 acct-port 1813
 key Uabootcamp1
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password lab-cert
line vty 5 15
 password lab-cert
!
ntp server 10.1.1.241
wsma agent exec
 profile httplistener
 profile httpslistener
wsma agent config
 profile httplistener
 profile httpslistener
wsma agent filesys
 profile httplistener
 profile httpslistener
wsma agent notify
 profile httplistener
 profile httpslistener
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
wireless mobility controller
wireless management interface Vlan10
wireless rf-network rfdemo
wlan UA-bootcamp 1 UA-bootcamp
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown
wlan UA-Guest 10 UA-Guest
 aaa-override
 accounting-list AutoGen_AuthNPolicy_Dot1X
 client vlan hta-guest1-WLan
 ip dhcp server 10.1.221.253
 nac
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security dot1x authentication-list AutoGen_AuthNPolicy_Dot1X
 session-timeout 1800
 no shutdown
wlan UA-employee 11 UA-employee
 aaa-override
 accounting-list AutoGen_AuthNPolicy_Dot1X
 client vlan hta-employee1-Wlan
 ip dhcp server 10.1.201.253
 nac
 security dot1x authentication-list AutoGen_AuthNPolicy_Dot1X
 session-timeout 1800
 no shutdown
ap country KE
ap group default-group
end

1 REPLY
Hello,

For the blacklist issue (being signed off shortly after logging in), the solution is to disable client exclusion (using the no exclusionlist command).

For the DACL, the Airespace-ACL-Name attribute shall be used to restrict the traffic.

BR,

k

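The two recommendations in the reply, written out as an added configuration example for the poster's 3850. This is not from the original post, the reply, or Cisco documentation: the WLAN name, ACL name, RADIUS server and client MAC address are taken from the configuration and log above, while the ACL rules and the attribute value the ISE authorization profile returns are assumptions made for illustration.

```ios
! --- Added example, not the poster's running configuration ---
!
! 1. Stop the client from being blacklisted while the policy problem is debugged.
!    Exclusion is configured per WLAN; the WLAN must be disabled while its
!    parameters are changed. "aaa-override" is already present above and is
!    required for the controller to honour attributes returned by ISE.
wlan UA-employee 11 UA-employee
 shutdown
 aaa-override
 no exclusionlist
 no shutdown
!
! 2. Define the named ACL on the 3850 itself. An ACL referenced through
!    Airespace-ACL-Name is only applied if an ACL of exactly that name already
!    exists on the controller. The poster's "hta-doctor" ACL is "permit ip any
!    any"; the rules below are an assumed restrictive replacement: allow DHCP,
!    DNS and the employee subnet (VLAN 201), drop everything else.
ip access-list extended hta-doctor
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any 10.1.201.0 0.0.0.255
 deny   ip any any
!
! 3. On ISE (10.1.1.20, the RADIUS server above), the authorization profile
!    for these users should return the RADIUS vendor-specific attribute
!    Airespace-ACL-Name with the value "hta-doctor" instead of a downloadable
!    ACL. The value must match the local ACL name character for character.
!
! 4. Verification once the client from the log re-associates:
!    show wireless exclusionlist
!    show access-session mac c8f7.337c.dd46 details
!    show ip access-lists hta-doctor
```

Disabling the exclusion list only removes the symptom (the forced logout); the "Client EPM policy plumb failure" itself is reported when the controller cannot install the policy ISE returned, so the ACL named in the RADIUS reply has to exist locally before the client authenticates.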