Hello,
I am encountering an issue with the authorization policies on ISE. When I
configured the policy, the switch downloads it and the dACL is applied; however,
no traffic is going through:

CCIETest#show authentication sessions int fa 0/3
    Interface: FastEthernet0/3
    MAC Address: 0008.7433.b571
    IP Address: Unknown
    User-Name: user1
    Status: Authz Success
    Domain: DATA
    Security Policy: Should Secure
    Security Status: Unsecure
    Oper host mode: single-host
    Oper control dir: both
    Authorized By: Authentication Server
    Vlan Group: N/A
    ACS ACL: xACSACLx-IP-DOMAIN_COMP_dACL-524ad65a
    Session timeout: 3600s (local), Remaining: 3152s
    Timeout action: Reauthenticate
    Idle timeout: N/A
    Common Session ID: 0AC61C04000000020002A3E7
    Acct Session ID: 0x00000004
    Handle: 0x6B000002

Runnable methods list:
    Method   State
    dot1x    Authc Success

ACL:
Extended IP access list Auth-Default-ACL
    10 permit udp any range bootps 65347 any range bootpc 65348 (18 matches)
    20 permit udp any any range bootps 65347
    30 deny ip any any (4 matches)
Extended IP access list xACSACLx-IP-DOMAIN_COMP_dACL-524ad65a (per-user)
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit icmp any any
    40 permit ip any host 10.1.1.101

Something that I didn't understand is where the Default Authentication ACL
comes from; I was not able to see it on the ISE. I don't know/think it
interferes with this traffic, but as soon as I remove authentication port
control, traffic flows with no issues.
On the ISE authentication summary, I can see the Authorization profile went
fine and the Policy was downloaded correctly.
Any help would be appreciated.
Mike Rojas