Hi

Did you enable Device Tracking? It says that the IP address of the device
is unknown and it did not change the source from "any" to an IP in the
downloaded ACL.

The Default ACL is a feature available in the newer versions of code to
allow you to apply a downloaded ACL on ports not configured with any inbound
ACL. In the older code versions you were supposed to apply a
Pre-Authentication ACL, even if it was permitting all IP, to get the dACL
feature to work.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com


On Tue, Oct 1, 2013 at 10:51 PM, Mike Rojas <[email protected]> wrote:

> Hello,
>
> I am encountering an issue with the authorization policies on ISE. When I
> configured the policy, the switch downloads it and the dACL is applied,
> however no traffic is going through:
>
> CCIETest#show authentication sessions int fa 0/3
>             Interface:  FastEthernet0/3
>           MAC Address:  0008.7433.b571
>            IP Address:  Unknown
>             User-Name:  user1
>                Status:  Authz Success
>                Domain:  DATA
>       Security Policy:  Should Secure
>       Security Status:  Unsecure
>        Oper host mode:  single-host
>      Oper control dir:  both
>         Authorized By:  Authentication Server
>            Vlan Group:  N/A
>               ACS ACL:  xACSACLx-IP-DOMAIN_COMP_dACL-524ad65a
>       Session timeout:  3600s (local), Remaining: 3152s
>        Timeout action:  Reauthenticate
>          Idle timeout:  N/A
>     Common Session ID:  0AC61C04000000020002A3E7
>       Acct Session ID:  0x00000004
>                Handle:  0x6B000002
>
> Runnable methods list:
>        Method   State
>        dot1x    Authc Success
>
> ACL:
> Extended IP access list Auth-Default-ACL
>     10 permit udp any range bootps 65347 any range bootpc 65348 (18 matches)
>     20 permit udp any any range bootps 65347
>     30 deny ip any any (4 matches)
> Extended IP access list xACSACLx-IP-DOMAIN_COMP_dACL-524ad65a (per-user)
>     10 permit udp any eq bootpc any eq bootps
>     20 permit udp any any eq domain
>     30 permit icmp any any
>     40 permit ip any host 10.1.1.101
>
>
> Something that I didn't understand is where the Default Authentication ACL
> comes from. I was not able to see it on the ISE, and I don't know/think it
> interferes with this traffic, but as soon as I remove authentication port
> control, traffic flows with no issues.
>
> On the ISE authentication summary, I can see the Authorization profile
> went fine and the Policy was downloaded correctly.
>
> Any help would be appreciated.
>
> Mike Rojas
>
>
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
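As an added illustration (not configuration from either poster), here is the older-code setup Piotr describes: device tracking enabled globally so the switch learns the host IP and can substitute it for the "any" source in the downloaded ACL, plus a permit-all pre-authentication ACL on the port. The ACL name is an assumption; the interface matches the session output above.

```text
! Device tracking: the switch must learn the host's IP (via ARP/DHCP)
! before it can rewrite the dACL source "any" to that address.
! Without it the session shows "IP Address: Unknown" and the dACL
! never takes effect.
ip device tracking
!
! Pre-authentication ACL required by older IOS for a dACL to be
! applied, even when it permits everything (name is an assumption).
ip access-list extended PRE-AUTH
 permit ip any any
!
interface FastEthernet0/3
 switchport mode access
 ip access-group PRE-AUTH in
 authentication port-control auto
 dot1x pae authenticator
!
! Verification after the host re-authenticates:
!   show ip device tracking all
!     -> the host MAC should now map to an IP on FastEthernet0/3
!   show authentication sessions interface FastEthernet0/3
!     -> "IP Address" should no longer read "Unknown"
!   show ip access-lists interface FastEthernet0/3
!     -> the per-user ACL should show the host IP in place of "any"
```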