simple authentication scenario on ISE

ciscoworlds, Level 4

Hi;

I'm going to explain my simple topology: I have a 3560 switch whose port g0/8 is connected to a phone, and the phone is connected to a PC. The other ports on the switch are members of the default VLAN 1, which is our data VLAN. ISE (10.1.150.152) and CUCM (10.1.150.150) are inside VLAN 1 too, and I changed their default gateway to point to this switch, whose IP is 10.1.1.154/16.

I created a separate VLAN for voice (VLAN 500), added an interface Vlan500 with the IP 192.168.250.2/24 on the switch, and finally configured the switch to be the default gateway for both VLAN 1 and VLAN 500. I also turned IP routing on on the switch, enabled the DHCP server service on the switch, and configured a pool as you'll see below. Reachability is OK, and a ping sourced from the Vlan500 interface toward ISE and CUCM completes successfully.

The RADIUS Live Log page on ISE shows that both the authentication and the dACL download were successful.

Policy Server: cisco-ise
Event 5200 Authentication succeeded
Username: 38:ED:18:55:78:7C
User Type: Host
Endpoint Id: 38:ED:18:55:78:7C
Calling Station Id: 38-ED-18-55-78-7C
Endpoint Profile: Cisco-Device
Authentication Identity Store: Internal Endpoints
Identity Group: Profiled
Audit Session Id: 000000000000000E00F073B6
Authentication Method: mab
Authentication Protocol: Lookup
Service Type: Call Check
Network Device: Cisco-3560
NAS IPv4 Address: 10.1.1.154
NAS Port Id: GigabitEthernet0/8
NAS Port Type: Ethernet
Authorization Profile: TIMAZ_AUTHO-PROFILE1

EPM logging revealed the following output:

%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 38ed.1855.787c| AuditSessionID 000000000000000F00F8A536| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32| EVENT DOWNLOAD_REQUEST
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 38ed.1855.787c| AuditSessionID 000000000000000F00F8A536| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32| EVENT DOWNLOAD-SUCCESS
%EPM-6-IPEVENT: IP 0.0.0.0 MAC 38ed.1855.787c| AuditSessionID 000000000000000F00F8A536| EVENT IP-WAIT

The result is that the phone couldn't get an IP address from the DHCP pool on the switch and cannot register to CUCM. I got empty output after issuing the "sh ip dhcp binding" and "sh ip device tracking all" commands on the switch. Here is my consolidated switch config, in case you think it is necessary to take a look at it.

aaa new-model
aaa group server radius RADIUS_GROUP
 server-private 10.1.150.152 key cisco
!
aaa authentication login default group RADIUS_GROUP local
aaa authentication login CONSOLE_AUTHEN local
aaa authentication dot1x default group RADIUS_GROUP
aaa authorization network default group RADIUS_GROUP
!
aaa server radius dynamic-author
 client 10.1.150.152 server-key cisco
!
ip routing
ip dhcp database ftp://10.1.3.221/DHCPDB
ip dhcp excluded-address 192.168.250.1 192.168.250.220
!
ip dhcp pool TEST_PoOL
 network 192.168.250.0 255.255.255.0
 option 150 ip 10.1.150.150
 dns-server 10.1.1.30
 default-router 192.168.250.2
 lease 0 5
!
epm logging
!
interface GigabitEthernet0/8
 switchport mode access
 switchport voice vlan 500
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface Vlan1
 ip address 10.1.1.154 255.255.0.0
!
interface Vlan500
 ip address 192.168.250.2 255.255.255.0
 ip helper-address 10.1.150.150
!
ip default-gateway 10.1.1.1


Even the "sh ip access-list" command on the switch shows that the "deny ip any any" dACL has been downloaded onto the switch:

Switch(config)#do sh ip access
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
    100 deny udp any any eq domain
    101 deny tcp any any eq domain
    102 deny udp any eq bootps any
    103 deny udp any any eq bootpc
    104 deny udp any eq bootpc any
    105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
Extended IP access list xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32 (per-user)
    1 deny ip any any


Any idea? Does the dACL with "deny ip any any" that was downloaded onto the switch automatically prevent the IP address assignment to the phone, and does it prevent the voice VLAN assignment too?

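As an added example (not part of the original post, and not Cisco code), the following Python snippet re-implements first-match evaluation for the extended ACL entries printed in the "sh ip access-list" output above and runs the phone's DHCP DISCOVER (UDP source port 68 to destination port 67) through each ACL. A dACL on a Catalyst port filters IP traffic entering the port from the authenticated host, so the verdict the evaluator gives for the DISCOVER is the verdict the phone's first DHCP packet gets. The ACL text is copied from the post; the Packet and Ace types, the evaluator itself and the three sample packets are constructed here for illustration and only cover the ACE syntax that appears on this page.

```python
# Added example (not from the original post): a tiny first-match evaluator for
# the Cisco-style extended ACL entries shown in the post. Supported ACE form:
#   <seq> permit|deny ip|udp|tcp any [eq <port>] any [eq <port>]
# Everything here (types, evaluator, packets) is constructed for this example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords that appear in the ACLs on the page.
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip", "udp" or "tcp"
    sport: Optional[int]  # None means any source port
    dport: Optional[int]  # None means any destination port


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_ace(line: str) -> Ace:
    """Parse one ACE such as '102 deny udp any eq bootps any'."""
    tok = line.split()
    seq, action, proto, rest = int(tok[0]), tok[1], tok[2], tok[3:]
    if action not in ("permit", "deny") or proto not in ("ip", "udp", "tcp"):
        raise ValueError(f"unsupported ACE: {line}")
    ports: List[Optional[int]] = []
    i = 0
    for _ in range(2):  # source spec, then destination spec
        if rest[i] != "any":
            raise ValueError(f"only 'any' addresses are supported: {line}")
        i += 1
        if i < len(rest) and rest[i] == "eq":
            ports.append(_port(rest[i + 1]))
            i += 2
        else:
            ports.append(None)
    return Ace(seq, action, proto, ports[0], ports[1])


def parse_acl(text: str) -> List[Ace]:
    """Keep only the numbered ACE lines; 'Extended IP access list ...' headers are skipped."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and l.split()[0].isdigit()]


def matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl_text: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; no match falls through to the implicit deny (seq None)."""
    for ace in parse_acl(acl_text):
        if matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


# ACLs copied verbatim from the switch output in the post.
CWA_REDIRECT_ACL = """Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
    100 deny udp any any eq domain
    101 deny tcp any any eq domain
    102 deny udp any eq bootps any
    103 deny udp any any eq bootpc
    104 deny udp any eq bootpc any
    105 permit tcp any any eq www"""
PREAUTH_ACL = """Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any"""
DACL_DENY_ALL = """Extended IP access list xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32 (per-user)
    1 deny ip any any"""

# Constructed sample packets as sent by the phone (ingress on g0/8).
DHCP_DISCOVER = Packet("udp", 68, 67)   # bootpc -> bootps
DNS_QUERY = Packet("udp", 51234, 53)
HTTP_GET = Packet("tcp", 51234, 80)

if __name__ == "__main__":
    for name, acl in (("dACL", DACL_DENY_ALL), ("preauth", PREAUTH_ACL)):
        print(name, "DHCP DISCOVER ->", evaluate(acl, DHCP_DISCOVER))
```

Run as a script, it prints the verdict each ACL gives the DISCOVER: the downloaded dACL drops it at sequence 1, whereas preauth_ipv4_acl would let it through at sequence 50 (and DNS at 10). Note that in a URL-redirect ACL such as CISCO-CWA-URL-REDIRECT-ACL the actions mean "redirect" (permit) and "do not redirect" (deny) rather than forward/drop, so the evaluator's verdict for that ACL is not a filtering decision.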