Lab Minutes Forum

Technical Discussion => Security => Topic started by: Administrator on May 19, 2014, 10:06:10 PM

Title: HELP FOR DACL on behalf of foladi
Post by: Administrator on May 19, 2014, 10:06:10 PM
Hi, I am using your videos about .1x and ACS. They are perfect for me, but I have a
question about downloadable ACL. I have a domain, and ACS acts as the RADIUS server.
My client logs in to the domain with the username and passwords and is checked with
dot1x, and I use open authentication just like your video (MAB part 1).
Domain and DHCP traffic can be exchanged, but my question: when the client logs in
and is checked by dot1x there is no problem, but the DACL does not work for (permit ip any any).
How should I solve this problem? Best regards, thank you.
Title: Re: HELP FOR DACL on behalf of foladi
Post by: MC on May 19, 2014, 10:09:38 PM
Please check the log on ISE and RADIUS debug to make sure the DACL was sent out to the switch. If it is,
1. Check if you have 'aaa authorization network' enabled
2. Check if you have CoA enabled on the switch (i.e. 'aaa server radius dynamic-author')
Title: Re: HELP FOR DACL on behalf of foladi
Post by: foladi on May 19, 2014, 11:54:51 PM
Hi, thanks for the comment.
We don't have ISE in the scenario, and the DACL was sent from RADIUS to the switch (I see it in the monitoring section) but was not applied on the client.
I will apply your command and get back.
Title: Re: HELP FOR DACL on behalf of foladi
Post by: MC on May 21, 2014, 07:47:04 AM
My bad.. I meant ACS but the idea is the same
Title: Re: HELP FOR DACL on behalf of foladi
Post by: foladi on May 28, 2014, 12:18:55 AM
Hi,
I checked your command and the problem is not solved.
Is the IOS of the sw3750 important?
My IOS is sw3750 ipbase-mz.12.2.50.se5.
I upgraded to another IOS and again it does not work.
What is your suggestion?
Thanks
Title: Re: HELP FOR DACL on behalf of foladi
Post by: MC on May 28, 2014, 11:16:26 PM
The IOS should be at least 12.2.55 I believe. So when you run debug radius on the switch, do you see the ACL being received from ACS?
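
The checks suggested in this thread, collected into one script as an added example (not code from the forum or from Cisco): it scans a switch's running-config for the two commands named in the first reply and compares the `show version` release against the 12.2(55) minimum quoted in the last reply. The function names and the sample config and version text are constructed for illustration.

```python
import re

# Minimum release as quoted in the thread's last reply ("at least 12.2.55 I believe").
MIN_IOS = (12, 2, 55)

# The two switch commands named in the thread's first reply.
REQUIRED_PREFIXES = {
    "aaa authorization network": "network authorization not enabled",
    "aaa server radius dynamic-author": "CoA (dynamic-author) not enabled",
}

VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)")


def parse_ios_version(show_version):
    """Return (major, minor, maintenance) from 'show version' text, or None."""
    m = VERSION_RE.search(show_version)
    return tuple(int(g) for g in m.groups()) if m else None


def dacl_findings(running_config, show_version):
    """List the prerequisites from the thread that this switch does not meet."""
    findings = []
    lines = [ln.strip() for ln in running_config.splitlines()]
    for prefix, problem in REQUIRED_PREFIXES.items():
        # startswith() on the stripped line ignores negated ("no ...") forms.
        if not any(ln.startswith(prefix) for ln in lines):
            findings.append(problem)
    version = parse_ios_version(show_version)
    if version is None:
        findings.append("IOS version not found")
    elif version < MIN_IOS:
        findings.append("IOS %d.%d(%d) is older than 12.2(55)" % version)
    return findings


# Constructed sample input: a 3750 on 12.2(50)SE5 with no dynamic-author block.
SAMPLE_VERSION = ("Cisco IOS Software, C3750 Software (C3750-IPBASE-M), "
                  "Version 12.2(50)SE5, RELEASE SOFTWARE (fc1)")
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
interface GigabitEthernet1/0/1
 authentication open
 authentication port-control auto
 dot1x pae authenticator
"""

if __name__ == "__main__":
    for finding in dacl_findings(SAMPLE_CONFIG, SAMPLE_VERSION):
        print("FINDING:", finding)
```

An empty result only means these prerequisites are in place; whether the ACL actually reached the switch still has to be confirmed with `debug radius`, as asked above.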