
N-series configuration for 802.1x and Dynamic ACL use case with Cisco ISE integration

This document provides an example of N-series switch and Cisco ISE configuration for an 802.1x and Dynamic ACL
scenario.

Tested with OS 6.6.0.13 and Cisco ISE 2.6.0.156.

Configuration of N-series switch

! required for 802.1x
authentication enable
! required for 802.1x
dot1x system-auth-control
! RADIUS server authentication for 802.1x
aaa authentication dot1x default radius
! RADIUS server authorization for 802.1x
aaa authorization network default radius
! management IP address of the switch; must match the IP address of the NAS configured on Cisco ISE
radius server source-ip 10.6.2.12
! shared key used for the security check with Cisco ISE; must match the key configured on Cisco ISE
radius server key 7 "cd36…c90"
! IP address of Cisco ISE
radius server auth 172.19.36.74
! required for Dynamic ACL
radius server vsa send authentication

! pre-authorized port that does not need authentication, e.g. an uplink to a core switch or a server connection
interface Gi1/0/1
description "Pre-Authorized Uplink port "
authentication port-control force-authorized

! 802.1x client port, left in the default authentication mode
interface Gi1/0/3
description "PC_802.1x"

If a port is in force-authorized mode, the port state is Authorized and the port sends and receives normal
traffic without client port-based authentication.

By default all ports are configured for multi-domain-multi-host authentication mode for 802.1x.
Multi-Domain-Multi-Host mode supports authentication of multiple data hosts and multiple voice hosts. Each
host that successfully authenticates is allowed network access. Once the host limit is reached, additional
host authentications are rejected.

By default all ports are configured in 'Auto' 802.1X port authentication mode. This mode controls the
behavior of the port: it will not authorize the port (so user traffic is blocked on the port) until an
802.1x user is authenticated. 802.1X auto mode may be configured on ports in general or access mode.
802.1X is not supported on trunk mode ports.

Dell Customer Communication - Confidential


Configuring authorization profile in Cisco ISE for Dynamic ACL

Cisco DACL means Downloadable ACL, which is not supported in OS6.6 for N-series.

Dell DACL means Dynamic ACL, which Cisco calls a Per-user ACL.

Configuring the Authorization profile with a Dynamic ACL, defined as the following av-pairs:

ip:inacl#1=permit ip any host 10.29.30.1
ip:inacl#2=permit ip any host 10.29.30.2

Then change the Authorization Policy rule to use the authorization profile above.

Testing user authentication

First step in a customer test case is to authenticate a PC and apply a Dynamic ACL providing access only
to specific hosts:

Dell#show authentication clients Gi1/0/3

Interface...................................... Gi1/0/3
Mac Address.................................... 00:0E:C6:F4:AA:56
User Name...................................... test_PC
VLAN Assigned Reason........................... RADIUS Assigned VLAN (4)
Host Mode...................................... multi-domain-multi-host
Method......................................... 802.1X
Control Mode................................... auto
Session time................................... 35
Session timeout ............................... 0
Session Termination Action..................... Default
Filter ID......................................
RADIUS Framed IPv4/IPv6 address................
DACL........................................... IP-DACL-IN-00000001
Redirect ACL...................................
Redirect URL...................................
Acct SessionId................................. test_PC:300000001

The DACL field shows that a Dynamic ACL has been created and applied for the PC. The rules in the Dynamic
ACL can be seen with show ip access-lists:

Dell#show ip access-lists IP-DACL-IN-00000001

IP ACL Name: IP-DACL-IN-00000001#d
Inbound Interface(s):
Gi1/0/3
Rule Number: 1
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. any
Destination IP Address......................... 10.29.30.1
Destination IP Mask............................ 0.0.0.0
ACL Hit Count.................................. 144
Rule Number: 2
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. any
Destination IP Address......................... 10.29.30.2
Destination IP Mask............................ 0.0.0.0
ACL Hit Count.................................. 63

Second step in a customer test case is to authenticate a user who has just logged in on the PC and gets
full access to the network:

Dell#show authentication clients Gi1/0/3

Interface...................................... Gi1/0/3
Mac Address.................................... 00:0E:C6:F4:AA:56
User Name...................................... test_user
VLAN Assigned Reason........................... RADIUS Assigned VLAN (4)
Host Mode...................................... multi-domain-multi-host
Method......................................... 802.1X
Control Mode................................... auto
Session time................................... 96
Session timeout ............................... 0
Session Termination Action..................... Default
Filter ID......................................
RADIUS Framed IPv4/IPv6 address................
DACL...........................................
Redirect ACL...................................
Redirect URL...................................
Acct SessionId................................. test_PC:300000001

The DACL field is now empty: no Dynamic ACL has been applied to the logged-in user.

Dell#show ip access-lists

No ACLs are configured

The Dynamic ACL has been removed from the switch.

Appendix A. Description of the Dynamic ACL definition on the RADIUS server, from the N-series User Guide

N-series Dynamic ACL restrictions in OS6.6:

• Only ingress ACLs are supported
• Dynamic ACLs may not exceed the size of a single RADIUS Access-Accept packet
• There is no support for multiple packet ACLs (max dynamic ACL is 4000 ASCII characters)
• There is no support for Downloadable ACLs where the NAS sends a second Access-Request to
the RADIUS server to retrieve an ACL

This method uses ACL syntax on the RADIUS server to create a new ingress ACL on the switch:

ip:inacl[#number]={extended-access-control-list}
ipv6:inacl[#number]={extended-access-control-list}

• The ip token indicates an IPv4 ACL definition follows the equals sign.
• The ipv6 token indicates an IPv6 ACL definition follows the equals sign.
• #number is the ACL sequence number in decimal format. Range 1–2147483647.
• The tokens ip:inacl and ipv6:inacl are in lower case and are followed by an equals sign with no
intervening white space.
• extended-access-control-list means an extended IPv4/IPv6 Extended ACL CLI rule definition beginning
with the {permit|deny} tokens followed by the protocol {every | eigrp | gre | icmp | igmp | ip | ipinip |
ospf | pim | tcp | udp | 0-55} for IPv4 and {every | icmpv6 | ipv6 | sctp | tcp | udp} for IPv6.

Dynamic ACL example (extended syntax, that is, ip access-list extended ...):

ip:inacl#100=permit ip any 209.165.0.0 0.0.255.255
ip:inacl#110=permit ip any 209.166.0.0 0.0.255.255
ip:inacl#120=permit ip any 209.167.0.0 0.0.255.255

Multiple ip:inacl/ipv6:inacl av-pairs may be present in the RADIUS message. However, only the first
definition will be applied for the authentication session. Different sessions, as in the case of the data and
voice VLAN authenticating independently, may both have Dynamic ACLs. It is recommended that the
DACLs be carefully designed so that they work in harmony, such as, at a minimum, no ACL numbers being
duplicated across the DACLs. DACLs are applied at the port level and are capable of affecting any traffic
ingressing the port. If there are syntax errors in the received ACLs (other than duplicate rules), the ACL
rules are not applied, the RADIUS Access-Accept is treated as an Access-Reject, and a WARN log
message of "Interface X/X/X not authorized. Application of downloaded ACL
did not complete due to invalid syntax XXXXX" is issued, indicating that a received
RADIUS rule is misconfigured with invalid syntax or configured with both ip:traffic-class and inacl rules,
and identifying the affected interface. If Accounting is enabled, the Acct-Start packet is not sent. An EAP-
Failure is sent to the 802.1X client.
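A pre-flight check for the av-pair rules above, added here as an example that is not part of this document or of Dell's or Cisco's own tooling: it validates a set of ip:inacl / ipv6:inacl av-pairs against the lower-case token, sequence number, permit|deny, protocol and 4000-character rules before they are entered into an ISE authorization profile, so a syntax slip does not turn the Access-Accept into a reject at the switch. The sample av-pairs are constructed and the function names are my own.

```python
import re

# Grammar taken from the N-series Dynamic ACL description quoted on this page.
IPV4_PROTOCOLS = {"every", "eigrp", "gre", "icmp", "igmp", "ip", "ipinip", "ospf", "pim", "tcp", "udp"}
IPV6_PROTOCOLS = {"every", "icmpv6", "ipv6", "sctp", "tcp", "udp"}
MAX_DACL_CHARS = 4000   # the whole ACL must fit one RADIUS Access-Accept
MAX_SEQ = 2147483647    # #number range 1-2147483647
AVPAIR_RE = re.compile(r"^(ip|ipv6):inacl(?:#(\d+))?=(.*)$")

def check_avpair(avpair):
    """Return the problems found in one ip:inacl / ipv6:inacl av-pair ([] if it is valid)."""
    m = AVPAIR_RE.match(avpair)
    if not m:  # upper-case token, missing '=' or white space before '=' all land here
        return ["token must be lower-case ip:inacl or ipv6:inacl directly followed by '='"]
    family, seq, rule = m.groups()
    problems = []
    if seq is not None and not 1 <= int(seq) <= MAX_SEQ:
        problems.append(f"sequence number {seq} outside 1-{MAX_SEQ}")
    tokens = rule.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        return problems + ["rule must start with permit|deny followed by a protocol"]
    proto = tokens[1]
    numeric_ok = family == "ip" and proto.isdigit() and int(proto) <= 255  # e.g. 255(ip) above
    if proto not in (IPV4_PROTOCOLS if family == "ip" else IPV6_PROTOCOLS) and not numeric_ok:
        problems.append(f"protocol '{proto}' is not valid for {family}")
    return problems

def check_dacl(avpairs):
    """Check a set of av-pairs as received in one Access-Accept; one error rejects the whole set."""
    problems = [f"{p}: {msg}" for p in avpairs for msg in check_avpair(p)]
    seen = set()
    for p in avpairs:
        m = AVPAIR_RE.match(p)
        if m and m.group(2):
            if m.group(2) in seen:  # duplicated ACL numbers are what the page warns against
                problems.append(f"{p}: duplicate sequence number {m.group(2)}")
            seen.add(m.group(2))
    total = sum(len(p) for p in avpairs)
    if total > MAX_DACL_CHARS:
        problems.append(f"ACL is {total} characters, over the {MAX_DACL_CHARS} limit")
    return {"ok": not problems, "problems": problems}

# Constructed sample: the profile from this page, and a set with deliberately broken pairs.
GOOD = ["ip:inacl#1=permit ip any host 10.29.30.1", "ip:inacl#2=permit ip any host 10.29.30.2"]
BAD = ["IP:inacl#1=permit ip any host 10.29.30.1",   # upper-case token
       "ip:inacl#2 =permit ip any host 10.29.30.2",  # white space before '='
       "ip:inacl#3=permit sctp any any",             # sctp is only in the IPv6 protocol list
       "ip:inacl#3=deny ip any any"]                 # duplicate sequence number
```

Running check_dacl(BAD) lists all four problems, while check_dacl(GOOD) reports the page's profile as clean.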

Application B. Example of Cisco ISE configuration for Per-user ACLs


https://srftw.wordpress.com/2017/02/05/delivering-acls-for-mabdot1x-authentication/
