
Clearpass dACL to Cisco EWC 9800

  • 1.  Clearpass dACL to Cisco EWC 9800

    Posted 6 days ago

    I'm having problems getting downloadable ACLs working properly on my wireless network.   Presently I'm working on getting wireless all done in clearpass and haven't started on wired yet, so this would be my first go at dACLs on the system.   I do have the ability to authenticate the laptop onto the wireless network, send it to the proper vlan, and get it talking.  All of that works fine.   I'm just not having luck getting an enforcement profile to block traffic right for clients that I match to a rule.  We're using Cisco 9100 series APs and the radius connection seems to be fine for everything we're doing thus far.

    I've tried working the ACL forward "deny ip any x.x.x.x" and backwards "deny ip x.x.x.x any", and I've tried using some examples from other aruba that use the NAS-Filter-Rule format, but just not having any luck getting it to actually block anything.   Any ideas?  Here are some screenshots:

    Here's a result I get when viewing in the tracker:

    When I use the cisco format, as the above shows, the result in the radius response isn't human readable.

    A lot of the documentation I've found online for Cisco seems to be targeted at wired 802.1X, so I'm not sure where I'm misinterpreting things. 

    Here's that aruba format that I was trying.

  • 2.  RE: Clearpass dACL to Cisco EWC 9800

    Posted 6 days ago

    That should work, and for this enforcement profile you should see 2x sessions in Access Tracker.

    One is the exact screenshot you have, and there should be a second one after that.

    Here are the two sessions that I have. First session:

    And this is the second session:

    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.

  • 3.  RE: Clearpass dACL to Cisco EWC 9800

    Posted 6 days ago

    Thanks for that, that is encouraging.    I think I may have to back up a step though because there may be more wrong.   As it turns out, if I get rid of the dACL and just try to steer the VLAN ID, that isn't working either.   I can do a trace on the WLC and see that indeed Clearpass is presenting those IETF attributes to set the VLAN, and the Cisco is seeing them, but for some reason it doesn't set the vlan ID properly as I'd expect.  So it may be that the Cisco WLC is just not complying with the response.   It does, however, deny access when Clearpass tells it to deny access, so it must be something still broken in perhaps the CoA.  I'll have to fix that and then see how this dACL stuff works then.

  • 4.  RE: Clearpass dACL to Cisco EWC 9800

    Posted 5 days ago

    OK, I got further on this and am back on track.  My problem with the VLAN ID was a stupid mistake, aided by a somewhat poor GUI on Cisco's behalf on their 9800 controller.  Dumb mistake. Oh well.

    But, with dynamic vlan assignment working, I went to try to put in my dACL in clearpass and I'm not getting what you're showing on your screenshots.

    It appears yours is for a Cisco switch.   To clarify, I'm using a Cisco 9800 wireless controller, if that makes any difference.

    When I add a dACL, my wifi won't connect at all.  Clearpass is indeed showing it as ACCEPT, so it should be working, but Cisco is not accepting the ACL.

    My ACL was simple:

    deny ip any

    permit ip any any

    However, my RADIUS response provided by ClearPass looks much like your screenshot...  Radius: Cisco:Cisco-IP-Downloadable-ACL: 0x23414353....big number.

    I did a radioactive trace on the controller for my mac address and I get some errors like this:

    2023/03/17 15:39:07.485050 {wncd_x_R0-0}{1}: [client-exclusion] [9707]: (info): MAC: 2ae5.1a47.3456  Add client to exclusionlist, sending ipc to add client to client exclusion table, reason: ACL failure, timeout: 60, AP: MAC: 1c1f.040c.3420
    2023/03/17 15:39:07.485073 {wncd_x_R0-0}{1}: [client-orch-sm] [9707]: (info): MAC: 2ae5.1a47.3456  sending add blacklist paylod to AP: 1c1f.040c.3420
    2023/03/17 15:39:07.486212 {wncd_x_R0-0}{1}: [errmsg] [9707]: (note): %CLIENT_EXCLUSION_SERVER-5-ADD_TO_BLACKLIST_REASON_DYNAMIC: Client MAC: 2ae5.1a47.3456 was added to exclusion list associated with AP Name:AP1D06.EC4F.6324, BSSID:MAC: 2c1a.050a.3f0e, reason:ACL failure
    2023/03/17 15:39:07.486417 {wncd_x_R0-0}{1}: [auth-mgr] [9707]: (info): [0000.0000.0000:unknown] SM UP Authz failed Attr list:0x0
    2023/03/17 15:39:07.486465 {wncd_x_R0-0}{1}: [auth-mgr] [9707]: (info): [2ae5.1a47.3456:capwap_90000183] Removing User Profile post authz fail
    2023/03/17 15:39:07.486480 {wncd_x_R0-0}{1}: [auth-mgr] [9707]: (info): [2ae5.1a47.3456:capwap_90000183] AUTHZ_FAIL - unauthorize as default
    2023/03/17 15:39:07.486599 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [9707]: (ERR): SANET_AUTHZ_FAILURE - ACL Failure username testuser, audit session id 0A02630A00001D56F1831CB0,
    2023/03/17 15:39:07.486834 {wncd_x_R0-0}{1}: [errmsg] [9707]: (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (2ae5.1a47.3456) on Interface capwap_90000183 AuditSessionID 0A02630A00001D56F1831CB0. Failure Reason: ACL Failure. Failed attribute name #ACSACL#-IP-VLAN_17___PCs____HQ_Macbook_Users_-3026-32.
    2023/03/17 15:39:07.486852 {wncd_x_R0-0}{1}: [auth-mgr] [9707]: (info): [2ae5.1a47.3456:capwap_90000183] Authz failed/unapplied for 0xF6000E59 (2ae5.1a47.3456), method: dot1x. Signal switch PI.
    2023/03/17 15:39:07.487679 {wncd_x_R0-0}{1}: [client-orch-sm] [9707]: (info): MAC: 2ae5.1a47.3456  Deleting the client, reason: 121, CO_CLIENT_DELETE_REASON_EXCLUDE_ACL_FAIL, Client state S_CO_L2_AUTH_IN_PROGRESS
    2023/03/17 15:39:07.487746 {wncd_x_R0-0}{1}: [client-orch-sm] [9707]: (note): MAC: 2ae5.1a47.3456  Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_EXCLUDE_ACL_FAIL, fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|98|

    So if I were to guess, this here is the key:

    Failure Reason: ACL Failure. Failed attribute name #ACSACL#

    Something tells me that rather than accepting my ip access list as written, it's actually looking for an ACL NAME that resides on the wireless controller, like a pre-defined ACL that gets downloaded off the controller.

    Is it, in fact, possible to do IP-based downloadable ACLs on Cisco wifi?  I understand that it should work for switches, but I'm just not sure about wifi.

  • 5.  RE: Clearpass dACL to Cisco EWC 9800

    Posted 4 days ago

    Is CoA configured on the Cisco WLC?

    Yes, my screenshots were for a Cisco switch, but it should also work with the WLC. For the WLC, your options are filter-id, dACL, or Cisco-AVPair.

    I use Cisco-AVPair mainly for redirections and their ACLs, where the name of an ACL is sent.

    as seen below

    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.

  • 6.  RE: Clearpass dACL to Cisco EWC 9800

    Posted 2 days ago

    Yes, CoA was configured.   I see now why it doesn't work.

    I came across a document titled:

    Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Dublin 17.10.x

    And in there it says:

    The Downloadable ACL (dACL) feature defines and updates access control lists (ACLs) in one place (Cisco ISE) and allows ACL download to all the applicable controllers.

    In Cisco IOS-XE 17.8 and earlier releases, you had to configure the name in Cisco ISE and define the ACL individually in each of the controllers.

    The dACL feature is supported only in a centralized controller in Local mode.

    So it does look like it is available in newer revisions.  There are some caveats however:

    • dACL does not support FlexConnect local switching.

    • IPv6 dACLs are supported only in Cisco ISE 3.0 or a later release.

    • The dACL feature is supported only in a centralized controller in Local mode.

    So that explains why it is looking for a name, in the release I'm currently using.
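    As an added troubleshooting example (not code from this thread, ClearPass or Cisco), the Python below decodes the hex-encoded Cisco-IP-Downloadable-ACL value that Access Tracker shows into its #ACSACL# name, pulls the ACL failure and exclusion-list entry out of the radioactive-trace lines quoted in this thread, and cross-checks that the name the controller could not apply is the one ClearPass sent. The sample VSA value is constructed here from the ACL name in the trace, and the verdict text assumes this thread's conclusion that a controller without dACL download support expects the named ACL to already exist locally.

```python
import re

# Constructed sample: the Cisco-IP-Downloadable-ACL value as Access Tracker
# shows it (hex-encoded), built here from the ACL name quoted in the trace.
ACL_NAME = "#ACSACL#-IP-VLAN_17___PCs____HQ_Macbook_Users_-3026-32"
SAMPLE_VSA_HEX = "0x" + ACL_NAME.encode("ascii").hex()  # starts "0x23414353"

# Constructed sample: two radioactive-trace lines as quoted in the thread.
SAMPLE_TRACE = """\
2023/03/17 15:39:07.485050 {wncd_x_R0-0}{1}: [client-exclusion] [9707]: (info): MAC: 2ae5.1a47.3456  Add client to exclusionlist, sending ipc to add client to client exclusion table, reason: ACL failure, timeout: 60, AP: MAC: 1c1f.040c.3420
2023/03/17 15:39:07.486834 {wncd_x_R0-0}{1}: [errmsg] [9707]: (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (2ae5.1a47.3456) on Interface capwap_90000183 AuditSessionID 0A02630A00001D56F1831CB0. Failure Reason: ACL Failure. Failed attribute name #ACSACL#-IP-VLAN_17___PCs____HQ_Macbook_Users_-3026-32.
"""

FAIL_RE = re.compile(
    r"%SESSION_MGR-5-FAIL: .*?client \(([0-9a-f.]+)\).*?"
    r"Failure Reason: (.+?)\. Failed attribute name (\S+)\.$")
EXCL_RE = re.compile(
    r"\[client-exclusion\].*?MAC: ([0-9a-f.]+)\s+Add client to exclusionlist"
    r".*?reason: ([^,]+), timeout: (\d+)")

def decode_dacl_vsa(hex_value: str) -> str:
    """Turn the 0x... hex string shown in Access Tracker back into text."""
    raw = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    return bytes.fromhex(raw).decode("ascii")

def is_acl_name_reference(value: str) -> bool:
    """True when the VSA carries an ACL name (#ACSACL#-IP-...), not ACL rules."""
    return value.startswith("#ACSACL#-IP-")

def parse_trace(text: str) -> dict:
    """Pull the authz failure and any exclusion-list entry out of trace text."""
    found = {}
    for line in text.splitlines():
        if m := FAIL_RE.search(line.rstrip()):
            found["fail"] = {"mac": m.group(1), "reason": m.group(2), "attr": m.group(3)}
        if m := EXCL_RE.search(line):
            found["excluded"] = {"mac": m.group(1), "reason": m.group(2),
                                 "timeout_s": int(m.group(3))}
    return found

def triage(hex_value: str, trace_text: str) -> str:
    """Cross-check what ClearPass sent against what the WLC failed on."""
    sent = decode_dacl_vsa(hex_value)
    fail = parse_trace(trace_text).get("fail")
    if fail and fail["reason"] == "ACL Failure" and fail["attr"] == sent \
            and is_acl_name_reference(sent):
        return (f"{fail['mac']}: WLC rejected dACL name {sent}; on releases "
                "without dACL download support that name must exist locally")
    return "no matching dACL authorization failure in trace"
```

Feed it the hex value from Access Tracker and the trace for the client MAC; a verdict naming the #ACSACL# reference confirms the controller is resolving a name rather than applying the rules in the profile.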

  • 7.  RE: Clearpass dACL to Cisco EWC 9800

    Posted 2 days ago

    This is correct ^. dACL support was just added in the 9800.