How the Downloadable ACL is pushed by Cisco ISE to the Switch.

I always asked me a question how the Downloadable ACL is pushed by Cisco ISE to the Switch.

The 802.1X protocol is basically a method to control the network access for users, authentication with a username and password, and authorization using a Dacl or VLAN assignment for example.

The PC sends a EAP-Response message providing the username, for example “Employee” in this case, the NAD or the Switch encapsulates the EAP message in Radius Packet and sends a Radius Access-Request packet to Cisco ISE. This Radius Access-Request contains the Attribute Value Pair “AVP” “User-Name”=employee

The Cisco ISE based on the credentials (Employee), validates the authentication using an authentication policy and based, let’s say the group the username employee belongs to, provide authorization using an authorization policy, in this case the authorization is provided through a Downloadable ACL called Employee-acl.

The Cisco ISE sends a Radius Access-Accept packet as a response to the Radius Access-Request originated by the Switch.

This Radius Access-Accept packet contains the Cisco-AVP (Attribute Value Pair Attribute) with the Value=employee_acl, to tell the Switch which ACL it should apply to the user Employee.

In the Wireshark capture below, we can see that the Cisco ISE does not provide the content of the Dacl, in other words the ACE entries. It provides only the name of the Dacl.

Then the Switch generates and sends a Radius Access-Request . This Radius Access-Request contains the Attribute Value Pair “AVP” “User-Name”=employee_acl, the Switch tells the Cisco ISE, OK I dont have a locally configured ACL with the same name, can you send me the content of the ACL named employee_acl?

Finally, the Cisco ISE sends a response through the Radius Access-Accept with the content of the Dacl as shown below, with the ACEs entries: permit tcp any any eq 443, permit icmp any any and deny ip any any.

Conclusion:

The Cisco ISE does not push the entire Dacl with the ACEs once it receives a Radius Access-Request from the NAD for user authentication, instead it sends a Radius Access-Accept including just the name of the Dacl and without the ACEs.

The Cisco ISE will wait the switch to send another Radius Access-Request but the “User-Name” attribute contains only the name of the ACL, the purpose is to request the Cisco ISE the details (ACEs) of this Dacl.

Published by:

Redouane MEDDANE

Redouane MEDDANE is Cisco Instructor CCSI #35458, 3xCCNP Collaboration, Security and Enterprise and he a published author of some of the most important OSPF Protocol, Security and Collaboration books in the world titled OSPF Demystified With RFC, Network Security All-in-one, and Dial Plan and Call Routing Demystified on CUCM. He is also a blogger at ipdemystify.com and writes articles about collaboration and security to demystify the most complex topics. His books are known for their technical depth and accuracy especially the OSPF Demystified With RFC book, which is considered as the best OSPF book in the world and named "One of the best OSPF ebooks of all time" by BookAuthority It gives you a hint at the ability to explain complex topics with remarkable ease. He worked as a Cisco Instructor and consultant indifferent Cisco Learning Partner and awarded twice as Cisco Distinguished Instructor Award and Cisco Security Instructor Excellence Award on 2018 and 2019, and Cisco Collaboration Instructor Excellence Award on 2020. The Distinguished Instructor Award recognizes the top 5% of Cisco's most influential CCSI's who provide the highest quality training experience and demonstrate the best overall instructor performance across multiple Cisco technologie and Instructor Excellence Award recognizes the top 25% of elite CCSIs being recognized for delivering top quality training and maintaining high customer satisfaction in their field of expertise.

Categories SecurityLeave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s