https://community.cisco.com/t5/network-access-control/view-dacl-that-has-been-downloaded-to-nad/m-p/3081259#M23207 <P>I have an Auth Profile with DACL attached (permit all traffic) which looks to be working OK, but my query is - How do I view and confirm that the DACL is on the switch?</P> <P></P> <P>I see the following on the switch -</P> <P>SW-TEST-01<BR /><BR /><EM>#sh authentication sessions interface gi3/0/45 de</EM><BR /><EM> Interface: GigabitEthernet3/0/45</EM><BR /><EM> IIF-ID: 0x1033AC0000001C4</EM><BR /><EM> MAC Address: f01f.af4e.f281</EM><BR /><EM> IPv6 Address: Unknown</EM><BR /><EM> IPv4 Address: 10.44.21.83</EM><BR /><EM> User-Name: xxxxxxxxx</EM><BR /><EM> Status: Authorized</EM><BR /><EM> Domain: DATA</EM><BR /><EM> Oper host mode: multi-domain</EM><BR /><EM> Oper control dir: both</EM><BR /><EM> Session timeout: N/A</EM><BR /><EM> Restart timeout: N/A</EM><BR /><EM> Session Uptime: 11s</EM><BR /><EM> Common Session ID: 0A2C0031000065CE7DC150DA</EM><BR /><EM> Acct Session ID: 0x0000656E</EM><BR /><EM> Handle: 0xCF000055</EM><BR /><EM> Current Policy: POLICY_Gi3/0/45</EM></P> <P><EM></EM></P> <P><EM>SW-TEST-01#sh ip access-lists interface gi3/0/45<BR />SW-TEST-01<BR /></EM></P> <P></P> <P>From the Radius logs I can see the following and it says -&nbsp;<STRONG>Added the dACL specified in the Authorization Profile</STRONG> but I am unsure where to confirm this is indeed being pushed down.</P> <P></P> <TABLE border="0" class="content_table"> <TBODY> <TR> <TD width="31%">NAS Port Id</TD> <TD width="69%">GigabitEthernet3/0/45</TD> </TR> <TR> <TD width="31%">NAS Port Type</TD> <TD width="69%">Ethernet</TD> </TR> <TR> <TD width="31%">Authorization Profile</TD> <TD width="69%">Corporate User Auth</TD> </TR> </TBODY> </TABLE> <P></P> <P></P> <TABLE class="content_table_steps" border="0" cellpadding="3"> <TBODY> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>24439</TD> <TD>Machine Attributes retrieval from Active Directory succeeded</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>24422</TD> <TD>ISE has confirmed previous successful machine authentication for user in Active Directory</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>15036</TD> <TD>Evaluating Authorization Policy</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>15048</TD> <TD>Queried PIP</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>24432</TD> <TD>Looking up user in Active Directory -&nbsp;xxxxxxxx</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>24355</TD> <TD>LDAP fetch succeeded</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>24416</TD> <TD>User's Groups retrieval from Active Directory succeeded</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>15048</TD> <TD>Queried PIP</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>15004</TD> <TD>Matched rule</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>15016</TD> <TD>Selected Authorization Profile - Corporate User Auth</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>11022</TD> <TD><STRONG>Added the dACL specified in the Authorization Profile</STRONG></TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>11503</TD> <TD>Prepared EAP-Success</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>11002</TD> <TD>Returned RADIUS Access-Accept</TD> </TR> </TBODY> </TABLE> Mon, 11 Mar 2019 07:36:55 GMT GRANT3779 2019-03-11T07:36:55Z https://community.cisco.com/t5/network-access-control/view-dacl-that-has-been-downloaded-to-nad/m-p/3081259#M23207 <P>I have an Auth Profile with DACL attached (permit all traffic) which looks to be working OK, but my query is - How do I view and confirm that the DACL is on the switch?</P> <P></P> <P>I see the following on the switch -</P> <P>SW-TEST-01<BR /><BR /><EM>#sh authentication sessions interface gi3/0/45 de</EM><BR /><EM> Interface: GigabitEthernet3/0/45</EM><BR /><EM> IIF-ID: 0x1033AC0000001C4</EM><BR /><EM> MAC Address: f01f.af4e.f281</EM><BR /><EM> IPv6 Address: Unknown</EM><BR /><EM> IPv4 Address: 10.44.21.83</EM><BR /><EM> User-Name: xxxxxxxxx</EM><BR /><EM> Status: Authorized</EM><BR /><EM> Domain: DATA</EM><BR /><EM> Oper host mode: multi-domain</EM><BR /><EM> Oper control dir: both</EM><BR /><EM> Session timeout: N/A</EM><BR /><EM> Restart timeout: N/A</EM><BR /><EM> Session Uptime: 11s</EM><BR /><EM> Common Session ID: 0A2C0031000065CE7DC150DA</EM><BR /><EM> Acct Session ID: 0x0000656E</EM><BR /><EM> Handle: 0xCF000055</EM><BR /><EM> Current Policy: POLICY_Gi3/0/45</EM></P> <P><EM></EM></P> <P><EM>SW-TEST-01#sh ip access-lists interface gi3/0/45<BR />SW-TEST-01<BR /></EM></P> <P></P> <P>From the Radius logs I can see the following and it says -&nbsp;<STRONG>Added the dACL specified in the Authorization Profile</STRONG> but I am unsure where to confirm this is indeed being pushed down.</P> <P></P> <TABLE border="0" class="content_table"> <TBODY> <TR> <TD width="31%">NAS Port Id</TD> <TD width="69%">GigabitEthernet3/0/45</TD> </TR> <TR> <TD width="31%">NAS Port Type</TD> <TD width="69%">Ethernet</TD> </TR> <TR> <TD width="31%">Authorization Profile</TD> <TD width="69%">Corporate User Auth</TD> </TR> </TBODY> </TABLE> <P></P> <P></P> <TABLE class="content_table_steps" border="0" cellpadding="3"> <TBODY> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>24439</TD> <TD>Machine Attributes retrieval from Active Directory succeeded</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>24422</TD> <TD>ISE has confirmed previous successful machine authentication for user in Active Directory</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>15036</TD> <TD>Evaluating Authorization Policy</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>15048</TD> <TD>Queried PIP</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>24432</TD> <TD>Looking up user in Active Directory -&nbsp;xxxxxxxx</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>24355</TD> <TD>LDAP fetch succeeded</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>24416</TD> <TD>User's Groups retrieval from Active Directory succeeded</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>15048</TD> <TD>Queried PIP</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>15004</TD> <TD>Matched rule</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>15016</TD> <TD>Selected Authorization Profile - Corporate User Auth</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>11022</TD> <TD><STRONG>Added the dACL specified in the Authorization Profile</STRONG></TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>11503</TD> <TD>Prepared EAP-Success</TD> </TR> <TR onmouseover="this.className='content_table_steps_highlight';" onmouseout="this.className='';" class=""> <TD>&nbsp;</TD> <TD>11002</TD> <TD>Returned RADIUS Access-Accept</TD> </TR> </TBODY> </TABLE> Mon, 11 Mar 2019 07:36:55 GMT https://community.cisco.com/t5/network-access-control/view-dacl-that-has-been-downloaded-to-nad/m-p/3081259#M23207 GRANT3779 2019-03-11T07:36:55Z https://community.cisco.com/t5/network-access-control/view-dacl-that-has-been-downloaded-to-nad/m-p/3081260#M23210 <P>Hi,</P> <P>You can check for&nbsp;interface using below command</P> <P>sh access-list int &lt;name of the DACL&gt;</P> <P></P> <P>Also you can enable "debug epm all" to check the DACL contents coming from ISE on switch.</P> <P>It generates huge amount of traffic. Try to enable if required and then disable it immediately.</P> <P></P> <P>Regards</P> <P>Gagan</P> <P>Rate helpful posts!!!!!!</P> Fri, 07 Apr 2017 00:44:38 GMT https://community.cisco.com/t5/network-access-control/view-dacl-that-has-been-downloaded-to-nad/m-p/3081260#M23210 Gagandeep Singh 2017-04-07T00:44:38Z https://community.cisco.com/t5/network-access-control/view-dacl-that-has-been-downloaded-to-nad/m-p/5275419#M595668 <P>Did this work for you?</P> Wed, 26 Mar 2025 15:49:59 GMT https://community.cisco.com/t5/network-access-control/view-dacl-that-has-been-downloaded-to-nad/m-p/5275419#M595668 tme 2025-03-26T15:49:59Z