https://community.cisco.com/t5/network-access-control/mab-failing-even-though-authc-is-successful/m-p/3563975#M440372 <HTML><HEAD></HEAD><BODY><P>Hi Justin,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; I'd first suggest that you try taking the comments ( ! ) out of your dACL contents.&nbsp; Older platforms in particular can have problems with dACL lines that are not true access control entries.&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp; The logs may stop short but my assumption is that you are getting AuthC success and AuthZ failure on the switch - meaning the switch is not able to apply the authorization instructions sent by ACS.&nbsp; AuthZ failure should be shown in normal logging levels, but you could also try debugging EPM to determine if the dACL is being applied.&nbsp; </P><P></P><P>These commands may also help with troubleshooting:</P><P>show ip access-list #ACSACL#-IP-LM-PERMIT-ALL-57217a63</P><P>show ip access-list g1/0/2 </P><P></P><P>Hope this helps,</P><P>-Fruits</P></BODY></HTML> Tue, 26 Sep 2017 12:35:47 GMT bfruits 2017-09-26T12:35:47Z https://community.cisco.com/t5/network-access-control/mab-failing-even-though-authc-is-successful/m-p/3563974#M440371 <HTML><HEAD></HEAD><BODY><P> <SPAN style="font-size: 10pt;">ACS/IBNS Teams,</SPAN></P><P></P><P>Customer is saying they cannot get mab working on a 3750 but the same host works on a 3560 if moved. Basically, it shows Authc successful but the port state still shows as unauthorized. </P><P></P><P>I have attached the logs. Any ideas? My next step is to also post to the ISE support community. However, this is ACS as the server today. </P><P></P><P>JP</P></BODY></HTML> Mon, 25 Sep 2017 23:37:11 GMT https://community.cisco.com/t5/network-access-control/mab-failing-even-though-authc-is-successful/m-p/3563974#M440371 jupoole 2017-09-25T23:37:11Z https://community.cisco.com/t5/network-access-control/mab-failing-even-though-authc-is-successful/m-p/3563975#M440372 <HTML><HEAD></HEAD><BODY><P>Hi Justin,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; I'd first suggest that you try taking the comments ( ! ) out of your dACL contents.&nbsp; Older platforms in particular can have problems with dACL lines that are not true access control entries.&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp; The logs may stop short but my assumption is that you are getting AuthC success and AuthZ failure on the switch - meaning the switch is not able to apply the authorization instructions sent by ACS.&nbsp; AuthZ failure should be shown in normal logging levels, but you could also try debugging EPM to determine if the dACL is being applied.&nbsp; </P><P></P><P>These commands may also help with troubleshooting:</P><P>show ip access-list #ACSACL#-IP-LM-PERMIT-ALL-57217a63</P><P>show ip access-list g1/0/2 </P><P></P><P>Hope this helps,</P><P>-Fruits</P></BODY></HTML> Tue, 26 Sep 2017 12:35:47 GMT https://community.cisco.com/t5/network-access-control/mab-failing-even-though-authc-is-successful/m-p/3563975#M440372 bfruits 2017-09-26T12:35:47Z