https://community.cisco.com/t5/network-access-control/switchport-configured-for-open-access-with-pre-auth-acl-cannot/m-p/3599533#M521258 <HTML><HEAD></HEAD><BODY><P>Indeed, that's a valid point. However, in my case I'm also offering wired guest access so MAB process would take over once dot1x timers have timed out.</P><P></P><P>A very big thank from my side though! The issue was incredibly stupid and I don't understand how I've missed this but it is nice to see the help that you offered. I marked your answer a very helpful and gave it a 5-star. Top class!</P><P></P><P>best Regards,<BR /> Tim</P></BODY></HTML> Fri, 29 Sep 2017 06:09:30 GMT Tim Verscheure 2017-09-29T06:09:30Z https://community.cisco.com/t5/network-access-control/switchport-configured-for-open-access-with-pre-auth-acl-cannot/m-p/3599529#M521250 <HTML><HEAD></HEAD><BODY><P>Situation: On a catalyst 3850, we configured a switchport for Open access with a pre-authentication ACL. After succesful dot1x authentication we authorize the user with a RADIUS_ACCEPT and we push a dACL from ISE that is supposed to override the pre-auth ACL. This dACL has a single "permit ip any any" entry that would open the switchport completely.</P><P></P><P>We noticed that although the dACL is received by the switch, it is not applied on the switchport and the pre-auth ACL remains active. So the enduser is authorized but cannot connect to anything.</P><P></P><P>We used open access mode to ensure that the client is able to contact the domain controllers to allow for GPO updates.</P><P></P><P>Thanks in advance</P></BODY></HTML> Thu, 28 Sep 2017 12:30:09 GMT https://community.cisco.com/t5/network-access-control/switchport-configured-for-open-access-with-pre-auth-acl-cannot/m-p/3599529#M521250 Tim Verscheure 2017-09-28T12:30:09Z https://community.cisco.com/t5/network-access-control/switchport-configured-for-open-access-with-pre-auth-acl-cannot/m-p/3599530#M521251 <HTML><HEAD></HEAD><BODY><P>While I usually use open mode with no preauth ACL the DACL should still work.&nbsp; Are you sure you are learning the IP address of the device?&nbsp; The switch cannot apply a DACL until the IP of the device is learned.&nbsp; Do you see the IP of the device in the "show auth session" details for the port?</P></BODY></HTML> Thu, 28 Sep 2017 12:55:49 GMT https://community.cisco.com/t5/network-access-control/switchport-configured-for-open-access-with-pre-auth-acl-cannot/m-p/3599530#M521251 paul 2017-09-28T12:55:49Z https://community.cisco.com/t5/network-access-control/switchport-configured-for-open-access-with-pre-auth-acl-cannot/m-p/3599531#M521254 <HTML><HEAD></HEAD><BODY><P>Thanks Paul for the quick response.</P><P></P><P>I just discovered that I forgot to apply the wrong authZ profile, the one without the permit all ACL of course.</P></BODY></HTML> Thu, 28 Sep 2017 13:53:29 GMT https://community.cisco.com/t5/network-access-control/switchport-configured-for-open-access-with-pre-auth-acl-cannot/m-p/3599531#M521254 Tim Verscheure 2017-09-28T13:53:29Z https://community.cisco.com/t5/network-access-control/switchport-configured-for-open-access-with-pre-auth-acl-cannot/m-p/3599532#M521256 <HTML><HEAD></HEAD><BODY><P>Tim,</P><P></P><P>Just remember when you are using preauth ACLs and you want things to fail open if ISE is unavailable you have to figure out a way to remove the preauth ACL when ISE is down. This is why I usually don’t use a preauth ACL. As long as the customer is okay with the statement “An unknown device will have 20-30 second of open network access before ISE slams the door shut” then no preauth ACL is required. The 20-30 seconds is the dot1x timeout.</P><P></P><P></P><P></P><P></P><P>Paul Haferman</P><P>Office- 920.996.3011</P><P>Cell- 920.284.9250</P></BODY></HTML> Thu, 28 Sep 2017 14:33:00 GMT https://community.cisco.com/t5/network-access-control/switchport-configured-for-open-access-with-pre-auth-acl-cannot/m-p/3599532#M521256 paul 2017-09-28T14:33:00Z https://community.cisco.com/t5/network-access-control/switchport-configured-for-open-access-with-pre-auth-acl-cannot/m-p/3599533#M521258 <HTML><HEAD></HEAD><BODY><P>Indeed, that's a valid point. However, in my case I'm also offering wired guest access so MAB process would take over once dot1x timers have timed out.</P><P></P><P>A very big thank from my side though! The issue was incredibly stupid and I don't understand how I've missed this but it is nice to see the help that you offered. I marked your answer a very helpful and gave it a 5-star. Top class!</P><P></P><P>best Regards,<BR /> Tim</P></BODY></HTML> Fri, 29 Sep 2017 06:09:30 GMT https://community.cisco.com/t5/network-access-control/switchport-configured-for-open-access-with-pre-auth-acl-cannot/m-p/3599533#M521258 Tim Verscheure 2017-09-29T06:09:30Z https://community.cisco.com/t5/network-access-control/switchport-configured-for-open-access-with-pre-auth-acl-cannot/m-p/3599534#M521260 <HTML><HEAD></HEAD><BODY><P>Tim,</P><P></P><P>Offering wired guest doesn’t mean you need to have a PreAuth ACL. PreAuth ACL is only required if the customer can’t live with 20-30 seconds of network access before MAB kicks in. If you have a guest wired scenario you can simply apply a DACL to limit access to what you want the guests to have access to.</P><P></P><P>In my installs if the customer can’t live with 20-30 seconds of network access before MAB kicks in we move to closed mode vs. PreAuth ACL. Closed mode has fail open commands built in whereas PreAuth ACL does not.</P><P></P><P>Thanks for the feedback.</P><P></P><P>Paul Haferman</P><P>Office- 920.996.3011</P><P>Cell- 920.284.9250</P></BODY></HTML> Fri, 29 Sep 2017 11:49:10 GMT https://community.cisco.com/t5/network-access-control/switchport-configured-for-open-access-with-pre-auth-acl-cannot/m-p/3599534#M521260 paul 2017-09-29T11:49:10Z