topic Re: Catalyst Switch 1000 DACL Support in Network Access Control

Catalyst Switch 1000 DACL Support

br15 — Mon, 12 Dec 2022 20:31:14 GMT

Hello,
Has anyone successfully integrated a C1000-8T-2G-L with Cisco ISE using dot1x and DACL support? The C1000 has the latest software image (15.2.7E7).

We have found a strange issue that if the authorization profile has a DACL set the user port fails to pass dot1x authentication. Even if the DACL is just a permit any it still fails. When we set the authorization profile with just a VLAN and no DACL then the user port authenticates successfully and the machine can get on the network. We are using the same authorization profile for 2960X, 3560CX, 3850 and 9300 switches and they work with DACLs but this is the 1st time we've added a C1000 on the LAN. MAB also works fine on the C1000.

Re: Catalyst Switch 1000 DACL Support

CcNoE — Mon, 12 Dec 2022 20:48:13 GMT

Why would you deploy a C1000? Why not deploy current standard and avoid the issue?

Re: Catalyst Switch 1000 DACL Support

ahollifield — Mon, 12 Dec 2022 21:31:43 GMT

This should work fine. Note that the C1000 runs IOS not IOS-XE so you will need the legacy device tracking commands on the switch to properly enforce dACLs. These should be the same you are using on your 2960X 3560CX though.

Re: Catalyst Switch 1000 DACL Support

thomas — Tue, 13 Dec 2022 03:47:46 GMT

Does the C1000 support ACLs in hardware?

If not, it should at least ignore any attributes for DACL assignments that it does not understand in the form of RADIUS attributes sent from ISE.

Could also be a switch bug.