https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5282727#M596007 <P>this new style mode are you sure about both SW use new mode ?</P> <P>MHM</P> Fri, 18 Apr 2025 12:38:58 GMT MHM Cisco World 2025-04-18T12:38:58Z https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5282337#M596001 <P>Hello,</P><P>I am writing you about a issue i am facing.</P><P>After credentials validation on Cisco ISE captive portal our Cisco 2960 witch receive a dACL to users port.</P><P>However after almost 30 seconds the port lose dACL configuration.</P><P>As you can see below</P><P>show access-session interface gigabitEthernet 1/0/6 details<BR />Interface: GigabitEthernet1/0/6<BR />MAC Address:<BR />IPv6 Address: Unknown<BR />IPv4 Address:<BR />User-Name: rnsh5697<BR />Status: Authorized<BR />Domain: DATA<BR />Oper host mode: multi-domain<BR />Oper control dir: both<BR />Session timeout: N/A<BR />Restart timeout: N/A<BR />Periodic Acct timeout: N/A<BR />Session Uptime: 38s<BR />Common Session ID: AC1C8EA20000B52CC86E1B21<BR />Acct Session ID: 0x0000B4ED<BR />Handle: 0x2D000084<BR />Current Policy: CISCO_ISE</P><P>Server Policies:<BR />ACS ACL: xACSACLx-IP-Remediation-dacl-67beffcf</P><P>&nbsp;</P><P>show access-session interface gigabitEthernet 1/0/6 details<BR />Interface: GigabitEthernet1/0/6<BR />MAC Address:<BR />IPv6 Address: Unknown<BR />IPv4 Address:<BR />User-Name: rnsh5697<BR />Status: Unauthorized<BR />Domain: DATA<BR />Oper host mode: multi-domain<BR />Oper control dir: both<BR />Session timeout: N/A<BR />Restart timeout: N/A<BR />Periodic Acct timeout: N/A<BR />Session Uptime: 161s<BR />Common Session ID: AC1C8EA20000B52CC86E1B21<BR />Acct Session ID: 0x0000B4ED<BR />Handle: 0x2D000084<BR />Current Policy: CISCO_ISE</P><P>Method status list:<BR />Method State</P><P>dot1x Stopped<BR />mab Authc Success</P><P>Do you have a idea how i can fix this problem ?</P><P>Best regards.</P> Thu, 17 Apr 2025 13:28:29 GMT https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5282337#M596001 DA587 2025-04-17T13:28:29Z https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5282690#M596004 <P>You share two authc session' first one is not complete.</P> <P>Also the different between two authc session is one is authz and other not authz' can I see port config&nbsp;</P> <P>MHM</P> Fri, 18 Apr 2025 10:49:01 GMT https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5282690#M596004 MHM Cisco World 2025-04-18T10:49:01Z https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5282709#M596005 <P>Hello,</P><P>You will find below port configuration.</P><P>interface GigabitEthernet1/0/6<BR />switchport access vlan 105<BR />switchport mode access<BR />access-session host-mode multi-domain<BR />access-session port-control auto<BR />mab<BR />dot1x pae authenticator<BR />service-policy type control subscriber CISCO_ISE<BR />end</P><P>show policy-map type control subscriber CISCO_ISE<BR />CISCO_ISE<BR />event session-started match-all<BR />10 class always do-until-failure<BR />10 authenticate using dot1x priority 10<BR />20 authenticate using mab priority 20</P><P>I use the same configuration on other switch and i have not encountered this problem.</P> Fri, 18 Apr 2025 12:09:45 GMT https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5282709#M596005 DA587 2025-04-18T12:09:45Z https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5282727#M596007 <P>this new style mode are you sure about both SW use new mode ?</P> <P>MHM</P> Fri, 18 Apr 2025 12:38:58 GMT https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5282727#M596007 MHM Cisco World 2025-04-18T12:38:58Z https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5282754#M596009 <P>Yes, both use new mode.</P> Fri, 18 Apr 2025 14:29:07 GMT https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5282754#M596009 DA587 2025-04-18T14:29:07Z https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5284204#M596056 <P>I checked by my side the log.</P><P><SPAN class=""><SPAN class=""><SPAN class="">I noticed an uninstallation of Dacl after about 1 minute</SPAN></SPAN></SPAN></P><P><STRONG>Apr 16 09:29:59 172.28.142.162 EPM_SESS_EVENT: ACL xACSACLx-IP-Remediation-dacl-67beffcf provisioning successful</STRONG></P><P>Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Feature (EPM MISC PLUG-IN) identity has been updated (status 1)</P><P>Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Feature (SM ACCOUNTING PLUG-IN) identity has been updated (status 1)</P><P>Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Received Mac [246a.0ea2.7413]</P><P>Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Received audit-session-id [AC1C8EA20000B52CC86E1B21]</P><P>Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Received IDB [GigabitEthernet1/0/6]</P><P>Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Received IPv4 [10.242.3.99]</P><P>Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Feature (EPM ACL PLUG-IN) identity has been updated (status 0)</P><P>Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Feature (EPM ACL PLUG-IN) Status (2) Notified</P><P>Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Successful feature attrs provided for EPM MISC PLUG-IN</P><P>Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Successful feature attrs provided for SM ACCOUNTING PLUG-IN</P><P>Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Successful feature attrs provided for EPM ACL PLUG-IN</P><P>Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Feature (EPM MISC PLUG-IN) has been terminated</P><P>Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Feature (SM ACCOUNTING PLUG-IN) has been terminated</P><P>Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Feature (EPM ACL PLUG-IN) has been terminated</P><P><STRONG>Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Un-Installing Named ACL xACSACLx-IP-Remediation-dacl-67beffcf session_ctx F3A2CD0 feat_ctx EF80968 feat_conf F4ED158</STRONG></P> Wed, 23 Apr 2025 09:03:08 GMT https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5284204#M596056 DA587 2025-04-23T09:03:08Z https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5284390#M596066 <P>There is bug about number of line of ACL' try reduce number of line of dacl if you use many lines.</P> <P>MHM</P> Wed, 23 Apr 2025 17:05:47 GMT https://community.cisco.com/t5/network-access-control/dacl-don-t-working-properly/m-p/5284390#M596066 MHM Cisco World 2025-04-23T17:05:47Z