topic Re: Preauth acl cuts out connectivity in Network Access Control

Preauth acl cuts out connectivity

koukourde — Wed, 18 Jun 2025 07:45:04 GMT

Hello,
I have configured pre auth acl on C1000 switch. This acl looks like:
10 permit xxx
20 permit xxx
...
100 permit ip any any

When I delete last ace devices lost connectivity except services included in preauth acl. That would be absolutely normal, but devices are authenticated and have assigned dacl with only one ace permit ip any any. It does not matter if it is printer authenticated via mab or user authenticated via dot1x.

I have another one C1000 switch with simmilar config and software and there everything works fine. What is wrong and how to troubleshoot it?

SW-Branch1#sh auth sess int g1/0/5 det
            Interface:  GigabitEthernet1/0/5
          MAC Address:  0020.6b44.3e58
         IPv6 Address:  Unknown
         IPv4 Address:  10.203.20.236
            User-Name:  00-20-6B-44-3E-58
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
       Session Uptime:  3720s
    Common Session ID:  0ACB1409000001FF87ADBD89
      Acct Session ID:  0x000029F8
               Handle:  0x2700005B
       Current Policy:  POLICY_Gi1/0/5

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
              ACS ACL:  xACSACLx-IP-ACL_PRINTER-6257f002

Method status list:
      Method            State

      dot1x              Stopped
      mab                Authc Success

SW-Branch1#sh ip access-lists xACSACLx-IP-ACL_PRINTER-6257f002
Extended IP access list xACSACLx-IP-ACL_PRINTER-6257f002 (per-user)
    1 permit ip any any
SW-Branch1#

Re: Preauth acl cuts out connectivity

MHM Cisco World — Wed, 18 Jun 2025 10:29:15 GMT

You push ACL line or name of ACL from AAA server ?

MHM

Re: Preauth acl cuts out connectivity

crystal99roberts — Wed, 18 Jun 2025 10:41:36 GMT

When the last ACE (permit ip any any) is removed, devices lose connectivity despite having a dACL (permit ip any any). This suggests the dACL is not overriding the pre-auth ACL correctly. Compare configurations between the two switches, verify ACL enforcement in show authentication sessions, check RADIUS logs, and use debugging (debug dot1x all and debug aaa authentication) to investigate further. If needed, modify the dACL to test different access scenarios.

Re: Preauth acl cuts out connectivity

koukourde — Fri, 20 Jun 2025 06:24:11 GMT

I'm not sure what you asking, it is standard dacl from ise

Re: Preauth acl cuts out connectivity

ainajohn96 — Tue, 24 Jun 2025 09:53:27 GMT

It sounds like a tricky situation with the preauth ACL affecting connectivity. Double-checking the ACL rules and ensuring they’re applied correctly is a good start. Sometimes, small misconfigurations can lead to issues like this. If possible, testing in a controlled environment might help narrow down the problem. Hope this helps, and good luck resolving it!

Re: Preauth acl cuts out connectivity

MHM Cisco World — Tue, 24 Jun 2025 10:03:43 GMT

The SW have preauth ACL

After the Authc success ISE push named and ACL line of dACL to SW

Now SW will use dACL instead of preauthc ACL.

In end SW will use one ACL per one direction.

That normal I dont see issue' permit any any allow all traffic inlcude that allow in preauth.

MHM

Re: Preauth acl cuts out connectivity

koukourde — Tue, 24 Jun 2025 12:22:14 GMT

I disagree there is no issue. Preauth acl is configured for inbound direction on switchport.

After successful authentication dacl should override preauth-acl, but it does not. After successful authentication devices have limited access included in preauth acl (permit ip any any in preauth acl is temporary) instead of full acces according to dacl.

I identified this issue at 3 branches, rest of them (about 15) works fine. Most of them have tha same switch and the same ios version. Configuration is simmilar, differences are only vlans and ip addresses.

Re: Preauth acl cuts out connectivity

MHM Cisco World — Tue, 24 Jun 2025 12:32:33 GMT

In issue with SW change host mode to be single-host and check

MHM

Re: Preauth acl cuts out connectivity

Rob Ingram — Tue, 24 Jun 2025 13:02:03 GMT

@koukourde is authorisation command configured on the switch? - "aaa authorization network default group radius"

Re: Preauth acl cuts out connectivity

koukourde — Wed, 25 Jun 2025 06:23:31 GMT

No luck, this change didn't help.

Re: Preauth acl cuts out connectivity

koukourde — Wed, 25 Jun 2025 07:43:50 GMT

Of course, authn and authz works fine.

Re: Preauth acl cuts out connectivity

MHM Cisco World — Wed, 25 Jun 2025 10:34:22 GMT

Add this command ""single-host"" in new port of switch with issue' and check.

MHM

Re: Preauth acl cuts out connectivity

koukourde — Wed, 25 Jun 2025 11:36:16 GMT

This command does not work or I don't get it. Current port config as below, before i changed authentication host-mode multi-auth to authentication host-mode single-host.

switchport access vlan 220 switchport mode access switchport nonegotiate switchport port-security maximum 3 switchport port-security aging time 15 switchport port-security ip access-group ACL_PRE_AUTH in no logging event link-status authentication control-direction in authentication event fail action next-method authentication event server dead action authorize authentication event server dead action authorize voice authentication event server alive action reinitialize authentication host-mode multi-auth authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto authentication periodic authentication timer reauthenticate server mab snmp trap mac-notification change added snmp trap mac-notification change removed dot1x pae authenticator dot1x timeout tx-period 10 spanning-tree portfast edge spanning-tree bpduguard enable ip dhcp snooping limit rate 100

Re: Preauth acl cuts out connectivity

MHM Cisco World — Wed, 25 Jun 2025 13:49:12 GMT

Re: Preauth acl cuts out connectivity

koukourde — Tue, 01 Jul 2025 11:44:25 GMT

Ip device tracking command didn't solve issue.