11-08-2022 07:27 PM
Has anybody experienced this on higher versions? I seem to replicate this issue on 17.3.5, Cisco 9300 switch with 28 lines of DACL - which shows empty after successful authentication.
11-08-2022 07:39 PM
Haven't experienced this. When you run "show authentication session interface xxxx detail" and "show ip access-list interface xxxx", is the ACL not showing under the interface, or is the ACL not even pushed as part of authorization?
11-08-2022 07:50 PM
I see the ACL is pushed and applied to the interface, it's just empty.
Server Policies:
ACS ACL: xACSACLx-IP-DACL_touch_panel-3194-38
Method status list:
Method State
dot1x Stopped
mab Authc Success
hostname#
hostname#sh ip access-lists xACSACLx-IP-DACL_touch_panel-3194-38
hostname#
The above output was when I had a DACL with 28 lines/entries. I shortened the DACL policy to 26 lines, bounced the port, and I see the DACL correctly applied.
11-09-2022 04:54 AM
Hmm, it's not uncommon for older bugs to resurface on new code. Ideally it should support up to 64 entries; you should talk to TAC.
11-16-2022 10:49 AM
We are hitting this bug also. Anybody know of a fixed version in the 16.X train for 3560 switches?
11-16-2022 10:50 AM
I mean 3650 switches.
08-11-2023 02:31 AM
Same here, IOS 16.12.7
09-13-2023 04:56 AM - edited 09-13-2023 04:59 AM
Same issue here. On 17.6.5.
%SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client on Interface GigabitEthernet1/0/27 AuditSessionID . Failure Reason: ACL Failure
Anybody ever find a solution?
01-10-2024 05:03 AM
Not sure if this helps anyone, but my issue was with the dACL in ISE where I had a duplicate entry for a host. The 9200 switch platform did not know how to read the dACL due to the second entry and therefore displayed the error. Once I removed the duplicate entry and saved the dACL, it worked. Hope this helps someone.
01-10-2024 07:41 AM
We eventually solved our issue. It was caused by the ACL name being too long and our problem was permanently resolved after that change.
05-23-2024 07:20 AM
Can you tell us how short you renamed the ACL? Any particular character limit you seem to be working with? I will try to do this in my environment now.
05-23-2024 08:24 AM
I think the limit was 32 but I don't remember now. How did it go and did it resolve the issue?
05-23-2024 08:47 AM - edited 05-23-2024 08:48 AM
So I just double-checked. We push a lot of DACLs via our NAC device, a unique DACL for every device type. The actual names of the DACLs for the others are longer than the problematic one and work fine. The only difference is that the rest are less than 28 lines in length.
Unfortunately, there isn't much scope to trim this DACL down to <28 lines. But just for testing, when I bring it down to 27 lines, it works like a charm.
02-14-2024 05:42 AM
Folks, we had a similar issue and we fixed it by using IOS-XE 16.9.5.
05-23-2024 07:10 AM
I'm using 16.9.8 on C3650 and 17.6.1 on C9400s. Still having the same problem.
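The three causes reported in this thread (dACL empty at 28 or more entries, an ACL name that is too long, a duplicate host entry) can all be caught before the dACL is pushed from ISE. The following pre-push lint is an added example written for this thread, not Cisco or ISE code; the thresholds are taken from what posters observed above and are assumptions to tune against your own platform and release, not documented limits.

```python
"""Pre-push lint for an ISE dACL body (added example; not vendor code).

Thresholds are the symptoms reported in the thread and are assumptions:
28 entries showed up empty while 27 applied, and one poster recalled a
32-character name limit. Adjust after testing on your switch code.
"""
import re

MAX_ENTRIES = 27   # assumption: thread saw 28 lines -> empty ACL, 27 -> applied
MAX_NAME_LEN = 32  # assumption: thread recollection of the name limit

# An ACE line must start with permit/deny followed by a protocol keyword.
ACE_RE = re.compile(r"^(permit|deny)\s+\S+.*$", re.IGNORECASE)


def normalize(line: str) -> str:
    """Collapse whitespace and case so equivalent ACEs compare equal."""
    return " ".join(line.strip().lower().split())


def lint_dacl(name: str, body: str) -> list[str]:
    """Return a list of findings; an empty list means the dACL passes."""
    findings = []
    if len(name) > MAX_NAME_LEN:
        findings.append(f"name too long ({len(name)} > {MAX_NAME_LEN})")
    # Ignore blank lines and '!' comment lines, as the switch parser would.
    entries = [normalize(l) for l in body.splitlines()
               if l.strip() and not l.strip().startswith("!")]
    if len(entries) > MAX_ENTRIES:
        findings.append(f"too many entries ({len(entries)} > {MAX_ENTRIES})")
    seen = set()
    for i, ace in enumerate(entries, 1):
        if not ACE_RE.match(ace):
            findings.append(f"line {i}: not a permit/deny ACE: {ace!r}")
        if ace in seen:
            findings.append(f"line {i}: duplicate entry: {ace!r}")
        seen.add(ace)
    return findings


# Constructed sample dACL with a duplicated host entry (the 9200 case above).
SAMPLE_NAME = "DACL_touch_panel"
SAMPLE_BODY = """\
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 10.0.0.5 eq 443
permit tcp any host 10.0.0.5 eq 443
deny ip any any
"""

if __name__ == "__main__":
    for finding in lint_dacl(SAMPLE_NAME, SAMPLE_BODY):
        print(finding)
```

Run it against each dACL exported from ISE before rolling out a change; a clean result does not prove the switch will apply the ACL, so still confirm with "show ip access-lists" after a port bounce.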