
Catalyst Switch 1000 DACL Support

br15
Level 1

Hello,
Has anyone successfully integrated a C1000-8T-2G-L with Cisco ISE using dot1x and DACL support? The C1000 has the latest software image (15.2.7E7).

We have found a strange issue: if the authorization profile has a DACL set, the user port fails to pass dot1x authentication. Even if the DACL is just a permit any, it still fails. When we set the authorization profile with just a VLAN and no DACL, the user port authenticates successfully and the machine can get on the network. We are using the same authorization profile for 2960X, 3560CX, 3850 and 9300 switches and they work with DACLs, but this is the 1st time we've added a C1000 on the LAN. MAB also works fine on the C1000.

3 Replies

CcNoE
Level 1

Why would you deploy a C1000? Why not deploy current standard and avoid the issue?

This should work fine. Note that the C1000 runs IOS, not IOS-XE, so you will need the legacy device tracking commands on the switch to properly enforce dACLs. These should be the same ones you are using on your 2960X and 3560CX though.

thomas
Cisco Employee

Does the C1000 support ACLs in hardware?

If not, it should at least ignore any attributes for DACL assignments that it does not understand in the form of RADIUS attributes sent from ISE.

Could also be a switch bug.