Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2133
Views
0
Helpful
7
Replies

Cisco 3850 switch DACL not getting applied in posture "unknown" state

Go to solution
SHABEEB KUNHIPOCKER
Level 3
Level 3

‎12-23-2018 11:25 AM

Hi,

I have a Cisco 3850 switch doing dot1x authentication on ports. In the posture unknown state I am pushing a redirect acl and a DACL from the ISE once the user moves to posture unknown state. I have noticed that in the posture unknown state the DACL am is not taking effect. The switch version is 3.6.8. Please help.

 

Thanks 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎01-10-2019 07:39 PM

Can you share plz the output of show authe sess int gx/x/x detail?

 

I had same issue for CWA. You can do a quick test by doing a ping from your machine to 8.8.8.8.

I believe your ACL is blocking ICMP and there just to redirect traffic to posture, am I right?

If ping works even if ACL is blocking, I highly suggest to open a TAC.

 

In my case, we're pushing the redirect acl (already configured on the switch) + dACL. The switch doesn't take into consideration any acl when it comes to do some kind of redirect. However, if you push an acl on a normal dot1x or mab authentication, then this acl is enforced.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

0 Helpful
7 Replies 7

Go to solution
mnagired
Cisco Employee
Cisco Employee

‎12-23-2018 06:28 PM

Hi Shabeeb,

 

Refer to the below link and let me know if that helps..

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html#anc36 

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎12-23-2018 11:59 PM

Hi

When saying the dack had no effect, do you see it applied on the port or not?
Can you share the ise log and output of the switch showing this dacl applied?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
Aravind Ravichandran
Level 3
Level 3

‎12-31-2018 03:09 AM

Take debug epm all debug from the switch & check whether dacl is applied or not.

-Aravind
0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎01-10-2019 06:43 PM

Do you have a base_acl configured on the port that will be overridden by your dacl?  Also, ensure that you have enabled device tracking.

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎01-10-2019 07:39 PM

Can you share plz the output of show authe sess int gx/x/x detail?

 

I had same issue for CWA. You can do a quick test by doing a ping from your machine to 8.8.8.8.

I believe your ACL is blocking ICMP and there just to redirect traffic to posture, am I right?

If ping works even if ACL is blocking, I highly suggest to open a TAC.

 

In my case, we're pushing the redirect acl (already configured on the switch) + dACL. The switch doesn't take into consideration any acl when it comes to do some kind of redirect. However, if you push an acl on a normal dot1x or mab authentication, then this acl is enforced.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
rhuel.phils
Level 1
Level 1
In response to Francesco Molino

‎08-25-2019 09:10 PM

Guys, how did you resolve the issue?

we are having the same issue.

please share workaround! Thanks

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to rhuel.phils

‎08-26-2019 12:13 PM

If urgent please work through the TAC
0 Helpful
Customers Also Viewed These Support Documents