Cisco 3850 switch DACL not getting applied in posture "unknown" state

Hi,

I have a Cisco 3850 switch doing dot1x authentication on ports. In the posture unknown state I am pushing a redirect ACL and a DACL from the ISE once the user moves to the posture unknown state. I have noticed that in the posture unknown state the DACL is not taking effect. The switch version is 3.6.8. Please help.

Thanks

Accepted Solution

Francesco Molino
VIP Alumni

Can you please share the output of show authe sess int gx/x/x detail?

I had the same issue with CWA. You can do a quick test by doing a ping from your machine to 8.8.8.8.

I believe your ACL is blocking ICMP and is there just to redirect traffic to posture, am I right?

If ping works even though the ACL is blocking it, I highly suggest opening a TAC case.

In my case, we're pushing the redirect ACL (already configured on the switch) + dACL. The switch doesn't take any ACL into consideration when it comes to doing some kind of redirect. However, if you push an ACL on a normal dot1x or MAB authentication, then this ACL is enforced.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

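As an added check (example code written for this thread, not Cisco's or the poster's own), a small Python parser that reads a session dump like the one Francesco asks for and flags sessions that have both a URL Redirect ACL and an ACS ACL (dACL) attached, the combination he describes as not being enforced while the redirect is active. The session text is a constructed sample in the shape of show authentication sessions interface ... details output; the field labels, the ACL names and the session ID are assumptions.

```python
import re

# Constructed sample of "show authentication sessions interface gX/X/X details"
# output for a dot1x session sitting in posture-unknown state. Field labels and
# values are assumptions modelled on IOS-XE output, not captured from a device.
SAMPLE_SESSION = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0050.5600.1234
         IPv4 Address:  10.1.1.50
            User-Name:  alice
               Status:  Authorized
               Domain:  DATA
    Common Session ID:  0A0101010000001A0000ABCD

Server Policies:
     URL Redirect ACL:  REDIRECT-ACL
         URL Redirect:  https://ise.example.com:8443/portal/gateway?sessionId=0A0101010000001A0000ABCD&action=cpp
              ACS ACL:  xACSACLx-IP-POSTURE-UNKNOWN-5c9f1234

Method status list:
       Method           State
       dot1x            Authc Success
"""

# One "Label:  value" pair per line. The separator after the colon must be
# spaces, so a section header such as "Server Policies:" (colon, then newline)
# is not swallowed together with the line that follows it.
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z0-9 -]*?):[ \t]+(\S.*?)[ \t]*$", re.MULTILINE)


def parse_session(text):
    """Return the session dump as a {label: value} dict."""
    return {m.group(1).strip(): m.group(2) for m in FIELD_RE.finditer(text)}


def classify_session(fields):
    """Describe what the switch has attached to the session.

    'redirect+dacl' is the state discussed in the thread: a URL Redirect ACL and
    a dACL (ACS ACL) are both present, and while the redirect is active the
    switch may not enforce the dACL, so the filtering has to come from the
    redirect ACL itself.
    """
    has_redirect = "URL Redirect ACL" in fields
    has_dacl = "ACS ACL" in fields
    if has_redirect and has_dacl:
        return "redirect+dacl"
    if has_redirect:
        return "redirect-only"
    return "dacl-only" if has_dacl else "none"


def audit(text):
    """Return (session id, classification) so a monitoring script can flag it."""
    fields = parse_session(text)
    return fields.get("Common Session ID", "?"), classify_session(fields)
```

Run audit() over each session block from the switch and review every "redirect+dacl" result against what the redirect ACL actually permits, since that is the ACL doing the filtering in that state.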

7 Replies

mnagired
Cisco Employee

Take a "debug epm all" debug from the switch & check whether the dACL is applied or not.

-Aravind

Francesco Molino
VIP Alumni

Hi

When saying the dACL had no effect, do you see it applied on the port or not?
Can you share the ISE log and output of the switch showing this dACL applied?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Mike.Cifelli
VIP Alumni

Do you have a base ACL configured on the port that will be overridden by your dACL? Also, ensure that you have enabled device tracking.

Guys, how did you resolve the issue?

We are having the same issue.

Please share the workaround! Thanks

If urgent, please work through the TAC.