
dACL not working properly

Didier587
Level 1

Hello,

I am writing to you about an issue I am facing.

After credential validation on the Cisco ISE captive portal, our Cisco 2960 switch receives a dACL for the user's port.

However, after almost 30 seconds the port loses the dACL configuration.

As you can see below:

show access-session interface gigabitEthernet 1/0/6 details
Interface: GigabitEthernet1/0/6
MAC Address:
IPv6 Address: Unknown
IPv4 Address:
User-Name: rnsh5697
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Session Uptime: 38s
Common Session ID: AC1C8EA20000B52CC86E1B21
Acct Session ID: 0x0000B4ED
Handle: 0x2D000084
Current Policy: CISCO_ISE

Server Policies:
ACS ACL: xACSACLx-IP-Remediation-dacl-67beffcf

 

show access-session interface gigabitEthernet 1/0/6 details
Interface: GigabitEthernet1/0/6
MAC Address:
IPv6 Address: Unknown
IPv4 Address:
User-Name: rnsh5697
Status: Unauthorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Session Uptime: 161s
Common Session ID: AC1C8EA20000B52CC86E1B21
Acct Session ID: 0x0000B4ED
Handle: 0x2D000084
Current Policy: CISCO_ISE

Method status list:
Method State

dot1x Stopped
mab Authc Success

Do you have an idea how I can fix this problem?

Best regards.

4 Replies

You shared two authc sessions; the first one is not complete.

Also, the difference between the two authc sessions is that one is authz and the other is not authz. Can I see the port config?

MHM

Hello,

You will find below port configuration.

interface GigabitEthernet1/0/6
 switchport access vlan 105
 switchport mode access
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber CISCO_ISE
end

show policy-map type control subscriber CISCO_ISE
CISCO_ISE
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20

I use the same configuration on another switch and I have not encountered this problem.

This is new-style mode. Are you sure both SWs use new mode?

MHM

Yes, both use new mode.