dACL not working properly
04-17-2025 06:28 AM
Hello,
I am writing to you about an issue I am facing.
After credential validation on the Cisco ISE captive portal, our Cisco 2960 switch receives a dACL for the user's port.
However, after almost 30 seconds the port loses the dACL configuration.
As you can see below:
show access-session interface gigabitEthernet 1/0/6 details
Interface: GigabitEthernet1/0/6
MAC Address:
IPv6 Address: Unknown
IPv4 Address:
User-Name: rnsh5697
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Session Uptime: 38s
Common Session ID: AC1C8EA20000B52CC86E1B21
Acct Session ID: 0x0000B4ED
Handle: 0x2D000084
Current Policy: CISCO_ISE
Server Policies:
ACS ACL: xACSACLx-IP-Remediation-dacl-67beffcf
show access-session interface gigabitEthernet 1/0/6 details
Interface: GigabitEthernet1/0/6
MAC Address:
IPv6 Address: Unknown
IPv4 Address:
User-Name: rnsh5697
Status: Unauthorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Session Uptime: 161s
Common Session ID: AC1C8EA20000B52CC86E1B21
Acct Session ID: 0x0000B4ED
Handle: 0x2D000084
Current Policy: CISCO_ISE
Method status list:
Method State
dot1x Stopped
mab Authc Success
Do you have an idea how I can fix this problem?
Best regards.
04-18-2025 03:49 AM
You shared two authc sessions; the first one is not complete.
Also, the difference between the two authc sessions is that one is authz and the other is not. Can I see the port config?
MHM
04-18-2025 05:09 AM
Hello,
You will find the port configuration below.
interface GigabitEthernet1/0/6
switchport access vlan 105
switchport mode access
access-session host-mode multi-domain
access-session port-control auto
mab
dot1x pae authenticator
service-policy type control subscriber CISCO_ISE
end
show policy-map type control subscriber CISCO_ISE
CISCO_ISE
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
I use the same configuration on another switch and I have not encountered this problem.
04-18-2025 05:36 AM - edited 04-18-2025 05:38 AM
This is the new-style mode; are you sure both SW use the new mode?
MHM
04-18-2025 07:29 AM
Yes, both use new mode.
04-23-2025 02:03 AM
I checked the log on my side.
I noticed an uninstallation of the dACL after about 1 minute:
Apr 16 09:29:59 172.28.142.162 EPM_SESS_EVENT: ACL xACSACLx-IP-Remediation-dacl-67beffcf provisioning successful
Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Feature (EPM MISC PLUG-IN) identity has been updated (status 1)
Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Feature (SM ACCOUNTING PLUG-IN) identity has been updated (status 1)
Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Received Mac [246a.0ea2.7413]
Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Received audit-session-id [AC1C8EA20000B52CC86E1B21]
Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Received IDB [GigabitEthernet1/0/6]
Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Received IPv4 [10.242.3.99]
Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Feature (EPM ACL PLUG-IN) identity has been updated (status 0)
Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Feature (EPM ACL PLUG-IN) Status (2) Notified
Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Successful feature attrs provided for EPM MISC PLUG-IN
Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Successful feature attrs provided for SM ACCOUNTING PLUG-IN
Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Successful feature attrs provided for EPM ACL PLUG-IN
Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Feature (EPM MISC PLUG-IN) has been terminated
Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Feature (SM ACCOUNTING PLUG-IN) has been terminated
Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Feature (EPM ACL PLUG-IN) has been terminated
Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Un-Installing Named ACL xACSACLx-IP-Remediation-dacl-67beffcf session_ctx F3A2CD0 feat_ctx EF80968 feat_conf F4ED158
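Added example, not part of the thread or of any Cisco tooling: a small Python checker that walks EPM_SESS_EVENT syslog lines like the ones above and flags any dACL that is un-installed shortly after being provisioned on the same switch, so the same symptom can be spotted in collected logs from other switches. The sample lines are copied from the post; the year (syslog carries none) and the 120-second threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: lines taken from the syslog excerpt in the post above,
# trimmed to those the detector cares about.
SAMPLE_LOG = """\
Apr 16 09:29:59 172.28.142.162 EPM_SESS_EVENT: ACL xACSACLx-IP-Remediation-dacl-67beffcf provisioning successful
Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Received audit-session-id [AC1C8EA20000B52CC86E1B21]
Apr 16 09:30:25 172.28.142.162 EPM_SESS_EVENT: Received IDB [GigabitEthernet1/0/6]
Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Feature (EPM ACL PLUG-IN) has been terminated
Apr 16 09:30:51 172.28.142.162 EPM_SESS_EVENT: Un-Installing Named ACL xACSACLx-IP-Remediation-dacl-67beffcf session_ctx F3A2CD0 feat_ctx EF80968 feat_conf F4ED158
"""

# "<Mon> <day> <hh:mm:ss> <switch-ip> EPM_SESS_EVENT: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) EPM_SESS_EVENT: (?P<msg>.*)$")
INSTALL_RE = re.compile(r"^ACL (?P<acl>\S+) provisioning successful")
UNINSTALL_RE = re.compile(r"^Un-Installing Named ACL (?P<acl>\S+) ")

def parse_ts(ts, year=2025):
    # Syslog timestamps carry no year; the year is an assumption so we can subtract.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def short_lived_dacls(log_text, max_seconds=120):
    """Return (host, acl, lifetime_seconds) for every dACL un-installed within
    max_seconds of being provisioned on the same switch."""
    installed = {}   # (host, acl) -> time of "provisioning successful"
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, msg, when = m["host"], m["msg"], parse_ts(m["ts"])
        i = INSTALL_RE.match(msg)
        if i:
            installed[(host, i["acl"])] = when
            continue
        u = UNINSTALL_RE.match(msg)
        if u and (host, u["acl"]) in installed:
            lifetime = (when - installed.pop((host, u["acl"]))).total_seconds()
            if lifetime <= max_seconds:
                findings.append((host, u["acl"], lifetime))
    return findings

if __name__ == "__main__":
    for host, acl, secs in short_lived_dacls(SAMPLE_LOG):
        print(f"{host}: dACL {acl} removed after {secs:.0f}s")
```

Feed it the EPM_SESS_EVENT lines from a syslog collector for several switches; a hit on one switch but not another points at a switch-side difference (software version, ACL size) rather than the ISE authorization profile.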
04-23-2025 10:05 AM
There is a bug about the number of lines in the ACL; try reducing the number of lines in the dACL if you use many lines.
MHM
