177 Views, 0 Helpful, 3 Replies

DACL not applying to switch port

pavit-gulati (Level 1)

Hey Team,

Having issues pushing a DACL to a Cisco switch. On ISE, it shows Authentication succeeded, but on the switch it shows authz failed. We have properly applied CoA on the switch. As soon as we remove the DACL and enforce the VLAN, everything starts to work.

Did anyone face the same issue before?


On switch, we see the following logs

*Apr 16 18:40:49.382: dot1x-sm:[5000.0010.0000, Et0/1] 0xC5000009:entering idle state
*Apr 16 18:40:49.382: dot1x-sm:[5000.0010.0000, Et0/1] Posting AUTH_SUCCESS on Client 0xC5000009
*Apr 16 18:40:49.382: dot1x_auth Et0/1: during state auth_authenticating, got event 12(authSuccess_portValid)
*Apr 16 18:40:49.382: @@@ dot1x_auth Et0/1: auth_authenticating -> auth_authc_result
*Apr 16 18:40:49.382: dot1x-sm:[5000.0010.0000, Et0/1] 0xC5000009:exiting authenticating state
*Apr 16 18:40:49.382: dot1x-sm:[5000.0010.0000, Et0/1] 0xC5000009:entering authc result state
*Apr 16 18:40:49.382: dot1x-packet:[5000.0010.0000, Et0/1] EAP Key data detected adding to attribute list
*Apr 16 18:40:49.392: dot1x-ev:[5000.0010.0000, Et0/1] Received Authz fail (result: 3) for the client 0xC5000009 (5000.0010.0000)
*Apr 16 18:40:49.392: dot1x-sm:[5000.0010.0000, Et0/1] Posting_AUTHZ_FAIL on Client 0xC5000009
*Apr 16 18:40:49.392: dot1x_auth Et0/1: during state auth_authc_result, got event 22(authzFail)
*Apr 16 18:40:49.392: @@@ dot1x_auth Et0/1: auth_authc_result -> auth_held
*Apr 16 18:40:49.392: dot1x-sm:[5000.0010.0000, Et0/1] 0xC5000009: held
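The debug output above has a distinct shape: the supplicant passes EAP authentication (AUTH_SUCCESS), and only afterwards the switch reports "Authz fail (result: 3)" and moves the port to auth_held. Separating that case from a plain credential failure is useful when sifting through a larger capture, so here is an added example (my own code, not from the poster or Cisco) that parses dot1x debug lines and lists every client whose authentication succeeded but whose authorization was then rejected. The sample input is the post's own lines (abridged) plus two constructed lines for a healthy client on Et0/2; the "auth_authorized" state name on that constructed line is an assumption, not taken from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the dot1x debug lines quoted in the post (abridged),
# plus two constructed lines for a healthy client on Et0/2 for contrast.
# The "auth_authorized" state name on the last line is an assumption.
SAMPLE_LOG = """\
*Apr 16 18:40:49.382: dot1x-sm:[5000.0010.0000, Et0/1] Posting AUTH_SUCCESS on Client 0xC5000009
*Apr 16 18:40:49.382: dot1x_auth Et0/1: during state auth_authenticating, got event 12(authSuccess_portValid)
*Apr 16 18:40:49.382: @@@ dot1x_auth Et0/1: auth_authenticating -> auth_authc_result
*Apr 16 18:40:49.392: dot1x-ev:[5000.0010.0000, Et0/1] Received Authz fail (result: 3) for the client 0xC5000009 (5000.0010.0000)
*Apr 16 18:40:49.392: dot1x_auth Et0/1: during state auth_authc_result, got event 22(authzFail)
*Apr 16 18:40:49.392: @@@ dot1x_auth Et0/1: auth_authc_result -> auth_held
*Apr 16 18:41:02.100: dot1x-sm:[5000.0020.0000, Et0/2] Posting AUTH_SUCCESS on Client 0xC500000A
*Apr 16 18:41:02.110: @@@ dot1x_auth Et0/2: auth_authc_result -> auth_authorized
"""

TS = r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): "
AUTH_SUCCESS_RE = re.compile(
    TS + r"dot1x-sm:\[(?P<mac>[0-9a-f.]+), (?P<port>\S+)\] "
    r"Posting AUTH_SUCCESS on Client (?P<cid>0x[0-9A-Fa-f]+)"
)
AUTHZ_FAIL_RE = re.compile(
    TS + r"dot1x-ev:\[(?P<mac>[0-9a-f.]+), (?P<port>\S+)\] "
    r"Received Authz fail \(result: (?P<code>\d+)\)"
)
TRANSITION_RE = re.compile(
    TS + r"@@@ dot1x_auth (?P<port>\S+): (?P<src>\S+) -> (?P<dst>\S+)"
)


@dataclass
class SessionState:
    mac: str
    port: str
    auth_success_at: Optional[str] = None
    authz_fail_code: Optional[int] = None
    authz_fail_at: Optional[str] = None
    final_state: Optional[str] = None


def parse_sessions(log_text: str) -> Dict[Tuple[str, str], SessionState]:
    """Walk the debug output once and build one record per (mac, port)."""
    sessions: Dict[Tuple[str, str], SessionState] = {}
    # The "@@@ ... -> state" lines carry only the port, so remember which MAC
    # was last active on each port in order to attribute transitions to a client.
    last_mac_on_port: Dict[str, str] = {}

    for line in log_text.splitlines():
        if m := AUTH_SUCCESS_RE.match(line):
            key = (m["mac"], m["port"])
            sess = sessions.setdefault(key, SessionState(*key))
            sess.auth_success_at = m["ts"]
            last_mac_on_port[m["port"]] = m["mac"]
        elif m := AUTHZ_FAIL_RE.match(line):
            key = (m["mac"], m["port"])
            sess = sessions.setdefault(key, SessionState(*key))
            sess.authz_fail_code = int(m["code"])
            sess.authz_fail_at = m["ts"]
            last_mac_on_port[m["port"]] = m["mac"]
        elif m := TRANSITION_RE.match(line):
            mac = last_mac_on_port.get(m["port"])
            if mac is not None:
                sessions[(mac, m["port"])].final_state = m["dst"]
    return sessions


def authz_failures_after_auth_success(log_text: str) -> List[SessionState]:
    """Sessions where EAP authentication passed but authorization was rejected.

    This is the signature in the post: ISE reports the authentication as
    successful, yet the switch logs "Authz fail" and parks the port in auth_held,
    which points at the authorization payload (the dACL) rather than credentials.
    """
    return [
        s for s in parse_sessions(log_text).values()
        if s.auth_success_at is not None and s.authz_fail_code is not None
    ]


if __name__ == "__main__":
    for s in authz_failures_after_auth_success(SAMPLE_LOG):
        print(f"{s.port} {s.mac}: auth OK at {s.auth_success_at}, "
              f"authz fail result={s.authz_fail_code} at {s.authz_fail_at}, "
              f"state={s.final_state}")
```

Run against the sample, it reports only the Et0/1 client (auth OK, authz fail result 3, final state auth_held) and stays quiet about the Et0/2 client, which is the split you want when deciding whether to look at the RADIUS authorization attributes on the switch side or at the authentication itself.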

3 Replies

@pavit-gulati is device tracking configured on the switch? Please provide the full configuration for review.

Does your dACL validate properly on ISE? What is the NAD?

Is this issue solved?

MHM