dACL not shown under the interface

SMD28316
Level 1

When ISE dACL is applied correctly and is visible in the authenticated session:


SW1-2960#show authentication sessions int g2/0/2 det
            Interface:  GigabitEthernet2/0/2
          MAC Address:  0050.5600.0141
         IPv6 Address:  Unknown
         IPv4 Address:  10.2.7.30
            User-Name:  nicole
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
       Session Uptime:  25s
    Common Session ID:  0A304A19000000632C6CF72A
      Acct Session ID:  0x0000003E
               Handle:  0x38000046
       Current Policy:  POLICY_Gi2/0/2

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
              ACS ACL:  xACSACLx-IP-TEMP_ACL-60b7be60

Method status list:
      Method            State

      dot1x              Authc Success

SW1-2960#

Does it override the ACL that is manually configured under the interface?


I can see the dACL applied using the command show epm session:


SW1-2960#show epm session ip 10.2.7.30

% NOTE: This command will be deprecated soon.
  Please use show authentication sessions or
  show access-session (eedge-mode) for all session
  related information


 Server Policies (priority 100)
              ACS ACL:  xACSACLx-IP-TEMP_ACL-60b7be60

 Server Policies (priority 255)

Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

SW1-2960#

but when using this command to check the ACLs under the interfaces:

SW1-2960#$show ip interface | include is up|is administratively|is down|Outgoing|Inbound
...
GigabitEthernet2/0/2 is up, line protocol is up
  Inbound  access list is TEST-ACL --> Not the ACL from ISE
...

the applied ACL under the interface GigabitEthernet2/0/2 is not the dACL.

Why is that? How do I know which ACL is in use?


Accepted Solution

Greg Gibbs
Cisco Employee

This is normal behavior. The DACL will not show in the interface output as it is applied on a session basis. Depending on how many endpoints are connected to the interface (e.g. phone with PC, dumb hub/switch with multiple PCs connected), there could be many different per-session DACLs applied to the same interface.

The DACL will override any ACL applied to the switchport for the respective session and the auth/epm session output should reflect the DACL controlling that session.

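The reply above says the answer to "which ACL is in use?" is in the session output, not the interface output. As an added example (not from this thread or from Cisco), here is a small Python script that applies that rule: it parses constructed sample output modelled on the thread's `show authentication sessions ... detail` and `show ip interface` outputs and reports, per session, the dACL when ISE pushed one and the port ACL otherwise. The second session (a MAB endpoint with no ACS ACL) is an assumption added to show the fallback case.

```python
import re

# Constructed sample output, modelled on the outputs quoted in this thread.
# Two sessions on the same port; the second one receives no dACL from ISE.
SESSION_OUTPUT = """\
            Interface:  GigabitEthernet2/0/2
         IPv4 Address:  10.2.7.30
            User-Name:  nicole
Server Policies:
              ACS ACL:  xACSACLx-IP-TEMP_ACL-60b7be60
            Interface:  GigabitEthernet2/0/2
         IPv4 Address:  10.2.7.31
            User-Name:  printer-01
Method status list:
      mab                Authc Success
"""
INTERFACE_OUTPUT = """\
GigabitEthernet2/0/2 is up, line protocol is up
  Inbound  access list is TEST-ACL
GigabitEthernet2/0/3 is up, line protocol is up
  Inbound  access list is not set
"""

KV_RE = re.compile(r"^\s*([A-Za-z0-9 -]+?):\s+(\S.*)$")   # "Label:  value" lines
IF_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
INB_RE = re.compile(r"^\s*Inbound\s+access list is (.+)$")

def parse_sessions(text):
    """One dict per session, keyed by the labels the switch prints ('Interface', 'ACS ACL', ...)."""
    sessions = []
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue                      # headings such as 'Server Policies:' carry no value
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Interface":            # every session block starts with this label
            sessions.append({})
        if sessions:
            sessions[-1][key] = value
    return sessions

def parse_port_acls(text):
    """Map interface name -> inbound port ACL, or None when the switch reports 'not set'."""
    acls, current = {}, None
    for line in text.splitlines():
        m = IF_RE.match(line)
        if m:
            current = m.group(1)
            acls[current] = None
            continue
        m = INB_RE.match(line)
        if m and current:
            acls[current] = None if m.group(1) == "not set" else m.group(1)
    return acls

def effective_acls(session_text, port_text):
    """(user, interface, ACL enforced for that session, source): the per-session dACL
    overrides the port ACL; a session without one falls back to the port ACL."""
    port_acls = parse_port_acls(port_text)
    rows = []
    for s in parse_sessions(session_text):
        intf = s.get("Interface")
        if "ACS ACL" in s:
            rows.append((s.get("User-Name"), intf, s["ACS ACL"], "dACL (per session)"))
        else:
            rows.append((s.get("User-Name"), intf, port_acls.get(intf), "port ACL"))
    return rows
```

Run it against the real outputs by pasting them into the two strings; the interface output alone will always show only the port ACL, exactly as the thread observes.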

2 Replies

balaji.bandi
Hall of Fame

Have you set up the NAD profile vendor as Cisco?

Some diag tips:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/119374-technote-dacl-00.html

BB

