06-13-2021 04:33 PM
When ISE dACL is applied correctly and is visible in the authenticated session:
SW1-2960#show authentication sessions int g2/0/2 det
            Interface:  GigabitEthernet2/0/2
          MAC Address:  0050.5600.0141
         IPv6 Address:  Unknown
         IPv4 Address:  10.2.7.30
            User-Name:  nicole
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
       Session Uptime:  25s
    Common Session ID:  0A304A19000000632C6CF72A
      Acct Session ID:  0x0000003E
               Handle:  0x38000046
       Current Policy:  POLICY_Gi2/0/2

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
              ACS ACL: xACSACLx-IP-TEMP_ACL-60b7be60

Method status list:
       Method           State
       dot1x            Authc Success

SW1-2960#
Does it override the ACL that is manually configured under the interface?
I can see the dACL applied using the command show epm sess:
SW1-2960#show epm session ip 10.2.7.30
% NOTE: This command will be deprecated soon. Please use show authentication sessions or show access-session (eedge-mode) for all session related information

Server Policies (priority 100)
       ACS ACL: xACSACLx-IP-TEMP_ACL-60b7be60

Server Policies (priority 255)
       Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

SW1-2960#
but when using this command to check the ACLs under the interfaces:
SW1-2960#show ip interface | include is up|is administratively|is down|Outgoing|Inbound
...
GigabitEthernet2/0/2 is up, line protocol is up
  Inbound  access list is TEST-ACL      --> Not the ACL from ISE
...
the applied ACL under the interface GigabitEthernet2/0/2 is not the dACL.
Why is that? How do I know which ACL is in use?
06-14-2021 05:47 PM
This is normal behavior. The DACL will not show in the interface output as it is applied on a session basis. Depending on how many endpoints are connected to the interface (e.g. phone with PC, dumb hub/switch with multiple PCs connected), there could be many different per-session DACLs applied to the same interface.
The DACL will override any ACL applied to the switchport for the respective session and the auth/epm session output should reflect the DACL controlling that session.
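The answer above puts the rule plainly: the dACL lives on the session, not on the port, so the place to read it is the session output, and a port can carry several sessions each with its own dACL. As an added example (not code from this thread or from Cisco), the Python below parses the text of "show authentication sessions interface ... detail" and "show ip interface" and reports, per session, which ACL is actually in force: the ACS ACL under Server Policies when ISE pushed one, otherwise the static inbound ACL on the switchport. The sample outputs are constructed from the formats quoted in the thread; the second, MAB-authenticated session without a dACL is an assumption added to show the fallback.

```python
"""Which ACL governs an 802.1X/MAB session on a Cisco IOS switch?  Added example for
this thread (not Cisco's code): parse "show authentication sessions interface <if>
detail" and "show ip interface" and report, per session, the ACL in force: the ISE
dACL ("ACS ACL" under "Server Policies") if present, else the port's static inbound
ACL.  The "<label>: <value>" layout is assumed from the output quoted in the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the thread: the PC session that received a dACL plus
# an assumed MAB session (e.g. a phone) on the same multi-auth port that did not.
SESSION_DETAIL = """\
            Interface:  GigabitEthernet2/0/2
          MAC Address:  0050.5600.0141
         IPv4 Address:  10.2.7.30
            User-Name:  nicole
               Status:  Authorized

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
              ACS ACL: xACSACLx-IP-TEMP_ACL-60b7be60

Method status list:
       Method           State
       dot1x            Authc Success

            Interface:  GigabitEthernet2/0/2
          MAC Address:  001b.d4ab.0001
            User-Name:  00-1B-D4-AB-00-01
               Status:  Authorized

Method status list:
       Method           State
       mab              Authc Success
"""
# Constructed sample of "show ip interface | include is up|is down|Inbound" output.
INTERFACE_ACLS = """\
GigabitEthernet2/0/2 is up, line protocol is up
  Inbound  access list is TEST-ACL
GigabitEthernet2/0/3 is up, line protocol is up
  Inbound  access list is not set
"""
SECTION_HEADERS = ("Local Policies:", "Server Policies:", "Method status list:")
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 -]+?):\s+(\S.*?)\s*$")
IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
INBOUND_RE = re.compile(r"^\s*Inbound\s+access list is (.+?)\s*$")


@dataclass
class Session:
    interface: str
    mac: str = ""
    dacl: Optional[str] = None   # "ACS ACL" under Server Policies, if ISE pushed one


def parse_sessions(text: str) -> List[Session]:
    """One Session per "Interface:" block; an ACS ACL counts only under Server Policies."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    section = ""
    for raw in text.splitlines():
        if raw.strip() in SECTION_HEADERS:
            section = raw.strip().rstrip(":")
            continue
        m = FIELD_RE.match(raw)
        if not m:
            continue
        label, value = m.group(1).strip(), m.group(2)
        if label == "Interface":            # a new session block starts here
            current = Session(interface=value)
            sessions.append(current)
            section = ""
        elif current is not None and label == "MAC Address":
            current.mac = value
        elif current is not None and label == "ACS ACL" and section == "Server Policies":
            current.dacl = value
    return sessions


def parse_interface_acls(text: str) -> Dict[str, Optional[str]]:
    """Map interface name -> static inbound ACL (None when 'not set')."""
    acls: Dict[str, Optional[str]] = {}
    iface = None
    for line in text.splitlines():
        if (m := IFACE_RE.match(line)):
            iface = m.group(1)
            acls.setdefault(iface, None)
        elif (m := INBOUND_RE.match(line)) and iface is not None:
            acls[iface] = None if m.group(1) == "not set" else m.group(1)
    return acls


def effective_acl(s: Session, iface_acls: Dict[str, Optional[str]]) -> Tuple[str, Optional[str]]:
    """A dACL, when present, overrides the port ACL for that session only."""
    if s.dacl:
        return "dACL (per session)", s.dacl
    static = iface_acls.get(s.interface)
    return ("interface (static)", static) if static else ("none", None)


def report(session_text: str, iface_text: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """(interface, mac, source, acl) for every session in the detail output."""
    iface_acls = parse_interface_acls(iface_text)
    return [(s.interface, s.mac) + effective_acl(s, iface_acls)
            for s in parse_sessions(session_text)]
```

Paste the real switch output in place of the two constructed samples and call report(). For the session with the dACL it reports xACSACLx-IP-TEMP_ACL-60b7be60 as the controlling ACL even though "show ip interface" only ever lists TEST-ACL; the MAB session on the same port falls back to TEST-ACL. To inspect the downloaded entries themselves, use show ip access-lists with the xACSACLx name, where the switch keeps the ACL it pulled from ISE.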
06-13-2021 09:26 PM
Have you set up the NAD profile vendor as Cisco?
Some diag tips:
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/119374-technote-dacl-00.html