dACL on Cisco Switch 3550

Imran Ahmad
Level 2

I have a Cisco Switch 3550 with IOS 12.1(19)EA1c. I want to enable the dACL feature on it, but it does not support adding this command: ip device tracking

Any idea why it is not accepting it? Does this IOS version not support the dACL feature?

Accepted Solution

You need at least 12.2(44)SE for dACL support on the 3550.

Edit: It's documented in the ISE compatibility list:

http://www.cisco.com/en/US/partner/docs/security/ise/1.1.1/compatibility/ise_sdt.html

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


I found at this link http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SPC.html#wpxref8152 that it is mentioned that the dACL feature is only supported on the following:

Cisco devices that support downloadable IP ACLs are:

PIX Firewalls

VPN 3000-series concentrators, ASA and PIX devices

Cisco devices running IOS version 12.3(8)T or greater

So my question is: does IOS 12.2(44)SE support dACL? I downloaded this IOS and upgraded my switch 3550, and it has the IP DEVICE TRACKING command feature, but dACL still does not work on it. Please give me any idea.

What's your switch config?

And what do you see with "debug radius"?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

This is my switch config:

aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.168.2.16 key cisco
dot1x system-auth-control
aaa authorization network default group radius
ip device tracking
radius-server vsa send authentication
!
interface fastethernet0/2
 switchport mode access
 dot1x port-control auto
 dot1x reauthentication

And I see the following when I do debug radius:

03:10:17: RADIUS:  Vendor, Cisco       [26]  61
03:10:17: RADIUS:   Cisco AVpair       [1]   55  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dACL-50a72bba"
03:10:17: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
03:10:17: RADIUS:  EAP-Message         [79]  6
03:10:17: RADIUS:   03 06 00 04
03:10:17: RADIUS:  authenticator 70 28 8F A2 B7 3D C7 0F - A3 7A 74 05 69 A2 F9 98
03:10:17: RADIUS:  Vendor, Cisco       [26]  61
03:10:17: RADIUS:   Cisco AVpair       [1]   55  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dACL-50a72bba"
03:10:17: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
03:10:17: RADIUS:  EAP-Message         [79]  6

When I go and look at the logging/reports on ACS, the passed-authentication log shows the dACL at the authenticated user. But on the switch I cannot see anything, and thus the dACL does not function; it does not block anything, while I have blocked everything in that dACL on ACS (I have added this entry: deny ip any any).

Add a dummy ACL with any content to your switchport config. That ACL can then later be changed against the dACL:

ip access-list ext DEFAULT-ACL
 permit ip any any
!
int fast 0/2
 ip access-group DEFAULT-ACL in

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

That is still not working.

I'll put a 3550 back into my lab and test that in the next days ... Stay tuned.



OK, thank you!

I just want to review my ACS-side config with you: on my ACS server I have created the dACL and assigned it to a group, that is it. I have not touched the AUTHORIZATION section in the Network Access Profile; I have not added any rule to that authorization section. That should not cause the issue, I hope.

I added a 3550 (C3550-IPSERVICESK9-M, Version 12.2(44)SE6) to my Lab and tried the dACLs.

Sadly, they also didn't work for me, as they do on the other switches (2960, 3560 and 3750). Only the old-style per-user ACLs worked, where I've configured the following attributes directly:

01:32:17: RADIUS:  Vendor, Cisco       [26]  45
01:32:17: RADIUS:   Cisco AVpair       [1]   39  "ip:inacl#1=deny icmp any host 8.8.8.8"
01:32:17: RADIUS:  Vendor, Cisco       [26]  36
01:32:17: RADIUS:   Cisco AVpair       [1]   30  "ip:inacl#2=permit ip any any"

They were applied correctly to the port. But the "normal" dACL config didn't work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
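The two debug radius captures in this thread show the difference that matters: the dACL attribute only names an ACL (the switch still has to fetch its entries in a follow-up RADIUS exchange), while ip:inacl# attributes carry the entries themselves. The following added example, not code from this thread or from Cisco, parses the posted debug lines (embedded as constructed sample input) and reports which form of authorization the switch received, so a missing dACL download is visible straight from the debug output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the Access-Accept lines posted in the thread.
DACL_DEBUG = """
03:10:17: RADIUS:  Vendor, Cisco       [26]  61
03:10:17: RADIUS:   Cisco AVpair       [1]   55  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dACL-50a72bba"
03:10:17: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
03:10:17: RADIUS:  EAP-Message         [79]  6
"""

PER_USER_DEBUG = """
01:32:17: RADIUS:  Vendor, Cisco       [26]  45
01:32:17: RADIUS:   Cisco AVpair       [1]   39  "ip:inacl#1=deny icmp any host 8.8.8.8"
01:32:17: RADIUS:  Vendor, Cisco       [26]  36
01:32:17: RADIUS:   Cisco AVpair       [1]   30  "ip:inacl#2=permit ip any any"
"""

# Captures the quoted value of a "Cisco AVpair [1] <len> "..."" debug line.
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')


def parse_avpairs(debug: str) -> List[Tuple[str, str]]:
    """Return (name, value) for every Cisco AVpair of the form name=value."""
    pairs = []
    for line in debug.splitlines():
        m = AVPAIR_RE.search(line)
        if m and "=" in m.group(1):
            name, value = m.group(1).split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def classify_authorization(debug: str) -> Dict[str, object]:
    """Summarise what the RADIUS server pushed to the port."""
    dacl_names: List[str] = []
    inline_aces: List[Tuple[int, str]] = []
    for name, value in parse_avpairs(debug):
        if name == "ACS:CiscoSecure-Defined-ACL":
            dacl_names.append(value)          # only a reference to a named dACL
        elif name.startswith("ip:inacl#"):
            seq = int(name[len("ip:inacl#"):])
            inline_aces.append((seq, value))  # an actual ACE, applied in order
    inline_aces.sort()
    return {
        "dacl_names": dacl_names,
        "inline_aces": [ace for _, ace in inline_aces],
        # With a dACL name but no ip:inacl# lines, the switch never downloaded
        # the ACL body, so there is nothing it could enforce on the port.
        "acl_content_received": bool(inline_aces),
    }
```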

OK, thanks Karsten for your cooperation.

I will have to stick with the old-style per-user ACL.