04-09-2019 05:50 AM - edited 02-21-2020 11:04 AM
Hello all. In one of our production facilities we have implemented dot1x on the switches in the facility. All was OK until we found out that there is a legacy network behind one of the servers which is still used for production purposes and acts as a router for the legacy network. Something like this:
production LAN - server - legacy network
In short, there are several HTTP servers in that legacy network that are part of a printing press and cannot be migrated from the legacy network (don't ask).
The server in front authenticates on the switch without a problem and gets its dACL from our ISE servers. The server works OK, but when anyone tries to connect to the HTTP servers behind this first server we have a problem due to the dACL.
The problem lies in the fact that, for a dACL, the "any" part of the dACL gets replaced with the IP address of the authenticated server, which is normal for a dACL, but the servers in the legacy network are responding from a different IP range and are getting dropped by the dACL.
I tried several different combinations of the dACL to try and get this to work, but ISE tells me every time that the dACL line must start with "any", so I couldn't get this to work.
Does someone have any idea how I can solve this or am I stuck with one port without dot1x on it?
04-15-2019 12:58 AM
Hi. Just to confirm that using multi-host instead of multi-auth on the port solved the problem. Thanks for the support.
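For readers landing on this thread later, here is an added illustration of the change the reply describes, written as a Cisco IOS access-switch port configuration. It is not the thread's own configuration and not Cisco documentation: the interface name, the VLAN, the description text and the global AAA/dot1x prerequisites are assumptions, and the switch is assumed to use the classic `authentication` command set rather than IBNS 2.0 `access-session` syntax.

```cisco
! Added example, not the thread's configuration. Interface, VLAN and global
! settings are assumptions; only the host-mode line differs between the two blocks.

! Global prerequisites (assumed to already be in place on the switch)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
ip device tracking

! BEFORE: multi-auth. Every MAC seen on the port must authenticate separately.
! The routing server authenticates and receives its dACL, but the legacy HTTP
! servers behind it never authenticate, so their traffic matches no authorized
! session and is dropped, which is the symptom described in the question.
interface GigabitEthernet1/0/10
 description Routing server in front of legacy printing-press network
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 authentication host-mode multi-auth
 dot1x pae authenticator

! AFTER: multi-host. The first host to authenticate (the routing server) opens
! the port; after that, other MAC addresses and IP ranges seen on the port are
! permitted without their own authentication. This is the setting the reply
! reports as fixing the problem.
interface GigabitEthernet1/0/10
 description Routing server in front of legacy printing-press network
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 authentication host-mode multi-host
 dot1x pae authenticator
```

Two points a practitioner should keep in view when applying this. First, multi-host is a per-port relaxation: anything connected behind the authenticated server inherits port access, and if that server's session ends the whole port is unauthorized again, so restrict the mode to this one interface, keep the description accurate, and check `show authentication sessions interface GigabitEthernet1/0/10` after the change to confirm a single session in the Authz Success state. Second, the ISE constraint the question mentions still holds: the dACL pushed for the server is written with a source of `any`, and the switch, not ISE, decides which hosts that authorization covers, which is why the host-mode on the switchport, rather than the dACL text, is the right lever here.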