11-03-2021 01:11 AM - edited 11-03-2021 01:11 AM
I have been troubleshooting a Dot1X issue on a 9200L switch, software 17.03.03, with this dACL from ISE:
remark temp
permit ip any host 10.79.114.65   <- First rule
remark DHCP
permit udp any eq bootpc any eq bootps
remark Domain
remark SCCM
permit ip any host 10.79.114.65   <- Duplicated rule
remark Drop all the rest
deny ip any any
The endpoints didn't get authorized until I removed the duplicate rule, but on older switches (for example, WS-C2960S-24PS-L 15.0(2)SE8) this problem does not occur; the duplicated rule is simply ignored. Why? Is it a bug?
11-04-2021 06:45 PM
This is expected.
...
If a downloadable ACL contains any type of duplicate entries, the entries are not auto merged. As a result, the 802.1X session authorization fails. Ensure that the downloadable ACL is optimized without any duplicate entries, for example port-based and name-based entries for the same port.
...
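Since the documented behaviour on the 9200L is that the switch does not merge duplicate dACL entries and simply fails the session, the practical fix is to lint the dACL before it reaches ISE. The script below is an added example, not part of this thread and not Cisco's or ISE's own code: it normalizes each ACE (remarks skipped, "host A" and "any" expanded to address/wildcard form, and a hand-picked subset of IOS port names such as bootps/bootpc mapped to numbers, so a port-based and a name-based entry for the same port compare equal, which is exactly the case the release note calls out), reports every ACE that repeats an earlier one, and emits a deduplicated dACL. The PORT_NAMES table is a small assumed subset of the IOS keyword list, and SAMPLE_DACL is a constructed input based on the original post with one extra numeric-port duplicate added to exercise the name-vs-number check.

```python
"""Lint an ISE downloadable ACL (dACL) for duplicate ACEs before pushing it.

Added example, not from the thread or from Cisco. It flags entries that
repeat an earlier one after normalization, including port-name vs.
port-number variants of the same rule, and returns an optimized dACL.
"""

# Assumed subset of IOS well-known port keywords; extend as needed.
PORT_NAMES = {
    "bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "ftp": 21,
    "ssh": 22, "telnet": 23, "smtp": 25, "tftp": 69, "ntp": 123,
    "snmp": 161, "syslog": 514, "isakmp": 500, "https": 443,
}
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


def normalize_ace(line):
    """Return a canonical tuple for one ACE, or None for remarks/blank lines."""
    tokens = line.strip().lower().split()
    if not tokens or tokens[0] == "remark":
        return None
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in PORT_OPS:
            # Port operator: map keyword ports to numbers ("eq bootps" == "eq 67").
            out.append(tok)
            count = 2 if tok == "range" else 1
            for port in tokens[i + 1:i + 1 + count]:
                out.append(str(PORT_NAMES.get(port, port)))
            i += 1 + count
        elif tok == "host" and i + 1 < len(tokens):
            # "host A" matches the same packets as "A 0.0.0.0".
            out.extend([tokens[i + 1], "0.0.0.0"])
            i += 2
        elif tok == "any":
            # "any" is shorthand for "0.0.0.0 255.255.255.255".
            out.extend(["0.0.0.0", "255.255.255.255"])
            i += 1
        else:
            out.append(tok)
            i += 1
    return tuple(out)


def find_duplicates(dacl_text):
    """Return [(line_no, line, first_seen_line_no)] for each repeated ACE."""
    seen = {}
    dups = []
    for num, line in enumerate(dacl_text.splitlines(), 1):
        key = normalize_ace(line)
        if key is None:
            continue
        if key in seen:
            dups.append((num, line.strip(), seen[key]))
        else:
            seen[key] = num
    return dups


def dedupe(dacl_text):
    """Return the dACL with later duplicate ACEs dropped; remarks and order kept."""
    seen = set()
    kept = []
    for line in dacl_text.splitlines():
        key = normalize_ace(line)
        if key is not None:
            if key in seen:
                continue  # shadowed by an identical earlier entry, safe to drop
            seen.add(key)
        kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample based on the dACL in the original post, plus one
# numeric-port duplicate of the DHCP line to show the name-vs-number case.
SAMPLE_DACL = """\
remark temp
permit ip any host 10.79.114.65
remark DHCP
permit udp any eq bootpc any eq bootps
remark Domain
remark SCCM
permit ip any host 10.79.114.65
permit udp any eq 68 any eq 67
remark Drop all the rest
deny ip any any
"""

if __name__ == "__main__":
    for num, line, first in find_duplicates(SAMPLE_DACL):
        print(f"line {num}: '{line}' duplicates line {first}")
    print("--- optimized dACL ---")
    print(dedupe(SAMPLE_DACL), end="")
```

The check only catches entries that are identical after normalization, which is what the release note describes; it does not reason about overlapping or shadowed ranges (for example a broad permit followed by a narrower one), so it is a pre-push guard against the authorization failure in this thread, not a full ACL optimizer.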
11-03-2021 05:05 AM
- What's your ISE version? Make sure the 9200L is fully supported:
M.