1633 Views, 5 Helpful, 2 Replies

Duplicate entries in dACL causes dot1x authorization to fail

SMD28316, Level 1

I have been troubleshooting a Dot1X issue on a 9200L switch, software 17.03.03, with this dACL from ISE:

remark temp
permit ip any host 10.79.114.65 <- First rule
remark DHCP
permit udp any eq bootpc any eq bootps
remark Domain
remark SCCM
permit ip any host 10.79.114.65 <- Duplicated rule
remark Drop all the rest
deny ip any any

The endpoints didn't get authorized until I removed the duplicate rule, but on older switches (for example, WS-C2960S-24PS-L 15.0(2)SE8) this problem does not occur; the duplicated rule is simply ignored. Why? Is it a bug?

1 Accepted Solution

Accepted Solutions

hslai, Cisco Employee

This is expected.

Security Configuration Guide, Cisco IOS XE Gibraltar 16.11.x (Catalyst 9300 Switches) > Restrictions for IEEE 802.1x Port-Based Authentication says,

...

If a downloadable ACL contains any type of duplicate entries, the entries are not auto merged. As a result, the 802.1X session authorization fails. Ensure that the downloadable ACL is optimized without any duplicate entries, for example port-based and name-based entries for the same port.

...

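Because IOS XE refuses the whole session rather than merging duplicate ACEs, the practical fix is to lint the dACL on the ISE side before it is ever pushed. The following is an added example written for this page, not code from the thread or from Cisco: it normalizes each ACE (drops remarks and optional sequence numbers, rewrites `any`/`host`/wildcard pairs as CIDR, maps a small assumed subset of IOS port keywords such as `bootps` to their numbers) and reports entries that collapse to the same canonical form, which covers both the exact duplicate in the post above and the "port-based and name-based entries for the same port" case the configuration guide calls out. The sample dACL is constructed from the post plus one extra name-vs-number pair; the normalization rules are this example's assumption about what counts as a duplicate, and the guide does not spell out exactly how IOS XE compares entries, so treat the checker as conservative rather than authoritative.

```python
"""Lint an ISE downloadable ACL (dACL) for duplicate entries before pushing it.

Added example for this thread (not Cisco's code). IOS XE does not auto-merge
duplicate ACEs in a dACL; the 802.1X session authorization fails instead, so
the dACL should be checked for duplicates where it is authored.
"""
import ipaddress

# Assumed subset of IOS port keywords; extend as needed.
PORT_NAMES = {
    "bootpc": 68, "bootps": 67, "domain": 53, "echo": 7, "ftp": 21,
    "ftp-data": 20, "isakmp": 500, "lpd": 515, "nntp": 119, "ntp": 123,
    "pop3": 110, "smtp": 25, "snmp": 161, "snmptrap": 162, "sunrpc": 111,
    "syslog": 514, "telnet": 23, "tftp": 69, "www": 80,
}
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # op -> argc


def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _cidr(addr: str, wildcard: str) -> str:
    """Turn an IOS 'address wildcard' pair into CIDR (host -> /32)."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        return f"{addr}/{wildcard}"  # non-contiguous wildcard: keep literal
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def normalize_ace(line: str):
    """Canonical form of one ACE, or None for blank/remark lines."""
    toks = line.strip().lower().split()
    if toks and toks[0].isdigit():  # optional IOS sequence number
        toks = toks[1:]
    if not toks or toks[0] == "remark":
        return None
    out, i = [], 0
    while i < len(toks):
        t = toks[i]
        if t == "any":
            out.append("0.0.0.0/0")
            i += 1
        elif t == "host" and i + 1 < len(toks):
            out.append(_cidr(toks[i + 1], "0.0.0.0"))
            i += 2
        elif _is_ipv4(t) and i + 1 < len(toks) and _is_ipv4(toks[i + 1]):
            out.append(_cidr(t, toks[i + 1]))
            i += 2
        elif t in PORT_OPS:
            argc = PORT_OPS[t]
            ports = [str(PORT_NAMES.get(p, p)) for p in toks[i + 1:i + 1 + argc]]
            out.append(t)
            out.extend(ports)
            i += 1 + argc
        else:
            out.append(t)
            i += 1
    return " ".join(out)


def find_duplicates(dacl: str):
    """Return [(duplicate_line_no, first_seen_line_no, canonical_ace), ...]."""
    seen, dups = {}, []
    for n, raw in enumerate(dacl.splitlines(), 1):
        key = normalize_ace(raw)
        if key is None:
            continue
        if key in seen:
            dups.append((n, seen[key], key))
        else:
            seen[key] = n
    return dups


# Constructed sample: the dACL from the post plus a name-vs-number DHCP pair.
SAMPLE_DACL = """\
remark temp
permit ip any host 10.79.114.65
remark DHCP
permit udp any eq bootpc any eq bootps
remark Domain
permit udp any any eq domain
remark SCCM
permit ip any host 10.79.114.65
permit udp any eq 68 any eq 67
remark Drop all the rest
deny ip any any
"""

if __name__ == "__main__":
    for dup_line, first_line, ace in find_duplicates(SAMPLE_DACL):
        print(f"line {dup_line} duplicates line {first_line}: {ace}")
```

Run it against the exported dACL text; a non-empty result is a dACL that a 9200L on 17.03.03 will reject at authorization time even though a 2960S would silently ignore the repeat.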

2 Replies 2

marce1000, VIP


 - What's your ISE version? Make sure the 9200L is fully supported:

            https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
