10-21-2013 09:06 PM - edited 03-10-2019 09:00 PM
There is a bug (CSCug08069) that I'm hitting that prevents the dACL in the ISE authz profile from overriding the default ACL applied as a pACL on the switch. This is destroying my move from monitor mode to low-impact mode, and I'm wondering if anyone has used and can recommend some good 2960S 15.x code that has worked with their radius server dACL in the past. Any insight would be very helpful.
Kind Regards,
Kevin
10-25-2013 03:42 PM
This error code is related to AAA functionality; I would suggest contacting SAC.
10-25-2013 03:48 PM
Thanks for replying. Can you please elaborate on what your knowledge and experience with this bug is? Also, what is SAC?
Sent from Cisco Technical Support Android App
10-25-2013 03:54 PM
Kevin,
What exact IOS are you running?
10-25-2013 03:58 PM
I've tried both 15.0(2)SE2, and SE4
Sent from Cisco Technical Support Android App
10-25-2013 04:37 PM
I've tried both 15.0(2)SE2, and SE4
That's disturbing.
Disturbing because the next IOS is 15.1(2)S and I haven't tested this version yet.
10-25-2013 04:46 PM
I just got a 2960S for my lab today so I'm gonna test it this weekend. Hope I don't have to drop to 12 code just to make it work. This is one of the most irritating bugs I've encountered recently because everything will work beautifully for a while and then suddenly user complaints cause me to look at the switch and the default ACL is blocking random flows even though the dACL is applied. It's back in monitor mode until I can find code that works.
Sent from Cisco Technical Support Android App
10-25-2013 04:59 PM
Kevin,
If you ever need to go down to 12.X then I highly recommend 12.2(55)SE8. Don't even bother with the rest.
10-25-2013 05:03 PM
Thank you very much for that recommendation it will save me quite a bit of time and effort if I do have to downgrade to 12. I'll update the discussion with results.
Sent from Cisco Technical Support Android App
10-25-2013 05:04 PM
Keep us posted. I'm keen to know what you'll find.
10-27-2013 12:15 AM
Hi,
I am not running into this issue, but I wanted to see if moving your users from static IPs over to DHCP reservations would be out of the question. I have a feeling that 12.2(58) won't fix this issue either, as my experience with IP device tracking and static IP addressing has been to move away from static IPs. I know this doesn't help, but I didn't want you to hit this same issue after downgrading to 12.2(58), since that can take some time.
Thanks,
Tarik Admani
*Please rate helpful posts*
12-02-2013 06:55 PM
Well, this is getting frustrating. dACLs are applying to the session appropriately, even with static IPs, as the first 'any' in the ACE is replaced by the host's IP address. Even with the 12.2(55)SE8 code, I'm seeing that the pACL (default ACL) is still blocking very small amounts and random sets of traffic from a successfully authenticated/authorized host. I have to be out on another project tomorrow, but Wednesday I will be opening a TAC case for this. I've configured this function many times; I cannot imagine that it's anything but a bug, but we'll see. Hard to see it as a bug if I've tried all available 15.x code releases as well as this 12.2(55)SE8 with the same results.
Any new ideas are appreciated, some notes are below.
Kind Regards,
Kevin Sheahan, CCIE # 41349
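For readers following this thread, below is an added reference configuration for the low-impact mode setup being discussed (a restrictive pre-auth port ACL that the ISE dACL is expected to override per session), together with the show commands used to verify that the dACL is actually bound to the session. This is editor-supplied example configuration, not Kevin's configuration or anything posted in the thread; the interface name, ACL name, VLAN, server address and the dACL contents are assumptions chosen for illustration.

```cisco
! Added example (not from the original posts). Assumed values: Gi1/0/1,
! VLAN 10, ACL name PRE-AUTH, remediation/ISE portal host 10.1.1.5.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! The dACL arrives as a RADIUS vendor-specific attribute; without this the
! switch will not request or honour it.
radius-server vsa send authentication
!
! dACL binding relies on the switch learning the host IP via IP device
! tracking (ARP probes for statically addressed hosts). Without it the
! session shows no IP and the dACL is never applied.
ip device tracking
!
! Pre-auth port ACL (pACL): what an unauthenticated host may do.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit tcp any host 10.1.1.5 eq 443
 deny   ip any any
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Example dACL as written in the ISE authorization profile (assumed name
! PERMIT-ALL). On the switch the source "any" is rewritten to the host IP,
! so the per-host entry becomes "permit ip host <host-ip> any" and sits
! ahead of the PRE-AUTH entries for that host.
!   ip access-list extended PERMIT-ALL
!    permit ip any any
!
! Verification after a host authorizes:
!  - session must list the dACL name and a learned IP address
!  - the interface ACL view must show the rewritten per-host ACEs
!  - device tracking must show the host as ACTIVE on the port
show authentication sessions interface GigabitEthernet1/0/1 details
show ip access-lists interface GigabitEthernet1/0/1
show ip device tracking all
```

When checking a case like the one described in the thread, compare the output of `show ip access-lists interface` for the affected host against the flow that was blocked: if the rewritten dACL entry is present and matches the flow, yet the PRE-AUTH deny still counts hits for that host, that is the evidence worth attaching to a TAC case.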