
ISE DACL not working on 2960S

Hi there,

I'm checking out the ISE in a test environment.

I have successfully authenticated my PC already by 802.1x PEAP.

Now I plan to go further and use DACLs, but there seems to be an issue I don't see...

For example, I configured this DACL; once I enable it, I'm no longer authenticated after restarting the process (disable/enable my NIC). When I use the default DACL permit ip any any, it works, also when I change my DACL to that. Any idea why my DACL makes trouble?

permit tcp any host 10.x.y.208 eq 22

permit tcp any host 10.a.b.110 eq 443

Is my switch maybe the problem? Do I need IP Base? I haven't found that info so far.

Switch Ports Model                     SW Version            SW Image                
------ ----- -----                     ----------            ----------              
*    1 28    WS-C2960S-24PS-L          15.2(2)E3             C2960S-UNIVERSALK9-M  

sh license
Index 1 Feature: lanlite       
        Period left: 0  minute  0  second 
Index 2 Feature: lanbase       
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
        License Count: Non-Counted

Any idea would be great.

Sebastian

7 REPLIES
Highlighted
Cisco Employee

LAN Base should be enough to support your configuration. In the future you can reference the ISE Compatibility Matrix:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/compatibility/ise_sdt.html

With regard to your problem, I have a few questions/requests:

1. Are you saying that everything works as long as the DACL is permit ip any any ?

2. Can you post the following output from your switch:

- AAA configs

- Port config (where the endpoint is connecting)

- Output of show authentication session interface x/y detail

- Screenshot of your DACL that you are pushing

- Screenshot of the Authorization Profile that you are pushing to that session

Thank you for rating helpful posts!

Highlighted

1. Yes, that's what I'm saying.

2. Below are the outputs.

sh run | incl aaa

aaa new-model
aaa group server radius ISE_GROUP
aaa authentication login VTY group radius local
aaa authentication login CONSOLE local
aaa authentication dot1x default group ISE_GROUP
aaa authorization network default group ISE_GROUP
aaa authorization configuration default group ISE_GROUP
aaa accounting dot1x default start-stop group ISE_GROUP
aaa server radius dynamic-author
aaa session-id common

sh run int gi 1/0/14

interface GigabitEthernet1/0/14
 description **802.1x-Test**
 switchport access vlan 108
 switchport mode access
 ip access-group PreAuth in
 no logging event link-status
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 no snmp trap link-status
 dot1x pae authenticator
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable

show authentication session interface gi 1/0/14 detail
            Interface:  GigabitEthernet1/0/14
          MAC Address:  fc15.b4eb.b39b
         IPv6 Address:  Unknown
         IPv4 Address:  10.x.108.25
            User-Name:  host/MD02RS0025.dom02.net
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A0102D000000049215E928E
      Acct Session ID:  0x000004C8
               Handle:  0xBF00003B
       Current Policy:  POLICY_Gi1/0/14

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
              ACS ACL:  xACSACLx-IP-test_helmer-565423b2

Method status list:
       Method           State
       dot1x            Authc Success

Highlighted

So according to the logs your authentication and authorization are succeeding. Can you give me more details on what is not working? Your original comment said that authentication is failing, but according to the logs that you posted that is not the case.

Also, post the output from show ip access-list interface g1/0/14 and see if the proper DACL is being applied.

Thank you for rating helpful posts!

Highlighted

Thanks to all, I will also rate later...

Yesterday I got another hint that fixed that problem.

Due to my pre-ACL on that port, DHCP is working, and ping for testing etc.; that's not the issue.

It was something like DHCP snooping, so my switch does not see the IPs/MACs configured in the DACL, as well as RADIUS commands that should be added; that's why it was not working after I got authenticated and got my IP via DHCP etc. That's what I understand of it; I will check in more detail later to really understand that.

After I got the necessary commands it works.

Thanks to all of you.

Sebastian

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
mac address-table notification change
mac address-table notification mac-move
ip device tracking probe delay 10

Highlighted

Hi,

Do you need the ```ip device tracking probe delay 10``` also?

I sometimes discover problems. Then ip device tracking does not show the client IP.

But we cannot discover any problems with duplicate IP address detection.

AFAIK, the workaround for this problem is the 10 second probe delay.

Best regards

Alois

Highlighted

Are you on a static address??

You don't have anything to allow DHCP, so when your client device connects they don't have an address.

Highlighted

You're missing either device tracking or DHCP snooping. At least that's not within the config you're showing us.
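
A check for the symptom the replies point to (the switch not learning the client's IP), as an added example that is not part of the original thread: it parses `show authentication session interface ... detail` output in the format posted above and flags sessions that carry an ACS ACL but show no learned IPv4 address. The sample output, its MAC/IP values and ACL name, and the function names are constructed for illustration; treating an `Unknown` IPv4 address as the failure indicator is an assumption drawn from the replies.

```python
import re

# Constructed sample in the format of the session output posted in this thread.
# MAC, IP and ACL names are placeholders, not values from a real switch.
SAMPLE = """\
            Interface:  GigabitEthernet1/0/14
          MAC Address:  0000.5e00.5301
         IPv4 Address:  Unknown
               Status:  Authorized
Server Policies:
              ACS ACL:  xACSACLx-IP-EXAMPLE-00000000
----------------------------------------
            Interface:  GigabitEthernet1/0/14
          MAC Address:  0000.5e00.5302
         IPv4 Address:  192.0.2.25
               Status:  Authorized
Server Policies:
              ACS ACL:  xACSACLx-IP-EXAMPLE-00000000
"""

FIELD = re.compile(r"\s*([A-Za-z0-9 ]+?):\s+(\S.*)$")

def parse_sessions(text):
    """Split the output into one {field: value} dict per session."""
    sessions = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # section headers, separators, method table
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Interface":  # each session block starts with Interface
            sessions.append({})
        if sessions:
            sessions[-1][key] = value
    return sessions

def dacl_findings(text):
    """Return (mac, acl, reason) per session; the 'Unknown' rule is an assumption."""
    findings = []
    for s in parse_sessions(text):
        acl = s.get("ACS ACL")
        if not acl:
            continue  # no downloadable ACL pushed to this session
        if s.get("Status") != "Authorized":
            findings.append((s.get("MAC Address"), acl, "session not authorized"))
        elif s.get("IPv4 Address", "Unknown").lower() == "unknown":
            findings.append((s.get("MAC Address"), acl, "no IPv4 address learned"))
    return findings

if __name__ == "__main__":
    for mac, acl, reason in dacl_findings(SAMPLE):
        print(f"{mac}: {acl}: {reason}")
```
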
