ISE TrustSec SGACL not pushed to switch

KelvinT
Level 1
ISE 3.2 patch 3
Cat4710 switch

Hello,

This is a new TrustSec deployment. All other ISE/802.1x features are working correctly.

At some point the SGACL was successfully pushed to the switch. For whatever reason the new SGACL is not being pushed, with the error message below.

Any ideas?  Thanks

Nov  2 14:34:20.064: CTS-coa-ev:rbacl(CAFC_Deny_RDP) doesn't exist
Nov  2 14:34:20.064: Ignoring the CoA message rbacl = CAFC_Deny_RDP-0002. Continuing to process the other CoA messages.
Nov  2 14:34:20.064: CTS-coa-ev:AAA attr name (ssg-command-code) type (490)
Nov  2 14:34:20.064: CTS-coa-ev:Ignoring unsupported attr(ssg-command-code)
Nov  2 14:34:20.064: CTS-coa-ev:Continue to next attr

thomas
Cisco Employee

Not enough information about ISE or the switch to know what might be causing problems. See How to Ask The Community for Help. I suggest calling TAC to help you troubleshoot.

hslai
Cisco Employee

TrustSec is egress enforcement and a switch will only download an SGACL if it knows about the destination. If your switch does have CAFC_Deny_RDP, please do contact TAC to troubleshoot.

I assume your switch is of cat4500 series as Cisco has no cat4710 switch.
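
The debug output in the question can be triaged mechanically. The sketch below is an added example, not part of the thread and not Cisco tooling: it pairs each "doesn't exist" line with the CoA update that was then ignored, listing the SGACLs the switch skipped because it reported them as not present. The function name `triage` and the prefix matching between the CoA reference and the SGACL name are assumptions of this example.

```python
import re

# Debug lines copied from the original post.
SAMPLE_LOG = """\
Nov  2 14:34:20.064: CTS-coa-ev:rbacl(CAFC_Deny_RDP) doesn't exist
Nov  2 14:34:20.064: Ignoring the CoA message rbacl = CAFC_Deny_RDP-0002. Continuing to process the other CoA messages.
Nov  2 14:34:20.064: CTS-coa-ev:AAA attr name (ssg-command-code) type (490)
Nov  2 14:34:20.064: CTS-coa-ev:Ignoring unsupported attr(ssg-command-code)
Nov  2 14:34:20.064: CTS-coa-ev:Continue to next attr
"""

TS = r"(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+"
MISSING = re.compile(TS + r"CTS-coa-ev:rbacl\((?P<name>[^)]+)\) doesn't exist")
IGNORED = re.compile(TS + r"Ignoring the CoA message rbacl = (?P<ref>\S+?)\.(?:\s|$)")
UNSUPPORTED = re.compile(TS + r"CTS-coa-ev:Ignoring unsupported attr\((?P<attr>[^)]+)\)")


def triage(log_text):
    """Return (skipped_updates, unsupported_attrs) from CTS CoA debug output."""
    missing = {}      # SGACL name -> timestamp of its "doesn't exist" line
    skipped = []      # CoA updates the switch ignored
    unsupported = []  # AAA attributes the switch did not understand
    for line in log_text.splitlines():
        if m := MISSING.search(line):
            missing[m["name"]] = m["ts"]
        elif m := IGNORED.search(line):
            ref = m["ref"]
            # Assumption: the CoA reference is the SGACL name plus a suffix,
            # so match it to an earlier "doesn't exist" line by prefix.
            base = next((n for n in missing if ref.startswith(n)), None)
            skipped.append({"time": m["ts"], "coa_ref": ref, "sgacl": base,
                            "not_on_switch": base is not None})
        elif m := UNSUPPORTED.search(line):
            unsupported.append(m["attr"])
    return skipped, unsupported


if __name__ == "__main__":
    skipped, unsupported = triage(SAMPLE_LOG)
    for s in skipped:
        reason = "SGACL not present on switch" if s["not_on_switch"] else "unknown"
        print(f'{s["time"]}  skipped {s["coa_ref"]}  ({reason})')
    print("unsupported attrs:", ", ".join(unsupported) or "none")
```

A skipped update flagged `not_on_switch` matches the situation described in the reply above: the switch ignores the update for an SGACL it has not downloaded.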