09-25-2017 04:37 PM
ACS/IBNS Teams,
Customer is saying they cannot get MAB working on a 3750 but the same host works on a 3560 if moved. Basically, it shows Authc successful but the port state still shows as unauthorized.
I have attached the logs. Any ideas? My next step is to also post to the ISE support community. However, this is ACS as the server today.
JP
09-26-2017 05:35 AM
Hi Justin,
I'd first suggest that you try taking the comments ( ! ) out of your dACL contents. Older platforms in particular can have problems with dACL lines that are not true access control entries.
The logs may stop short but my assumption is that you are getting AuthC success and AuthZ failure on the switch - meaning the switch is not able to apply the authorization instructions sent by ACS. AuthZ failure should be shown in normal logging levels, but you could also try debugging EPM to determine if the dACL is being applied.
These commands may also help with troubleshooting:
show ip access-list #ACSACL#-IP-LM-PERMIT-ALL-57217a63
show ip access-list g1/0/2
Hope this helps,
-Fruits
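The first suggestion in the reply above (remove dACL lines that are not true access control entries) can be checked before the dACL is saved on the AAA server. The following is an added example, not part of the thread and not a Cisco tool; the sample dACL is constructed, and treating only lines that begin with permit or deny as ACEs is an assumption.

```python
import re

# Assumption: a "true" access control entry begins with permit or deny
# followed by a protocol keyword or number.
ACE_RE = re.compile(r"^(permit|deny)\s+\S+", re.IGNORECASE)


def lint_dacl(text):
    """Split pasted dACL content into clean ACEs and flagged non-ACE lines.

    Returns (clean_lines, findings); each finding is (line_number, kind, raw).
    """
    clean, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            findings.append((lineno, "blank", raw))
        elif line.startswith("!"):
            findings.append((lineno, "comment", raw))
        elif line.lower().startswith("remark"):
            findings.append((lineno, "remark", raw))
        elif not ACE_RE.match(line):
            findings.append((lineno, "not-an-ace", raw))
        else:
            # Normalise internal whitespace so the pushed ACE is unambiguous.
            clean.append(" ".join(line.split()))
    return clean, findings


# Constructed sample: the kind of annotated dACL an administrator might paste.
SAMPLE_DACL = """! block management subnet
deny ip any 10.10.0.0 0.0.255.255

remark everything else
permit   ip any any
"""

if __name__ == "__main__":
    clean, findings = lint_dacl(SAMPLE_DACL)
    for lineno, kind, raw in findings:
        print(f"line {lineno}: {kind}: {raw!r}")
    print("--- dACL content with only ACEs ---")
    print("\n".join(clean))
```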