PreAuth ACL Behavior

Leroy Plock
Level 1

Hi. I'm running ISE 2.2 and 3850 switches with IBNS configuration. I'm unclear as to the functioning of the preauth_ipv4_acl.

When exactly is this in effect?

Is it applied automatically or only when I somehow configure it?

Is it still in effect pre-authentication when I configure access-session closed?

If authentication fails, is it still in effect?

Is there a command I can run to see whether it's currently in effect on an interface?

Where can I find good documentation on how this ACL functions?

 

Any clues appreciated.

1 Reply

hslai
Cisco Employee

This relates to CSCuw81806 and CSCuy12484.

 

The former closed with comments:

preauth_ipv4_acl is only applied to a client when EPM sends the bind request to FED. This ACL is created by WCM when webAuth or dot1x is configured on the switch. It is only applied when a client joins and after the client authenticates it typically is removed by EPM.

So the observed behavior in 3850 is correct.

The latter provided documentation, such as http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-1/configuration_guide/b_161_consolidated_3850_cg/b_161_consolidated_3850_cg_chapter_01010011.html#reference_068C72B3D60A4D73BDD5ADFB5DDE7EF3;

Please take a look.

 
