PreAuth ACL Behavior

Hi. I'm running ISE 2.2 and 3850 switches with IBNS configuration. I'm unclear as to the functioning of the preauth_ipv4_acl.

When exactly is this in effect?

Is it applied automatically or only when I somehow configure it?

Is it still in effect pre-authentication when I configure access-session closed?

If Authentication fails is it still in effect?

Is there a command I can run to see whether it's currently in effect on an interface?

Where can I find good documentation on how this ACL functions?

Any clues appreciated.

1 REPLY 1
Cisco Employee

This relates to CSCuw81806 and CSCuy12484

The former closed with comments:

preauth_ipv4_acl is only applied to a client when EPM sends the bind request to FED. This ACL is created by WCM when webAuth or dot1x is configured on the switch. It is only applied when a client joins and after the client authenticates it typically is removed by EPM.

So the observed behavior in 3850 is correct.

The latter provided documentation, such as http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-1/configuration_guide/b_161_consolidated_3850_cg/b_161_consolidated_3850_cg_chapter_01010011.html#reference_068C72B3D60A4D73BDD5ADFB5DDE7EF3

Please take a look.