Preauth acl cuts out connectivity

koukourde
Level 1

Hello,
I have configured a pre-auth ACL on a C1000 switch. This ACL looks like:
10 permit xxx
20 permit xxx
...
100 permit ip any any

When I delete the last ACE, devices lose connectivity except for the services included in the preauth ACL. That would be absolutely normal, but the devices are authenticated and have an assigned dACL with only one ACE, permit ip any any. It does not matter if it is a printer authenticated via MAB or a user authenticated via dot1x.

I have another C1000 switch with similar config and software, and there everything works fine. What is wrong and how do I troubleshoot it?

SW-Branch1#sh auth sess int g1/0/5 det
            Interface:  GigabitEthernet1/0/5
          MAC Address:  0020.6b44.3e58
         IPv6 Address:  Unknown
         IPv4 Address:  10.203.20.236
            User-Name:  00-20-6B-44-3E-58
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
       Session Uptime:  3720s
    Common Session ID:  0ACB1409000001FF87ADBD89
      Acct Session ID:  0x000029F8
               Handle:  0x2700005B
       Current Policy:  POLICY_Gi1/0/5

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
              ACS ACL:  xACSACLx-IP-ACL_PRINTER-6257f002

Method status list:
      Method            State

      dot1x              Stopped
      mab                Authc Success

SW-Branch1#sh ip access-lists xACSACLx-IP-ACL_PRINTER-6257f002
Extended IP access list xACSACLx-IP-ACL_PRINTER-6257f002 (per-user)
    1 permit ip any any
SW-Branch1#

13 Replies

Do you push the ACL lines or the name of the ACL from the AAA server?

MHM

I'm not sure what you are asking; it is a standard dACL from ISE.

The SW has a preauth ACL.

After the Authc success, ISE pushes the name and the ACL lines of the dACL to the SW.

Now the SW will use the dACL instead of the preauth ACL.

In the end the SW will use one ACL per direction.

That is normal, I don't see an issue: permit any any allows all traffic, including what is allowed in the preauth.

MHM

I disagree that there is no issue. The preauth ACL is configured for the inbound direction on the switchport.

After successful authentication the dACL should override the preauth ACL, but it does not. After successful authentication the devices have the limited access included in the preauth ACL (permit ip any any in the preauth ACL is temporary) instead of full access according to the dACL.

I identified this issue at 3 branches; the rest of them (about 15) work fine. Most of them have the same switch and the same IOS version. The configuration is similar; the differences are only VLANs and IP addresses.

On the SW with the issue, change the host mode to single-host and check.

MHM

No luck, this change didn't help.

Add this command "single-host" on a new port of the switch with the issue and check.

MHM


This command does not work or I don't get it. The current port config is as below, before I changed authentication host-mode multi-auth to authentication host-mode single-host.

 switchport access vlan 220
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 3
 switchport port-security aging time 15
 switchport port-security
 ip access-group ACL_PRE_AUTH in
 no logging event link-status
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 100

flow of trouble shot.png

When the last ACE (permit ip any any) is removed, devices lose connectivity despite having a dACL (permit ip any any). This suggests the dACL is not overriding the pre-auth ACL correctly. Compare configurations between the two switches, verify ACL enforcement in show authentication sessions, check RADIUS logs, and use debugging (debug dot1x all and debug aaa authentication) to investigate further. If needed, modify the dACL to test different access scenarios.
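As an added example (not from the thread), a small Python script that parses the two show outputs quoted in the question and checks whether the switch reports the dACL as applied; the sample outputs are constructed from the values above. An empty result means the control plane looks right, so the next step is diffing the port and global config of a working switch against the broken one.

```python
import re

# Constructed sample (values copied from the thread): trimmed
# "show authentication sessions interface g1/0/5 detail" output.
SESSION_DETAIL = """\
               Status:  Authorized
       Oper host mode:  multi-auth
Server Policies:
              ACS ACL:  xACSACLx-IP-ACL_PRINTER-6257f002
Method status list:
      dot1x              Stopped
      mab                Authc Success
"""
# Constructed sample: "show ip access-lists <name>" output for the dACL.
DACL_OUTPUT = """\
Extended IP access list xACSACLx-IP-ACL_PRINTER-6257f002 (per-user)
    1 permit ip any any
"""

def parse_session(text):
    """'Key:  value' fields as a dict; method states under 'methods'."""
    fields = {"methods": {}}
    for line in text.splitlines():
        m = re.match(r"\s*(dot1x|mab)\s+(.+?)\s*$", line)
        if m:
            fields["methods"][m.group(1)] = m.group(2)
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def parse_dacl(text):
    """(acl name, list of ACE strings) from 'show ip access-lists' output."""
    name = re.search(r"access list (\S+)", text).group(1)
    return name, re.findall(r"^\s*\d+\s+(.+?)\s*$", text, re.M)

def check_dacl(session, dacl_text):
    """Control-plane reasons for limited access; [] means the switch claims the dACL is on."""
    problems = []
    if session.get("Status") != "Authorized":
        problems.append("session is not Authorized")
    acl = session.get("ACS ACL")
    if not acl:
        return problems + ["no ACS ACL (dACL) in Server Policies"]
    name, aces = parse_dacl(dacl_text)
    if name != acl:
        problems.append(f"dACL name mismatch: session {acl}, switch {name}")
    if not any(a.startswith("permit ip any any") for a in aces):
        problems.append(f"dACL {name} does not permit everything: {aces}")
    return problems
```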

ainajohn96
Community Member

It sounds like a tricky situation with the preauth ACL affecting connectivity. Double-checking the ACL rules and ensuring they’re applied correctly is a good start. Sometimes, small misconfigurations can lead to issues like this. If possible, testing in a controlled environment might help narrow down the problem. Hope this helps, and good luck resolving it!

@koukourde is the authorisation command configured on the switch? - "aaa authorization network default group radius"

Of course, authn and authz work fine.