04-13-2018 01:33 PM
ISE Version: 2.1, patch 6 (soon to be patch 7)
Cisco Switch Image: c3750e-ipbasek9npe-mz.150-2.SE11/c3750e-ipbasek9npe-mz.150-2.SE11.bin
Open TAC Case: 683828357
Question: Looking for some support on apparently random dACL deployment issues with a Cisco Catalyst Switch. Additional details are below
Issue:
Occasionally a domain computer will be locked out of the network and work as if it had been quarantined – and then just start working. Timeframe is hard to pinpoint - generally within a 5-60 min period.
When a personal MacBook is connected (non-domain computer) you could issue the command show ip access-list int gi1/0/25 and it would show the correct ACL (GUEST-INET-ONLY). Give it a couple of minutes and issue the same command and there would be NO ACL. Give it a few minutes and – back and forth.
We don't appear to be having a similar issue with wired endpoints connected to a Cisco 2960XR switch.
It was locking down domain computers and allowing visitor computers full access. They had me delete the voice VLAN and then put it back on my interface. The non-domain computer was locked down – makes no sense, but the domain computer still had issues.
Final thoughts - now that ISE V2.2 is defined as the safe-harbor, we have considered upgrading to that; however, want to ensure it is not a problem with just the Cisco Catalyst code on the 3750 switches.
04-13-2018 05:12 PM
I can't say that I've seen this symptom before with the 3750/3750-X platforms, so this could be caused by switch or ISE configuration. I would suggest using the following Community post to review Top Ten mis-configured settings as well as the 'Universal IOS Switch Config for ISE' info.
Otherwise, it would be best to continue working with TAC as they may need to look at debugs, etc.
-Regards,
Greg
04-16-2018 09:10 PM
I glanced through the case notes and could not find ISE at fault at all, as the switch is retrieving attributes OK. Please continue working with TAC as Greg suggested.
15.0(2)SE11 is rather old, so it would be worth trying the recommended IOS train, IOS 15.2(2)E5 or E6.
I do not use "switchport block unicast" on my DOT1X interfaces, so it would be good to try without it.
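The two replies above point at the switch-side configuration (the 'Universal IOS Switch Config for ISE' baseline and the interface-level "switchport block unicast" setting) rather than at ISE. The block below is an added example of the minimal IOS pieces a dACL push depends on, written for the 15.0(2)SE train the poster is running; it is not the thread's switch configuration, nor text from the referenced Community post. The RADIUS server address, shared secret, VLAN numbers and the interface stanza are assumptions chosen for illustration. The security-relevant point is that when a dACL fails to apply the port does not fail closed: the endpoint keeps the authorized VLAN with no per-host filter, which matches the "visitor computers full access" symptom described in the question.

```ios
! --- Added example: global prerequisites for ISE downloadable ACLs on a
! --- Catalyst 3750-X running 15.0(2)SE. Placeholders: 10.1.1.10, ISEkey,
! --- VLANs 10/20, Gi1/0/25.
aaa new-model
aaa authentication dot1x default group radius
! Without network authorization the switch ignores the cisco-av-pair/Filter-Id
! that names the dACL in the Access-Accept.
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key ISEkey
! VSA support is required or the dACL attribute is never sent/parsed.
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
dot1x system-auth-control
! The switch rewrites the "any" source in the downloaded ACL to the client's
! IP. If it has no IP binding for the host, the dACL is not applied to the
! port, so IP device tracking (fed by DHCP snooping on 15.0(2)SE) is essential.
ip device tracking
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Access port with data + voice VLAN; deliberately does NOT carry
! "switchport block unicast", per the last reply in the thread.
interface GigabitEthernet1/0/25
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! --- Checks to run while the ACL "disappears" (exec mode, not config):
! show authentication sessions interface gi1/0/25   -> look for "ACS ACL:" and
!                                                      the session state
! show ip access-lists interface gi1/0/25           -> per-host ACEs present?
! show ip device tracking interface gi1/0/25        -> does the switch hold the
!                                                      client's IP binding?
! show dot1x interface gi1/0/25 details
```

When the session line still shows the ACS ACL name but show ip access-lists interface is empty, the attribute arrived but the per-host ACL could not be built on the switch (typically a missing or expired device-tracking entry, or a reauthentication cycle); when the session itself shows as cleared and re-created, correlate the timestamps with the reauthentication timer and with the switch's RADIUS accounting to separate a switch-local problem from an ISE one.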