04-01-2013 06:56 AM - edited 03-10-2019 08:15 PM
Hello,
I have a 6509 switch running 12.2(33)SXI9 code that has a unique issue. When the client connects, it is authenticated and matches an authorization profile that gives the default PermitAccess. Unfortunately, at this point the client can only access what is allowed by ACL-DEFAULT.
When I look at the logs I see:
Mar 27 18:14:02 EDT: %EPM-6-POLICY_APP_SUCCESS: IP aa.cc.dd.ee | MAC 001a.1111.2222 | AuditSessionID AC10FB8A0000007101BDF21B| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME EPM-HOLE-ACL| RESULT SUCCESS
What is this Named ACL EPM-HOLE-ACL? This ACL is not defined in ISE or the switch.
04-02-2013 06:48 AM
The following command does seem to exist in the code:
epm access-control open OR epm access control open (like the 4500)
Is this the reason it is not working?
04-02-2013 05:04 PM
Kyle,
I do not know what the EPM-HOLE-ACL is, but found it a little comical. However, it is true that you have to apply another dACL to override ACL-DEFAULT, which is applied on the port. Keep in mind you will also run into this issue if you decide to set a guest VLAN when the RADIUS server is dead (I am basing this off the 2k/3k behavior): because of this default ACL, the users will not be able to get anywhere outside of that ACL.
There is a feature enhancement in the works to provide an ACL if the RADIUS server is dead or when authentication fails, etc. However, I think this all ties back into your question: if there isn't a dACL assigned to override the port ACL, then this seems to be the behavior.
Tarik Admani
*Please rate helpful posts*
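An added configuration example to illustrate the thread's point (not from the original posts, Cisco, or ISE): the pre-authentication port ACL the thread calls ACL-DEFAULT, the port it is applied to, and the dACL that ISE must return for the session to get more than ACL-DEFAULT allows. The interface name and the ACL entries are assumptions.

```cisco
! Pre-authentication port ACL (the thread's ACL-DEFAULT). Until a dACL is
! downloaded, this is all an authenticated host can reach. Entries are assumptions.
ip access-list extended ACL-DEFAULT
 remark DHCP, DNS and ping only
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 remark Everything else is dropped; logging shows what a "permitted" host is still blocked on
 deny ip any any log

! Assumed access port: ACL-DEFAULT stays on the port regardless of the
! authorization result, which is why PermitAccess alone looks "broken".
interface GigabitEthernet1/1
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication port-control auto
 dot1x pae authenticator

! dACL body as defined in ISE and attached to the authorization profile.
! ISE sends it as RADIUS cisco-av-pair "ip:inacl#<n>=..." entries; the switch
! applies it to the session in place of ACL-DEFAULT. Without it, only
! ACL-DEFAULT governs the session even though the result was PermitAccess.
permit ip any any

! Verification after the host authenticates: the session should show the
! downloaded ACL (xACSACLx-IP-<name>-<hash>), not just ACL-DEFAULT.
show authentication sessions interface GigabitEthernet1/1
show ip access-list interface GigabitEthernet1/1
```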