ISE Authorization PermitAccess - EPM-HOLE-ACL

kylerossd · ‎04-01-2013

Hello,

I have a 6509 switch that is running 12.2(33) SXI9 code that has a unique issue. When the client connects they are authenticated and match an authorization profile that gives the default PermitAccess. Unfortunately at this point the client can only access what it is allowed in the ACL-DEFAULT.

When I look at the logs I see:

What is this Named ACL EPM-HOLE-ACL? This ACL is not defined in ISE or the switch.

kylerossd · ‎04-02-2013

The following command does seem to exist in the code:

epm access-control open OR epm access control open (like the 4500)

Is this the reason it is not working?

Tarik Admani · ‎04-02-2013

Kyle,

I do not know what the EPM-HOLE-ACL but found it a little comical. However, this is true that you have to apply another dacl to override the acl default which is applied on the port. Keep in mind you will also run into this issue if you decide to (i am basing this off the 2k 3k behavior) set a guest vlan if the radius server is dead, because of this default ACL the users will not be able to get anywhere outside of that acl.

There is a feature enhancment in the works to provide an acl if radius server is dead or when authentication fails...etc. However I think this ties all back into to your question, that if there isnt a dacl assigned to override the port acl then this seems to be the behavior.

Tarik Admani
*Please rate helpful posts*