cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
675
Views
0
Helpful
2
Replies
Enthusiast

ISE Authorization PermitAccess - EPM-HOLE-ACL

Hello,

I have a 6509 switch that is running 12.2(33) SXI9 code that has a unique issue. When the client connects they are authenticated and match an authorization profile that gives the default PermitAccess.   Unfortunately at this point the client can only access what it is allowed in the ACL-DEFAULT. 

When I look at the logs I see:

Mar 27 18:14:02 EDT: %EPM-6-POLICY_APP_SUCCESS: IP aa.cc.dd.ee | MAC 001a.1111.2222 | AuditSessionID AC10FB8A0000007101BDF21B| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME EPM-HOLE-ACL| RESULT SUCCESS

What is this Named ACL EPM-HOLE-ACL? This ACL is not defined in ISE or the switch.           

Everyone's tags (3)
2 REPLIES 2
Enthusiast

ISE Authorization PermitAccess - EPM-HOLE-ACL

The following command does seem to exist in the code:

epm access-control open  OR epm access control open  (like the 4500)

Is this the reason it is not working?

Highlighted
Advocate

ISE Authorization PermitAccess - EPM-HOLE-ACL

Kyle,

I do not know what the EPM-HOLE-ACL but found  it a little comical. However, this is true that you have to apply  another dacl to override the acl default which is applied on the port.  Keep in mind you will also run into this issue if you decide to (i am  basing this off the 2k 3k behavior) set a guest vlan if the radius  server is dead, because of this default ACL the users will not be able  to get anywhere outside of that acl.

There is a  feature enhancment in the works to provide an acl if radius server is  dead or when authentication fails...etc. However I think this ties all  back into to your question, that if there isnt a dacl assigned to  override the port acl then this seems to be the behavior.

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*