07-17-2023 10:45 AM
Hello community,
I've come across some interesting and strange behavior of 802.1x authentication in a real production environment. We support a client's network environment which authenticates wired users with 802.1x. There are several access switches and all of them are working fine, except one. When the same user connects to a working switch, it gets an Internet connection, but when exactly the same user connects to the problematic switch, there is no Internet access, and when you issue ipconfig /all you get: "The current directory is invalid". But the thing is, I see that the user actually gets an IP address! Also, according to the problematic switch logs, users do get authenticated in 802.1x. When I checked the port and compared the port configuration between the problematic switch and the working switch, it looked the same. Then I checked the ACL which is applied on the ports of both switches. And now the most interesting part: if I add "permit ip any any" to the ACL on the problematic switch, then the user gets connectivity and ipconfig /all shows the IP configuration. Again, with exactly the same ACL on the other switch, users don't have any issues! Another strange thing: if I delete the ACL completely from the port configuration, then the user doesn't have access to the Internet again, which makes no sense to me, because it's almost the same as adding "permit ip any any". The ISE server is not managed by us, it's managed by the client, so unfortunately I can't check its configuration. I don't understand how deleting the ACL prevents the user from getting access to the Internet. I'll paste here some sanitized configuration. I'll start with the port and ACL configuration:
Port configuration:
Problematic switch# show running-config interface GigabitEthernet1/0/19
Building configuration...
Current configuration : 988 bytes
!
interface GigabitEthernet1/0/19
switchport access vlan 10
switchport mode access
switchport voice vlan 30
switchport priority extend trust
ip access-group ACL-DEFAULT in
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation protect
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 10
auto qos voip cisco-phone
storm-control broadcast level 50.00 30.00
storm-control multicast level 50.00 30.00
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end
Problematic switch# show ip access-lists ACL-DEFAULT
Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 permit ip X.X.X.X 0.0.255.255 any -> subnet where ISE, DNS, AD and DHCP are located.
60 permit ip X.X.X.X 0.0.255.255 any -> I don't know what this subnet is for.
70 permit tcp any host X.X.X.X eq www -> IP address of ISE 1
80 permit tcp any host X.X.X.X eq 443 -> IP address of ISE 1
90 permit tcp any host X.X.X.X eq 8443 -> IP address of ISE 1
100 permit tcp any host X.X.X.X eq www -> IP address of ISE 2
110 permit tcp any host X.X.X.X eq 443 -> IP address of ISE 2
120 permit tcp any host X.X.X.X eq 8443 -> IP address of ISE 2
130 permit ip any host X.X.X.X -> IP address of DNS
140 permit ip any host X.X.X.X -> IP address of DNS & DHCP
150 permit ip any host X.X.X.X -> IP address for CRM server
160 deny ip any any log
I've replaced real IP addresses with X.X.X.X
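As an added illustration (not part of the original post and not vendor code), the following first-match evaluator models the ACL-DEFAULT shown above; the redacted X.X.X.X subnets and hosts are replaced by constructed placeholder addresses. Run against a client that has only this list in effect on its port, it reproduces the symptom described: DHCP, DNS, ICMP and the ISE ports are permitted, while any other destination ends at the "deny ip any any log" entry at sequence 160.

```python
# Added example (not from the original post): first-match evaluator for the
# pre-auth ACL-DEFAULT. Real addresses were redacted as X.X.X.X on the page,
# so every subnet/host below is a constructed placeholder.
import ipaddress

def ace(action, proto, src, dst, sport=None, dport=None):
    """One access-control entry; src/dst are CIDR strings ('0.0.0.0/0' == any)."""
    return {"action": action, "proto": proto, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "sport": sport, "dport": dport}

ANY = "0.0.0.0/0"
INFRA = "10.10.0.0/16"        # seq 50: subnet with ISE, DNS, AD and DHCP (placeholder)
UNKNOWN = "10.30.0.0/16"      # seq 60: subnet of unknown purpose (placeholder)
ISE1, ISE2 = "10.10.1.11/32", "10.10.1.12/32"                  # placeholders
DNS, DNS_DHCP, CRM = "10.10.2.53/32", "10.10.2.54/32", "10.20.5.5/32"

# Same order as the page's sequence numbers 10..160, so index*10 == sequence.
ACL_DEFAULT = [
    ace("permit", "udp", ANY, ANY, sport=68, dport=67),   # 10: bootpc -> bootps (DHCP)
    ace("permit", "udp", ANY, ANY, dport=53),             # 20: domain
    ace("permit", "icmp", ANY, ANY),                      # 30
    ace("permit", "udp", ANY, ANY, dport=69),             # 40: tftp
    ace("permit", "ip", INFRA, ANY),                      # 50
    ace("permit", "ip", UNKNOWN, ANY),                    # 60
    *[ace("permit", "tcp", ANY, h, dport=p)               # 70-120: ISE 1 and ISE 2
      for h in (ISE1, ISE2) for p in (80, 443, 8443)],
    ace("permit", "ip", ANY, DNS),                        # 130
    ace("permit", "ip", ANY, DNS_DHCP),                   # 140
    ace("permit", "ip", ANY, CRM),                        # 150
    ace("deny", "ip", ANY, ANY),                          # 160: deny ip any any log
]

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return (action, sequence) of the first matching ACE; (deny, None) = implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, e in enumerate(acl, start=1):
        if e["proto"] not in ("ip", proto):          # 'ip' entries match every protocol
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], idx * 10
    return "deny", None                              # implicit deny at the end of any IOS ACL

if __name__ == "__main__":
    client = "10.50.0.100"                            # constructed VLAN 10 client address
    print("DHCP discover:", evaluate(ACL_DEFAULT, "udp", "0.0.0.0", "255.255.255.255", 68, 67))
    print("HTTPS to ISE1:", evaluate(ACL_DEFAULT, "tcp", client, "10.10.1.11", 51000, 443))
    print("HTTPS to Internet:", evaluate(ACL_DEFAULT, "tcp", client, "203.0.113.10", 51001, 443))
```

A client reaching the Internet despite this list therefore implies that something other than ACL-DEFAULT is governing the port, which is the first thing to compare between the working and the problematic switch.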
07-17-2023 10:51 AM - edited 07-17-2023 10:53 AM
Sorry..
Thanks
MHM