Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
684
Views
0
Helpful
2
Replies

WIRED - OPEN/CLOSED Complications on Cisco 3750 Switch

jason.erbe
Level 1
Level 1

‎04-13-2018 01:33 PM

ISE Version:  2.1, patch 6 (soon to be patch 7)

Cisco Switch Image:  c3750e-ipbasek9npe-mz.150-2.SE11/c3750e-ipbasek9npe-mz.150-2.SE11.bin


Open TAC Case:  683828357


Question:  Looking for some support on apparently random dACL deployment issues with a Cisco Catalyst Switch.  Additional details are below


Issue:

Occasionally a domain computer will be locked out of the network and work as if it had been quarantined – and then just start working.  Timeframe is hard to pinpoint - generally within a 5-60 min period.


When personal MacBook is connected (non-Domain computer) you could issue the command show ip access-list int gi1/0/25 and it would show the correct ACL (GUEST-INET-ONLY). Give it a couple minutes and issues the same command and there would be NO ACL. Give it a few minutes and – back and forth.


We don't appear to be having a similar issue with wired endpoints connected to a Cisco 2960XR switch.


It was locking down domain computers and allowing visitor computers full access. They had me delete the voice vlan and then put it back on my interface. The non-domain computer was locked down – makes not sense, but the domain computer still had issues.


Final thoughts - now that ISE V2.2 is defined as the safe-harbor, we have considered upgrading to that; however, want to ensure it is not a problem with just the Cisco Catalyst code on the 3750 switches.

0 Helpful
2 Replies 2

Greg Gibbs
Cisco Employee
Cisco Employee

‎04-13-2018 05:12 PM

I can't say that I've seen this symptom before with the 3750/3750-X platforms, so this could be caused by switch or ISE configuration. I would suggest using the following Community post to review Top Ten mis-configured settings as well as the 'Universal IOS Switch Config for ISE' info.

Otherwise, it would be best to continue working with TAC as they may need to look at debugs, etc.

-Regards,

Greg

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎04-16-2018 09:10 PM

I glanced through the case notes and could not find ISE at fault at all as the switch retrieving attributes ok. Please continue working with TAC as Greg suggested.

15.0(2)SE11 is rather old so it would worth to try the recommended IOS train IOS 15.2(2)E5 or E6.

I do not use "switchport block unicast" with my DOT1X interface so good to try without it.

0 Helpful
Customers Also Viewed These Support Documents