C2960X DACL Limits Breaking Authorization

Summary

Note

Information has been censored or changed to protect the privacy and security of the organization.

Towards late 2023, I received a call about users being unable to connect to the network when they were wired in. Users were dropping off the wired network and moving to wireless to reach internal resources. I was called in to troubleshoot the issue and started looking for patterns.

The first clue was that these users were all being profiled into one category; we'll call the AD group "AccessCam". For this AD group, ISE pushes a DACL after the endpoint authenticates through dot1x, with the user credentials passed via MSCHAP or EAP-TEAP. I had seen this DACL applied on switchports throughout the network, where sessions were authenticated and authorized successfully. However, the output of "show authentication sessions interface GiX/X/X" for the affected users yielded a different result -

The output showed that dot1x had authenticated successfully and the username had been passed properly (this was also reflected in the ISE CoA event); however, the authorization had failed. I managed to pinpoint that whenever these users connected to any C2960X, their credentials would stop working. I verified this by asking the IT Help Desk to create a test AD account replicating all of the AD group memberships of the affected users, then connecting a laptop logged in with that test account to other switches (e.g., a C9200). I also came across a question on Reddit stating that the C2960X can only handle 63 lines of DACL -

The DACL that ISE pushes for users in the AD group "AccessCam" has 150+ lines.

To address the DACL limitation on the C2960X, I created a separate Location identifier in ISE to group all C2960Xs in the main and remote campuses, and pushed a special DACL to that group that stays within the C2960X limit.
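As an added example (not code from the original post), a small pre-flight check that counts the access control entries in a dACL body and compares the total against a per-platform limit, so an oversized dACL is caught before it is assigned to an authorization profile. The 63-entry C2960X limit is the figure the post cites from Reddit; the C9200 value and the sample dACL are constructed placeholders.

```python
"""Pre-flight check: will an ISE downloadable ACL (dACL) fit on the switch
platform that will receive it?  Added example, not from the original post."""
import re
from typing import Dict, List

# Assumed per-platform ACE limits. The C2960X figure is the value the post
# reports from Reddit; the C9200 entry is a placeholder, not a verified limit.
PLATFORM_ACE_LIMITS: Dict[str, int] = {
    "C2960X": 63,
    "C9200": 1000,  # placeholder
}

_ACE_RE = re.compile(r"^(permit|deny)\s", re.IGNORECASE)


def count_aces(dacl_body: str) -> int:
    """Count access control entries in a dACL body as ISE stores it.

    Blank lines and `remark` lines are skipped because they are not
    programmed into the switch. Any other line is rejected so a typo in the
    dACL is not silently counted as zero entries.
    """
    aces = 0
    for raw in dacl_body.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("remark"):
            continue
        if not _ACE_RE.match(line):
            raise ValueError(f"unrecognised dACL line: {line!r}")
        aces += 1
    return aces


def check_dacl(dacl_body: str, platforms: List[str]) -> Dict[str, bool]:
    """Return {platform: True if the dACL fits within that platform's limit}."""
    aces = count_aces(dacl_body)
    return {p: aces <= PLATFORM_ACE_LIMITS[p] for p in platforms}


# Constructed sample dACL: 70 host permits plus two trailing entries, so it
# exceeds the C2960X limit but not the placeholder C9200 limit.
SAMPLE_DACL = "remark constructed sample, not a real dACL\n" + "\n".join(
    f"permit ip any host 10.99.0.{i + 1}" for i in range(70)
) + "\npermit udp any any eq domain\ndeny ip any any"

if __name__ == "__main__":
    total = count_aces(SAMPLE_DACL)
    for platform, fits in check_dacl(SAMPLE_DACL, ["C2960X", "C9200"]).items():
        print(f"{platform}: {total} ACEs, {'OK' if fits else 'exceeds limit'}")
```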