Worklog: 2026-03-02

Summary

Resolved SSH authentication delay on AD-joined Linux workstation behind 802.1X dACL.

Symptom: SSH to chlxsbg (Ubuntu) hung for ~45 seconds before login succeeded.

Environment:

First dACL (DACL_Research_Onboard) only had UDP 53 for DNS. Added TCP 53 - improved but still delayed.

Packet capture revealed SYN packets to port 3268 (Global Catalog) with no response:

10.238.179.128.51914 > 10.100.11.32.3268: Flags [S]
10.238.179.128.46110 > 10.100.11.27.3268: Flags [S]

SSSD queries Global Catalog for AD user attribute lookups. Without 3268, these SYN packets timed out → SSH delay.

DC 10.100.11.32 was not in the dACL at all. AD clients contact any DC based on site affinity.

Added to dACL for ALL domain controllers:

permit tcp any host <dc-ip> eq 3268

DCs requiring update:

After dACL update and CoA:

TCP 53 is not enough - Global Catalog (3268) is required for SSSD AD user lookups
Discover ALL DCs before creating dACLs - AD clients use site-aware DC selection
tcpdump is the source of truth - showed exactly which ports were being blocked
dACL deny statements with log are invaluable - but tcpdump on endpoint is faster for diagnosis

enterprise-linux-8021x: Add port 3268 to SSH troubleshooting runbook dACL table
domus-ise-linux: Already has port 3268 documented in linux-ad-auth-dacl.adoc

Packet capture that identified the issue

sudo tcpdump -i any -n 'host 10.238.179.128' -c 100

CoA after dACL update

MAC="B4-E9-B8-F6-C8-17"
netapi ise mnt coa "$MAC"

Switch verification

show access-sess interface GigabitEthernet1/0/36 d
show access-l xACSACLx-IP-DACL_Research_Onboard_V2-*