I am confused by configuring MAC authentication bypass with external LDAP database on CS-ACS v 4.1. (appliance)

Comunication with LDAP database looks OK, in the first step there is request for username with requested MAC address,

ACS gets back username,

the second step in request for group_name which includes this username. ACS again gets back answer with proper groupname

CN=Agentless_Hosts, but all this ends with error:

Access rejected due to authorization policy in the network access profiles

I have defined GroupName on ACS Agentless_Hosts with proper configuration. This Goup is used in

Authorizatyion rule of NAP for agentless hosts. (Tested with local database - all worked)

It seems to me that the string from LDAP server is not parsed to GroupName on ACS server.

May be problem could be in LDAP schema:

I use:

Base DN: CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ

MAC Addresses: CN=MAC Addresses,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ

MAC Groups: CN=MAC Groups,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ

When I look in the packet with result from the second step I can see that ACS gets answer in form:

CN=Agentless_Hosts,CN=MAC Groups,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ

Can somebody point me, what is wrong?

What ACS uses from LDAP string CN=Agentless_Hosts,CN=MAC Groups,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ as GroupName

in Authorization rule of NAP?

Thank you for any help.

Regards

Pavel Navratil