Problem with NAC-L2-802.1x

Jun 3rd, 2007

Hi all, I was trying to configure NAC-L2-802.1x with the help of ACS 4.1, a 4900 series switch and the CTA supplicant. My switch configuration for NAC is below:

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
interface GigabitEthernet1/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x reauthentication
!
radius-server attribute 8 include-in-access-req
radius-server host x.x.x.x key cisco123
radius-server source-ports 1645-1646
radius-server vsa send authentication


I had configured ACS with a relevant NAP profile. The problem is that whenever I try to authenticate, the dot1x-configured profile is not matching; it is taking only the default profile. The reason for that is that CTA is not sending the CTA:PA and CTA:Host details which are required for the profile match. I tried a lot with the docs but no luck. Please help me.

jafrazie (Cisco Employee) Mon, 06/04/2007 - 17:32

What do you have the profile set to match on? Not sure what else you're using ACS for, but is there any harm in configuring this as your default?

diptanshusingh Mon, 06/04/2007 - 20:14

The profile filtering is set to

Service-Type != 10 and cisco-av-pair not exist aaa:service. The protocols policy is to match different EAP-FAST options in the EAP-FAST column as per the document, and the required posture validation credentials are Cisco:PA and Cisco:Host. I do as per the document but the profile is not matching at all; it matches the default. For test purposes I am using only a single NAP profile, i.e. the NAC-L2-dot1x profile.
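To make the matching problem in this thread concrete, here is an added example (not ACS code, and not from either poster) that models the NAP filter described above as a small evaluator: it takes the attributes of one Access-Request and reports which of the profile's conditions fail, which is exactly the question when a request falls through to the default profile. The request field names and the two sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Posture credential types the NAP in this thread requires (sent by CTA).
REQUIRED_POSTURE = {"Cisco:PA", "Cisco:Host"}


@dataclass
class AccessRequest:
    """Subset of a RADIUS Access-Request relevant to NAP selection (field names assumed)."""
    service_type: Optional[int]                     # RADIUS Service-Type; 10 = Call-Check
    cisco_av_pairs: List[str] = field(default_factory=list)
    eap_type: Optional[str] = None                  # outer EAP method, e.g. "EAP-FAST"
    posture: Set[str] = field(default_factory=set)  # posture credential types presented


def failed_conditions(req: AccessRequest) -> List[str]:
    """Return every NAC-L2-802.1x filter condition the request fails (empty list = match)."""
    failures = []
    if req.service_type == 10:
        failures.append("Service-Type is 10 (Call-Check)")
    if any(avp.startswith("aaa:service") for avp in req.cisco_av_pairs):
        failures.append("cisco-av-pair aaa:service is present")
    if req.eap_type != "EAP-FAST":
        failures.append(f"EAP type is {req.eap_type}, not EAP-FAST")
    missing = REQUIRED_POSTURE - req.posture
    if missing:
        failures.append("missing posture credentials: " + ", ".join(sorted(missing)))
    return failures


def select_profile(req: AccessRequest) -> Tuple[str, List[str]]:
    """Pick the NAP: the NAC-L2-802.1x profile if every condition holds, else the default."""
    failures = failed_conditions(req)
    return ("NAC-L2-dot1x", []) if not failures else ("default", failures)


# Constructed sample requests (not captured traffic). Service-Type 2 = Framed.
HEALTHY = AccessRequest(service_type=2, eap_type="EAP-FAST", posture={"Cisco:PA", "Cisco:Host"})
NO_POSTURE = AccessRequest(service_type=2, eap_type="EAP-FAST")  # CTA sent no posture data

if __name__ == "__main__":
    for name, req in (("with posture", HEALTHY), ("no posture", NO_POSTURE)):
        profile, why = select_profile(req)
        print(f"{name}: {profile}" + (f" because {'; '.join(why)}" if why else ""))
```

The second sample reproduces the symptom in the thread: authentication itself (EAP-FAST) succeeds, but with no posture credentials in the request the profile filter cannot match and the default profile is used.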

jafrazie (Cisco Employee) Mon, 06/04/2007 - 20:50

Try matching with fewer criteria if you don't need them?

Disable EAP-FAST check and see if it matches then.


diptanshusingh Mon, 06/04/2007 - 21:40

But for NAC-L2-dot1x I need EAP-FAST; without that I think it won't work, and I need to check NAC-L2-802.1x only.

jafrazie (Cisco Employee) Mon, 06/04/2007 - 22:34

Using EAP-FAST to authc is one thing. Matching a NAP is another.

diptanshusingh Tue, 06/05/2007 - 09:41

Thanks Jaz. I don't know what happened, but I tried the same thing starting from the beginning and everything worked fine.
