We're working in a NAC solution for our network and we've got a problem I hope you'll help us to solve.
Our architecture is described bellow:
- Windows 802.1x supplicant configured with Protected EAP (PEAP) and secure password (EAP-MSCHAP v2).
- Cisco Catalyst 2960 Switches with the following configuration:
aaa authentication dot1x default group radius
aaa authorization network default group radius
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x max-reauth-req 1
dot1x guest-vlan 20
dot1x auth-fail vlan 20
dot1x auth-fail max-attempts 1
radius-server host 172.19.128.200 auth-port 1645 acct-port 1646 key XXXXX
radius-server source-ports 1645-1646
- Radius Authentication Server (Cisco Secure ACS v3.3) authenticating against a Domain Controller configured as an External User Database using the Cisco Secure ACS Remote Agent
We want to use machine authentication to download the domain policy and user authentication to dynamically assign a vlan (until now we've only tried the user authentication). For unknown users we consider two possibilities:
- Unknown user without 802.1x supplicant: After a timeout it is assigned to the guest-vlan.
- Unknown user with 802.1x supplicant: It should be assigned to the Fail-Auth VLAN.
And that's the point we can't get over. When an unknown user with 802.1x supplicant tries to connect to our network the supplicant keeps in the Authenticating state and the switch port remains Unauthorized. In the Radius Server (ACS) logs don't appear failed attempts. It seems that the ACS is applying the Unknown Users Policy and indefinitely tries to authenticate the user against the External User Database. It never sends a reject.
I've checked the ACS configuration looking for some kind of âtimeoutâ or âfailed attemptsâ parameter in External User Database configuration to force it to send the reject but I haven't succeeded. The same with the Catalyst 2960 dot1x configuration..
How can we solve this issue?
Thanks a lot in advance!!