cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
371
Views
0
Helpful
1
Replies

NAC deployment

colomacrespi
Level 1
Level 1

Hi mates,

We're working in a NAC solution for our network and we've got a problem I hope you'll help us to solve.

Our architecture is described bellow:

- Windows 802.1x supplicant configured with Protected EAP (PEAP) and secure password (EAP-MSCHAP v2).

- Cisco Catalyst 2960 Switches with the following configuration:

aaa authentication dot1x default group radius

aaa authorization network default group radius

….

dot1x system-auth-control

….

!

interface FastEthernet0/X

switchport mode access

dot1x pae authenticator

dot1x port-control auto

dot1x max-reauth-req 1

dot1x guest-vlan 20

dot1x auth-fail vlan 20

dot1x auth-fail max-attempts 1

!

…….

radius-server host 172.19.128.200 auth-port 1645 acct-port 1646 key XXXXX

radius-server source-ports 1645-1646

- Radius Authentication Server (Cisco Secure ACS v3.3) authenticating against a Domain Controller configured as an External User Database using the Cisco Secure ACS Remote Agent

We want to use machine authentication to download the domain policy and user authentication to dynamically assign a vlan (until now we've only tried the user authentication). For unknown users we consider two possibilities:

- Unknown user without 802.1x supplicant: After a timeout it is assigned to the guest-vlan.

- Unknown user with 802.1x supplicant: It should be assigned to the Fail-Auth VLAN.

And that's the point we can't get over. When an unknown user with 802.1x supplicant tries to connect to our network the supplicant keeps in the Authenticating state and the switch port remains Unauthorized. In the Radius Server (ACS) logs don't appear failed attempts. It seems that the ACS is applying the Unknown Users Policy and indefinitely tries to authenticate the user against the External User Database. It never sends a reject.

I've checked the ACS configuration looking for some kind of “timeout” or “failed attempts” parameter in External User Database configuration to force it to send the reject but I haven't succeeded. The same with the Catalyst 2960 dot1x configuration..

How can we solve this issue?

Thanks a lot in advance!!

Coloma

1 Reply 1

didyap
Level 6
Level 6

Check if you have properly configured the groups in the ACS. Also check if the 2960 switch is configured under proper group in the ACS. If this does not works remove all the groups in ACS and configure all of the users in same group and check if the authentication is possible.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: