I am building a test setup with open authentication and I am trying to get the theory right.
First the scenario for which we are going to use dot1x with open authentication:
We want to deploy dot1x throughout our network, which includes a number of users who log on to a domain.
With open authentication I want to allow AD/DNS/DHCP before dot1x authentication and then use dot1x (PEAP ms-chapv2) to authenticate the user before allowing normal traffic to proceed.
Correct me if I'm wrong, but from what I gathered from several documents it should work like the following:
1) The switchport to which the user connects is set up for "authentication open" and has a PRE-AUTH ACL configured inbound on it which contains all the holes it needs for AD/DNS/DHCP.
2) The user then authenticates through his logon.
3) The user identity is used to authenticate the switchport as well, and an ACL is downloaded from our MS-IAS which allows normal traffic.
Is the above theory correct, or am I missing a crucial bit?
The problem I currently have is that the ACL is never downloaded from our MS-IAS. We are running 4506s with 12.2(50)SG2.
The policy I tested returns the following attributes:
Cisco-AV-Pair: ip:inacl#1=permit ip any any
Port config used is:
switchport access vlan xxx
switchport mode access
dot1x pae authenticator
authentication port-control auto
ip access-group <acl-name> in
Global config contains:
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server vsa send authentication
and of course I have defined my RADIUS servers in my config.
Anyone have any ideas or pointers where to look?
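For reference, here is a complete IOS configuration for the open-authentication scenario described in the post (pre-auth ACL holes for DHCP/DNS/AD, port set to "authentication open", RADIUS returning a dACL). This is an added example written for this thread, not the poster's actual config or Cisco's documentation; the ACL name PREAUTH, the VLAN 10, the interface, the RADIUS server address 192.0.2.10, the key, and the AD server 192.0.2.20 are all placeholders, and the AD port list is deliberately minimal.

```ios
! ---- Pre-auth ACL: what an unauthenticated host may send before dot1x succeeds ----
! (placeholder name/addresses; extend the AD section to match your domain controllers)
ip access-list extended PREAUTH
 permit udp any eq bootpc any eq bootps          ! DHCP
 permit udp any any eq domain                    ! DNS
 permit udp any host 192.0.2.20 eq 88            ! Kerberos (AD logon)
 permit tcp any host 192.0.2.20 eq 88
 permit tcp any host 192.0.2.20 eq 389           ! LDAP
 permit tcp any host 192.0.2.20 eq 445           ! SMB (GPO / SYSVOL)
 deny   ip any any                               ! everything else waits for the dACL
!
! ---- Global AAA / RADIUS ----
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius   ! required: without it the dACL is ignored
dot1x system-auth-control                        ! required: enables dot1x globally
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-KEY
radius-server vsa send authentication            ! lets the switch process Cisco-AV-Pair in Access-Accept
ip device tracking                               ! dACLs are applied per host IP; the switch must learn it
!
! ---- Access port ----
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 authentication open                             ! pass traffic pre-auth, subject to the PREAUTH ACL
 authentication port-control auto
 dot1x pae authenticator
 ip access-group PREAUTH in                      ! the port ACL the dACL will override after success
!
! ---- Attribute the RADIUS server returns on Access-Accept (same format as in the post) ----
! Cisco-AV-Pair = ip:inacl#1=permit ip any any
```

To confirm the dACL actually arrived, `show authentication sessions interface GigabitEthernet1/1` lists the session state and, once the Access-Accept has been applied, the downloaded ACL name under the interface; `debug radius` on a test port shows whether the Cisco-AV-Pair attribute is present in the Access-Accept at all, which separates an IAS policy problem from a switch-side one.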