NAC Framework EOU NAH MAC Address Issue (ACS 4.2)

Unanswered Question
Jun 5th, 2010
Hi,


I have a problem with NAC framework with NAC-L2-IP with Cisco ACS 4.2 and a 3560 running IOS version 12.2(51)SEE1.


The configuration of the Switch is as follows (note that I also have NAC-L2-802.1x working correctly on the switch):


show run | incl radius

aaa authentication dot1x default group radius
aaa authentication dot1x DOT1X group radius
aaa authentication eou default group radius
aaa authentication eou EOU group radius
aaa authorization network default group radius
aaa authorization network DOT1X group radius
ip radius source-interface Vlan348
radius-server attribute 8 include-in-access-req
radius-server host 10.4.5.3 auth-port 1645 acct-port 1646 key *****
radius-server key ****

radius-server vsa send accounting
radius-server vsa send authentication


show run | incl aaa

aaa new-model
aaa authentication login VTY group tacacs+ local
aaa authentication login CON local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authentication dot1x DOT1X group radius
aaa authentication eou default group radius
aaa authentication eou EOU group radius
aaa authorization exec VTY group tacacs+ local
aaa authorization exec CON local
aaa authorization commands 15 VTY group tacacs+ local
aaa authorization commands 15 CON local
aaa authorization network default group radius
aaa authorization network DOT1X group radius
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
aaa session-id common


show run | incl ip admission

ip admission source-interface Vlan348
ip admission name EOU eapoudp inactivity-time 60
ip admission EOU


show run int f0/5

interface FastEthernet0/5
switchport access vlan 348
switchport mode access
ip access-group pre-nac in
spanning-tree portfast
ip admission EOU
end


The problem is that when I use the Cisco Trust Agent on a machine, authentication works OK. BUT when I use the NAH feature with a machine, I get mapped to the wrong group and therefore get the wrong access list entry on the switch. This is because the user entry in the ACS log shows as a number such as 3030.3162.2e33.3833.622e.6236.6563 rather than the MAC address. I have the MAC address of the machine defined in the NAP authentication page, mapped to the correct group, but I think that the switch is sending the wrong user id (not the MAC but the other number).


Please can you assist?


Regards


Allan
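The "number" quoted above, 3030.3162.2e33.3833.622e.6236.6563, is ASCII text rendered as hex groups: decoding the bytes yields 001b.383b.b6ec, a MAC address in Cisco dotted notation. The decoder below is an added example and not part of the original post; the function names are my own, and the idea that the identity in the log is the same MAC in a different textual form is an inference from that decoding, not something stated by ACS documentation here.

```python
import re
from typing import Optional

# Cisco dotted MAC notation: three groups of four hex digits, e.g. 001b.383b.b6ec
CISCO_MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def decode_acs_username(user: str) -> Optional[str]:
    """Recover a dotted MAC from an ACS log "user" field.

    Accepts either a plain dotted MAC (returned unchanged, lowercased) or
    the ASCII-hex rendering of one, such as the value in the post
    (3030.3162.2e33.3833.622e.6236.6563 -> "001b.383b.b6ec").
    Returns None when the value is neither form.
    """
    s = user.strip().lower()
    if CISCO_MAC.match(s):
        return s  # already a MAC in dotted notation

    # Strip the group separators and require an even number of hex digits.
    digits = re.sub(r"[.:\-]", "", s)
    if not re.fullmatch(r"[0-9a-f]+", digits) or len(digits) % 2:
        return None

    try:
        text = bytes.fromhex(digits).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid hex, or the bytes are not printable ASCII

    text = text.strip().lower()
    return text if CISCO_MAC.match(text) else None


def to_colon_mac(dotted: str) -> str:
    """Convert 001b.383b.b6ec to the colon-separated form 00:1b:38:3b:b6:ec."""
    raw = dotted.replace(".", "")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


if __name__ == "__main__":
    # Value constructed from the post's own log entry.
    logged = "3030.3162.2e33.3833.622e.6236.6563"
    mac = decode_acs_username(logged)
    print(logged, "->", mac, "->", to_colon_mac(mac) if mac else None)
```

Comparing the decoded value with the address entered in the ACS group mapping shows whether the two differ only in textual form, which is the first thing to rule out before suspecting the switch is sending a different identity.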
