ACS 5.1, Wireless Lan Controller, Dot1x, and Mac Authentication

Sep 1st, 2010

Okay, this is bugging me to no end, so I figured I'd test the waters with it.

Recently deployed an ACS 5.1 to my environment.

For my WLC Access Policies to handle MAC and Users, I have the following defined for the Rules


Rule-1    match PEAP    match EAP-MSCHAPv2    -ANY-    -ANY-

Default   If no rules defined or no enabled rule matches.    Internal Hosts

Essentially, Rule 1 says that if it sees PEAP and EAP-MSCHAPv2, use AD to find the user.  Otherwise, you're going to the default for an internal host lookup.

Now, the interesting issue I'm seeing, which is driving me batty, is this:

Aug 31,10 10:23:07.946 PM    user1    00-22-FA-XX-XX-XX    WLC Radius
Aug 31,10 10:23:03.286 PM    user1    00-22-FA-XX-XX-XX    WLC Radius    acs02    22056 Subject not found in the applicable identity store(s).

Now, further investigating the failure shows that it is happening because it's hitting the "Default" Identity rule instead of matching on Rule-1.  When it attempts a second time 4 ms later, it hits Rule-1 and processes correctly.

So, the question is, how can I streamline my policy so that I don't have the denied request?  It seems silly that when a request comes in from a call station it would process Rule-1, see that it doesn't match, process Default, match, authorize, and then, when that call station starts the second half for dot1x now that MAC authentication is done, start on Default...

Message was edited by: spellluck - Removed hyperlinks from cut/paste.

Nate Austin (Cisco Employee) Tue, 09/07/2010 - 17:33

Hi Spellluck,

Can you post more of the details from the failed attempt that occurs first so we can see why it is hitting the default rule?



spellluck Wed, 09/08/2010 - 12:38

>>Can you post more of the details from the failed attempt that occurs first so we can see why it is hitting the default rule?

It took me a bit longer, but I got it figured out.  Because we're using lookup, it wants to verify the computer itself using PEAP, and then the user using PEAP and MSCHAPv2.  So the problem was my rules were too restrictive for the computer authentication using PEAP.  Interestingly enough, in Windows XP, even when I disabled "Use computer credentials when user credentials are not available.", it was still trying to authenticate as the computer first.

Order of operations ended up being:

PEAP - AD1 Lookup

MAC Auth - Default Rule - Internal Host Lookup
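To make the first-match-wins behaviour in this thread concrete, here is an added example (not Cisco ACS code and not code from either poster) that models an ACS 5.x identity policy as an ordered rule list with a Default row. The rule names, identity store names, the machine account "host/LAPTOP01.corp.example", the MAC "00-22-FA-00-00-01" and the three RADIUS requests are all constructed for the example. It assumes, as the poster concluded, that the computer's first PEAP attempt does not satisfy an "EAP-MSCHAPv2" condition, so the original Rule-1 lets it fall through to Internal Hosts and produce failure 22056, while a rule that matches PEAP alone sends it to AD1.

```python
"""Toy model of ACS 5.x identity-policy rule evaluation (added example, not ACS code)."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # a condition of None stands for the "-ANY-" cell in the policy table


@dataclass
class Request:
    user_name: str
    calling_station_id: str
    service_type: str       # "Framed" for 802.1X, "Call-Check" for MAC auth (constructed)
    tunnel: Optional[str]   # outer EAP method, e.g. "PEAP"; None when there is no EAP
    inner: Optional[str]    # inner EAP method once negotiated, e.g. "EAP-MSCHAPv2"


@dataclass
class Rule:
    name: str
    identity_store: str
    tunnel: Optional[str] = ANY
    inner: Optional[str] = ANY

    def matches(self, req: Request) -> bool:
        # Every non-ANY condition must match; an attribute the request does not
        # carry (None) never satisfies a non-ANY condition.
        return all(cond is ANY or cond == getattr(req, attr)
                   for attr, cond in (("tunnel", self.tunnel), ("inner", self.inner)))


def select_store(rules, default_store, req):
    """First enabled rule that matches wins; otherwise the Default row applies."""
    for rule in rules:
        if rule.matches(req):
            return rule.name, rule.identity_store
    return "Default", default_store


# Constructed identity stores: AD1 holds the user and the machine account,
# Internal Hosts holds only the endpoint's MAC address.
STORES = {
    "AD1": {"user1", "host/LAPTOP01.corp.example"},
    "Internal Hosts": {"00-22-FA-00-00-01"},
}


def authenticate(rules, default_store, req):
    """Return (rule that fired, identity store used, outcome) for one request."""
    rule, store = select_store(rules, default_store, req)
    if req.user_name in STORES[store]:
        return rule, store, "Passed"
    # Same failure reason the poster saw when the Default row was hit
    return rule, store, "22056 Subject not found in the applicable identity store(s)."


# The poster's original policy: Rule-1 requires both PEAP and EAP-MSCHAPv2.
ORIGINAL_RULES = [Rule("Rule-1", "AD1", tunnel="PEAP", inner="EAP-MSCHAPv2")]
# The policy the poster ended up with: match PEAP alone and send it to AD1.
REVISED_RULES = [Rule("PEAP", "AD1", tunnel="PEAP")]
DEFAULT_STORE = "Internal Hosts"

# Constructed requests in the order the thread describes: MAC auth first, then the
# computer's PEAP attempt (inner method not matched, per the poster's finding; this is
# an assumption of the model), then the user's PEAP/EAP-MSCHAPv2 attempt.
MAB = Request("00-22-FA-00-00-01", "00-22-FA-00-00-01", "Call-Check", tunnel=None, inner=None)
MACHINE = Request("host/LAPTOP01.corp.example", "00-22-FA-00-00-01", "Framed",
                  tunnel="PEAP", inner=None)
USER = Request("user1", "00-22-FA-00-00-01", "Framed", tunnel="PEAP", inner="EAP-MSCHAPv2")

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("revised", REVISED_RULES)):
        print(f"--- {label} policy ---")
        for req in (MAB, MACHINE, USER):
            print(req.user_name, "->", authenticate(rules, DEFAULT_STORE, req))
```

Running it shows the thread's symptom under ORIGINAL_RULES (the machine request lands on Default and fails with 22056 while the user request passes on Rule-1) and the poster's fix under REVISED_RULES (machine and user both reach AD1, MAC auth still reaches Internal Hosts via Default). The point to take away is that a condition on an attribute the request does not yet carry can only ever fall through, so the rule covering the earliest phase of the flow needs the loosest conditions.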

