09-01-2010 11:04 PM - edited 03-10-2019 05:22 PM
Okay, this is bugging me to no end, so I figured I'd test the waters with it.
Recently deployed an ACS 5.1 to my environment.
For my WLC Access Policies to handle MAC and Users, I have the following defined for the Rules
Identity:
Rule-1 | match PEAP | match EAP-MSCHAPv2 | -ANY- | -ANY- | AD1 |
** | Default | If no rules defined or no enabled rule matches. | Internal Hosts |
Essentially, Rule-1 says that if it sees PEAP and EAP-MSCHAPv2, use AD to find the user. Otherwise, you're going to the default for an internal host lookup.
Now, the interesting issue I'm seeing that is driving me batty is this:
Aug 31,10 10:23:07.946 PM | user1 | 00-22-FA-XX-XX-XX | PEAP (EAP-MSCHAPv2) | 192.168.XXX.XX | acs02 | ||||||||
Aug 31,10 10:23:03.286 PM | user1 | 00-22-FA-XX-XX-XX | PEAP (EAP-MSCHAPv2) | 192.168.XXX.XX | acs02 | 22056 Subject not found in the applicable identity store(s). |
Now, further investigating the failure shows that it is happening because it's hitting the "Default" Identity rule instead of matching on Rule-1. When it attempts a second time 4 ms later, it hits Rule-1 and processes correctly.
So, the question is, how can I streamline my policy so that I don't have the denied request? It seems silly that when a request comes in from a call station it would process Rule-1, see that it doesn't match, process Default, match, authorize, and then, when that call station starts the second half for dot1x now that MAC authentication is done, start on Default...
Message was edited by: spellluck - Removed hyperlinks from cut/paste.
09-07-2010 05:33 PM
Hi Spellluck,
Can you post more of the details from the failed attempt that occurs first so we can see why it is hitting the default rule?
Thanks,
Nate
09-08-2010 12:38 PM
>>Can you post more of the details from the failed attempt that occurs first so we can see why it is hitting the default rule?
It took me a bit longer, but I got it figured out. Because we're using lookup, it wants to verify the computer itself using PEAP, and then the user using PEAP and MSCHAPv2. So the problem was my rules were too restrictive for the computer authentication using PEAP. Interestingly enough, in Windows XP, even when I disabled "Use computer credentials when user credentials are not available.", it was still trying to authenticate as the computer first.
Order of operations ended up being:
PEAP - AD1 Lookup
MAC Auth - Default Rule - Internal Host Lookup
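The rule-evaluation behaviour the thread describes (first enabled identity rule that matches wins, otherwise the request falls to Default and its identity store) can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from Cisco ACS: the rule and store names come from the posts above, but the request samples, the attribute names and the way computer authentication is represented (PEAP with no inner-method attribute yet, following the poster's description) are constructed assumptions. It runs the original restrictive rule table and the relaxed one the poster ended up with against the same three requests and reports which rule and store each request lands on.

```python
# Added example: a minimal model of ACS 5.x identity-policy rule matching,
# used to show why the original Rule-1 (PEAP + EAP-MSCHAPv2 only) sends the
# computer-authentication attempt to the Default rule and an identity store
# that cannot contain it. Request samples and identities are constructed.

ANY = "-ANY-"


def make_rule(name, protocol=ANY, inner=ANY, store=None):
    """One row of the identity-policy table: conditions plus the store to use."""
    return {"name": name, "protocol": protocol, "inner": inner, "store": store}


def rule_matches(rule, request):
    """A condition of -ANY- always matches; anything else must equal the request attribute."""
    for attr in ("protocol", "inner"):
        wanted = rule[attr]
        if wanted != ANY and wanted != request.get(attr):
            return False
    return True


def select_store(policy, default_store, request):
    """First matching rule wins; otherwise fall through to Default (the semantics in the thread)."""
    for rule in policy:
        if rule_matches(rule, request):
            return rule["name"], rule["store"]
    return "Default", default_store


# Constructed identity stores (assumption): AD1 knows users and machine accounts,
# Internal Hosts knows only MAC addresses used for MAC authentication.
STORES = {
    "AD1": {"user1", "host/workstation1"},
    "Internal Hosts": {"00-22-FA-00-00-01"},
}


def authenticate(policy, default_store, request):
    rule, store = select_store(policy, default_store, request)
    found = request["identity"] in STORES[store]
    return {
        "label": request["label"],
        "rule": rule,
        "store": store,
        "result": "passed" if found else "22056 Subject not found",
    }


# Original table from the thread: only PEAP with EAP-MSCHAPv2 goes to AD1.
ORIGINAL_POLICY = [make_rule("Rule-1", protocol="PEAP", inner="EAP-MSCHAPv2", store="AD1")]
# Relaxed table the poster ended up with: any PEAP goes to AD1.
RELAXED_POLICY = [make_rule("Rule-1", protocol="PEAP", store="AD1")]

# Constructed requests in the order the poster observed them. The computer
# authentication is modelled as PEAP with no inner-method attribute present.
REQUESTS = [
    {"label": "MAC auth (call station)", "protocol": "MAC", "identity": "00-22-FA-00-00-01"},
    {"label": "computer auth", "protocol": "PEAP", "identity": "host/workstation1"},
    {"label": "user auth", "protocol": "PEAP", "inner": "EAP-MSCHAPv2", "identity": "user1"},
]


def run(policy, default_store="Internal Hosts"):
    """Evaluate every constructed request against a policy and return the outcomes."""
    return [authenticate(policy, default_store, r) for r in REQUESTS]


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("relaxed", RELAXED_POLICY)):
        print(f"--- {name} policy ---")
        for outcome in run(policy):
            print(f"{outcome['label']:<24} -> {outcome['rule']:<8} {outcome['store']:<15} {outcome['result']}")
```

With the original table the computer-authentication request falls to Default, is looked up in Internal Hosts and fails with the same 22056 outcome the log shows, while the user attempt that follows matches Rule-1 and passes; with the relaxed table all three requests reach a store that can answer for them, and MAC authentication still lands on Default as intended.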