I've spent a considerable amount of time now trying to configure RADIUS 802.1X authentication on our ACS 5.3 appliance, with policies for non-Cisco IP phones (Nortel IP 2004) and machine authentication for PCs, so we can run the PCs through the IP phone switch, which we currently can't do, as the existing 802.1X is through MS IAS and is not configured as such.
I have now got an individual PC policy working on the ACS for the phones, using MAB, with the MAC address of the phone entered as a host in the internal identity store, and also a separate individual policy for the PC authentication, which does a host lookup in Active Directory. These work fine on an individual basis, and I can post details if necessary, but the part I am having real trouble with is the service selection rules: no matter what I do, it will only hit the first rule and then stop, even if that rule isn't relevant according to the rules I've set up. Currently I have the rules set up as below, following various internet posts, but it's still not working...
Rule 1, which is for our switch management, is fine and can be ignored; rule 2 is to select the IP phones policy (Hardphones) and rule 3 is for the PC authentication. No matter what I do with the conditions, either my test PC will authenticate or my test IP phone will authenticate, but the rules don't seem to filter correctly. The rule 2 config I got from the link below.
With the rules as above, the phone will authenticate, but the PC fails, attempting to use rule 2, which it shouldn't even hit!
I'm going round in circles with this now, so any help is appreciated. Rule 2 config posted below as well.
Quickly, as I have to leave now:
- You don't have to use the use case thing. As far as I remember it is almost the same: use case Host Lookup = auth method lookup.
- You can also separate the service policies by using the use case thing.
- Try to use auth method lookup only and let me know if that works.
Sorry for the fast reply, but I am really in a hurry.
Rating useful replies is more useful than saying "Thank you"