ACS 5.1, Wireless Lan Controller, Dot1x, and Mac Authentication
Okay, this is bugging me to no end, so I figured I'd test the waters with it.
Recently deployed an ACS 5.1 to my environment.
For my WLC Access Policies to handle MAC and Users, I have the following defined for the Rules
If no rules defined or no enabled rule matches.
Essentially, Rule 1 says that if it sees PEAP and EAP-MSCHAPv2, use AD to find the user. Otherwise, you're going to the default for an internal host lookup.
Now, the interesting issue I'm seeing, and the one driving me batty, is this:
Aug 31,10 10:23:07.946 PM
Aug 31,10 10:23:03.286 PM
22056 Subject not found in the applicable identity store(s).
Now, further investigating the failure shows that it is happening because it's hitting the "Default" Identity rule instead of matching on Rule-1. When it attempts a second time 4 ms later, it hits Rule-1 and processes correctly.
So, the question is, how can I streamline my policy so that I don't have the denied request? It seems silly that when a request comes in from a call station it would process Rule-1, see that it doesn't match, process Default, match, authorize, and then, when that call station starts the second half for dot1x now that MAC authentication is done, start on Default...
Message was edited by: spellluck - Removed hyperlinks from cut/paste.
Re: ACS 5.1, Wireless Lan Controller, Dot1x, and Mac Authenticat
>>Can you post more of the details from the failed attempt that occurs first so we can see why it is hitting the default rule?
It took me a bit longer, but I got it figured out. Because we're using lookup, it wants to verify the computer itself using PEAP, and then the user using PEAP and MSCHAPv2. So the problem was my rules were too restrictive for the computer authentication using PEAP. Interestingly enough, in Windows XP, even when I disabled "Use computer credentials when user credentials are not available.", it was still trying to authenticate as the computer first.
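The behaviour the thread describes, a first-match identity policy where a request that matches no enabled rule falls through to the default rule and its identity store, can be modelled in a few lines. The following is an added example written for this thread, not ACS code or Cisco's schema: the request attributes, the identity store names ("AD1", "Internal Hosts"), the sample subjects and the extra "plain user name" condition on the restrictive Rule-1 are all constructed assumptions, chosen only to reproduce the symptom (a machine-authentication request falling to Default and failing with 22056) and to show it disappearing once Rule-1 is relaxed to match PEAP/EAP-MSCHAPv2 regardless of who is authenticating.

```python
# Toy model of first-match identity-policy evaluation (added example, not ACS code).
# All rule conditions, request attributes and store contents below are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]


@dataclass
class Rule:
    name: str
    match: Callable[[Request], bool]   # condition evaluated against the request
    store: str                         # identity store used when the rule matches


@dataclass
class IdentityPolicy:
    rules: List[Rule]
    default_store: str                 # "If no rules defined or no enabled rule matches"

    def select(self, req: Request) -> Tuple[str, str]:
        """Return (rule name, identity store) for the first rule that matches."""
        for rule in self.rules:
            if rule.match(req):
                return rule.name, rule.store
        return "Default", self.default_store


# Constructed identity stores: AD knows user and machine accounts,
# the internal host store knows MAC addresses used for MAC filtering.
AD_SUBJECTS = {"alice", "host/laptop01"}
INTERNAL_HOSTS = {"00-11-22-33-44-55"}


def lookup(store: str, subject: str) -> bool:
    """Does the selected store know this subject?"""
    if store == "AD1":
        return subject in AD_SUBJECTS
    if store == "Internal Hosts":
        return subject in INTERNAL_HOSTS
    return False


def authenticate(policy: IdentityPolicy, req: Request) -> Dict[str, str]:
    rule, store = policy.select(req)
    found = lookup(store, req["username"])
    return {
        "rule": rule,
        "store": store,
        "result": "pass" if found else "22056 Subject not found in the applicable identity store(s).",
    }


def is_peap_mschap(req: Request) -> bool:
    return req.get("protocol") == "PEAP" and req.get("inner") == "EAP-MSCHAPv2"


# Restrictive policy (assumed): Rule-1 also insists on a plain user name, so a
# "host/..." machine credential never matches it and drops to the default rule.
restrictive = IdentityPolicy(
    rules=[Rule("Rule-1",
                lambda r: is_peap_mschap(r) and not r["username"].startswith("host/"),
                "AD1")],
    default_store="Internal Hosts",
)

# Relaxed policy: Rule-1 keys only on the EAP method, so machine and user
# authentication both go to AD and only MAC filtering falls to the default.
relaxed = IdentityPolicy(
    rules=[Rule("Rule-1", is_peap_mschap, "AD1")],
    default_store="Internal Hosts",
)

# Constructed sample requests in the order the WLC would send them.
MAC_REQ = {"username": "00-11-22-33-44-55", "protocol": "PAP/ASCII"}        # MAC filtering
MACHINE_REQ = {"username": "host/laptop01", "protocol": "PEAP", "inner": "EAP-MSCHAPv2"}
USER_REQ = {"username": "alice", "protocol": "PEAP", "inner": "EAP-MSCHAPv2"}


def run(policy: IdentityPolicy) -> List[Dict[str, str]]:
    """Evaluate the three sample requests against a policy."""
    return [authenticate(policy, r) for r in (MAC_REQ, MACHINE_REQ, USER_REQ)]


if __name__ == "__main__":
    for label, policy in (("restrictive", restrictive), ("relaxed", relaxed)):
        print(label)
        for req, outcome in zip((MAC_REQ, MACHINE_REQ, USER_REQ), run(policy)):
            print(f"  {req['username']:>20} -> {outcome['rule']:8} {outcome['store']:15} {outcome['result']}")
```

Under the restrictive policy the machine-authentication request is routed to the internal host store, which has no "host/laptop01" subject, so the first attempt is denied with 22056 exactly as in the log; the relaxed Rule-1 sends it to AD and the MAC-filtering request is the only one that still (correctly) uses the default rule.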