We are working on configuring a NAC Framework test network. We've got to the point where we can successfully evaluate and flag a client PC as healthy or quarantined and enable/disable its switchport as appropriate. The next step that we are having a problem with is assigning the port to a VLAN; whatever we do, the port always seems to stay in the default VLAN 1. We've created additional VLANs for healthy and quarantined PCs but can't get the ports assigned whatever we try. We're pretty sure we are getting the syntax of the various settings in ACS correct, as wherever possible we are using templates to create settings profiles, and where no templates are available we've checked our settings very carefully.
The only error we can see is from a radius debug on the switch during the authentication process where it returns these messages:
03:48:39: dot1x-ev:Received VLAN is No Vlan
03:48:39: dot1x-ev:Received VLAN Id -1
There are several repeats of these during the debug.
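As an added illustration that is not part of the original thread, the parser below walks a `debug dot1x` capture in the layout of the two lines quoted above and reports whether the RADIUS authorization ever delivered a usable VLAN. A VLAN Id of -1 (or "No Vlan") means the port stays in its static VLAN, so a PC meant for the quarantine VLAN is not actually isolated; the sample capture is constructed, and the successful "Received VLAN Id 20" line is an assumed shape, not taken from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first four lines copy the layout of the post's
# debug output; the radius line and the final successful line are assumed.
SAMPLE_DEBUG = """\
03:48:39: dot1x-ev:Received VLAN is No Vlan
03:48:39: dot1x-ev:Received VLAN Id -1
03:48:41: dot1x-ev:Received VLAN is No Vlan
03:48:41: dot1x-ev:Received VLAN Id -1
03:48:41: radius: unrelated debug line that must be ignored
03:52:10: dot1x-ev:Received VLAN Id 20
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}): dot1x-ev:(?P<msg>.+)$")
VLAN_ID_RE = re.compile(r"Received VLAN Id (?P<vid>-?\d+)")


@dataclass
class VlanEvent:
    ts: str
    vlan_id: Optional[int]  # None: the authorization carried no usable VLAN


def parse_dot1x_vlan_events(text: str) -> List[VlanEvent]:
    """Return one VlanEvent per dynamic-VLAN decision found in the capture."""
    events: List[VlanEvent] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a dot1x event line (e.g. radius debug output)
        ts, msg = m.group("ts"), m.group("msg")
        vid_match = VLAN_ID_RE.search(msg)
        if vid_match:
            vid = int(vid_match.group("vid"))
            outcome = vid if vid >= 0 else None  # -1 means no VLAN received
        elif "Received VLAN is No Vlan" in msg:
            outcome = None
        else:
            continue  # other dot1x events are not VLAN decisions
        # "No Vlan" and "Id -1" are two lines for one failed decision;
        # collapse them when they carry the same timestamp.
        if outcome is None and events and events[-1].vlan_id is None \
                and events[-1].ts == ts:
            continue
        events.append(VlanEvent(ts, outcome))
    return events


def failed_decisions(events: List[VlanEvent]) -> int:
    """Count authorizations that left the port in its static VLAN."""
    return sum(1 for e in events if e.vlan_id is None)


def last_vlan_decision(events: List[VlanEvent]) -> Optional[int]:
    """VLAN the port ended up in after the last decision; None if it failed."""
    return events[-1].vlan_id if events else None
```

Running it over the post's four lines alone yields two failed decisions and no VLAN, which is the "stuck in VLAN 1" symptom; the constructed fifth event shows what a working assignment looks like.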
Yes, I had all those set, but I have solved the problem! I'd upgraded IOS on the switch to the required version for NAC and executed the boot command to get it to boot the correct version, but for some reason it didn't take effect. Took me a while to notice it was still running the old IOS.