02-23-2018 11:52 AM - edited 02-21-2020 10:46 AM
Hello, what would be a good authorization rule to authorize PCs to be imaged? They're not on the domain, and a dACL will be applied to them that gives access to the imaging server and internet only. I'm trying to distinguish it from the default authorization policy, which matches anything and gives Internet access only.
02-23-2018 12:00 PM
02-23-2018 12:05 PM
02-23-2018 12:13 PM
02-23-2018 12:29 PM
02-23-2018 01:04 PM - edited 02-23-2018 01:17 PM
Using the VLAN as part of a condition is only supported in IBNS 2.0 configuration on the switches; if you are using that, you could specify "Tunnel-Type" or "Tunnel-Private-Group-ID".
If you are using IBNS 1.0 configuration on the switches, perhaps you could use the "NAS-IP-Address" - assuming that the machines are re-imaged from a certain switch?
02-23-2018 01:30 PM
How can I tell which IBNS version I'm running?
02-23-2018 01:38 PM - edited 02-23-2018 01:39 PM
If the interfaces on your switches have commands similar to the following, then you are using IBNS 1.0:
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
If you are using IBNS 2.0 you would have class and policy maps defined globally and not the interface level commands above.
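To illustrate the distinction drawn in the reply above, here is an added example (not part of the original thread) that classifies a saved running-config as IBNS 1.0 or IBNS 2.0 style, per interface and overall. The sample configs are constructed, and the IBNS 2.0 markers it looks for (`class-map`/`policy-map type control subscriber`, `access-session`, `service-policy type control subscriber`) are the IOS new-style commands, which the thread itself does not list.

```python
import re

# Constructed sample configs (not the configs attached to the thread).
LEGACY_SAMPLE = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 description uplink
"""
NEW_STYLE_SAMPLE = """\
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
!
policy-map type control subscriber PORT_POLICY
 event session-started match-all
!
interface GigabitEthernet1/0/1
 access-session port-control auto
 service-policy type control subscriber PORT_POLICY
"""

LEGACY_IF = re.compile(
    r"authentication (host-mode|open|order|priority|port-control|event|periodic|timer|violation)\b")
NEW_IF = re.compile(r"access-session |service-policy type control subscriber ")
NEW_GLOBAL = re.compile(r"(class-map|policy-map) type control subscriber ")

def _label(styles):
    return "none" if not styles else "mixed" if len(styles) > 1 else next(iter(styles))

def classify(config):
    """Return (overall, {interface: style}); style is '1.0', '2.0', 'mixed' or 'none'."""
    per_if, current, seen = {}, None, set()
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):   # a top-level line closes any interface block
            current = None
            if line.startswith("interface "):
                current = line.split(None, 1)[1]
                per_if.setdefault(current, set())
            elif NEW_GLOBAL.match(line):
                seen.add("2.0")          # globally defined control class/policy maps
        elif current and LEGACY_IF.match(line):
            per_if[current].add("1.0")   # interface-level "authentication ..." commands
        elif current and NEW_IF.match(line):
            per_if[current].add("2.0")
    seen = seen.union(*per_if.values())
    return _label(seen), {name: _label(s) for name, s in per_if.items()}
```

A result of "mixed" means a config carries both styles and is worth reviewing before writing ISE conditions that depend on IBNS 2.0 behaviour.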
02-23-2018 01:41 PM
02-23-2018 04:43 PM
Hey RJI, can I bother you with one more thing? I'm trying to get dot1x working in my lab but I'm struggling a little. I have a Win7 machine joined to a domain with a GPO enforcing dot1x PEAP with MSCHAPv2, and the dot1x service is started, but the authentication request keeps missing the dot1x authentication policy for some reason and decides to do MAB instead. I attached my configs and debugs. Can you take a look and let me know if I'm missing something or something is misconfigured somewhere?