- Radius Authentication Server (Cisco Secure ACS v3.3) authenticating against a Domain Controller configured as an External User Database using the Cisco Secure ACS Remote Agent
We want to use machine authentication to download the domain policy and user authentication to dynamically assign a vlan (until now we've only tried the user authentication). For unknown users we consider two possibilities:
- Unknown user without 802.1x supplicant: After a timeout it is assigned to the guest-vlan.
- Unknown user with 802.1x supplicant: It should be assigned to the Fail-Auth VLAN.
And that's the point we can't get over. When an unknown user with 802.1x supplicant tries to connect to our network the supplicant keeps in the Authenticating state and the switch port remains Unauthorized. In the Radius Server (ACS) logs don't appear failed attempts. It seems that the ACS is applying the Unknown Users Policy and indefinitely tries to authenticate the user against the External User Database. It never sends a reject.
I've checked the ACS configuration looking for some kind of âtimeoutâ or âfailed attemptsâ parameter in External User Database configuration to force it to send the reject but I haven't succeeded. The same with the Catalyst 2960 dot1x configuration..
Check if you have properly configured the groups in the ACS. Also check if the 2960 switch is configured under proper group in the ACS. If this does not works remove all the groups in ACS and configure all of the users in same group and check if the authentication is possible.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...