We are in the process if deploying ACS for several scenarios. It will be taking over from Microsoft's built in NPS for wireless authentication as well as providing authentication for VPN users and ultimately wired 802.1x services as well.
With respect to the wired access - I've attended a number of sessions at Cisco Live over the past couple of years regarding 802.1x deployment and the initial "monitor mode" to prevent impact to users. I'm currently configuring a very basic set of rules for the wired deployment and testing. I've run into some issue with client's connecting behind VoIP phones.
I have a fairly basic set of Service Selection Rules matching on the NAS-Port-Type. One for Ethernet and one for IEEE-802.11. From there I have two Access Services configured. The Wireless policy is working and does not appear to have any issues. It is using Active Directory and authorizing against AD group memberships. The Wired policy has two rules, the first matching Auth-method for Lookup and uses the Internal Hosts, the second for MSCHAPv2 which uses Active Directory.
The idea being when mab-auth fails for an 801.x capable client behind a Cisco phone, the next rule in place then authenticates against AD. I have set the "continue" action for a failed host lookup but it doesn't appear to work:
As you can see the failure and then success are about 5 tenths of a second apart so there's no impact really.
But my question is this: Is this a good way to structure the rules? Every client behind a phone records an auth-failure and then an auth-success in ACS, so it gives the appearance of a lot of failures. Is there a better way to do MAB?
It seems as if your port settings are always using mab first then dot1x, what you can do to clean this up is to set dot1x first but with quick timers to that when the switch sents an eap-request, if an eap-response isnt sent with a few seconds it will then use mab (so that mab only clients do not timeout in the dhcp process).
What this does for your logging is that any dot1x capable client is authenticated without going through mab first which is generating this messages.
What hardware and version of code are you running and I can point you in the right direction, also please provide your current port configuration.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...