I have a problem with NAC framework with NAC-L2-IP with Cisco ACS 4.2 and a 3560 running IOS version 12.2(51)SEE1.
The configuration of the Switch is as follows (note that I also have NAC-L2-802.1x working correctly on the switch):
show run | incl radius

aaa authentication dot1x default group radius
aaa authentication dot1x DOT1X group radius
aaa authentication eou default group radius
aaa authentication eou EOU group radius
aaa authorization network default group radius
aaa authorization network DOT1X group radius
ip radius source-interface Vlan348
radius-server attribute 8 include-in-access-req
radius-server host 10.4.5.3 auth-port 1645 acct-port 1646 key *****
radius-server key ****
radius-server vsa send accounting
radius-server vsa send authentication

show run | incl aaa

aaa new-model
aaa authentication login VTY group tacacs+ local
aaa authentication login CON local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authentication dot1x DOT1X group radius
aaa authentication eou default group radius
aaa authentication eou EOU group radius
aaa authorization exec VTY group tacacs+ local
aaa authorization exec CON local
aaa authorization commands 15 VTY group tacacs+ local
aaa authorization commands 15 CON local
aaa authorization network default group radius
aaa authorization network DOT1X group radius
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
aaa session-id common

show run | incl ip admission

ip admission source-interface Vlan348
ip admission name EOU eapoudp inactivity-time 60
ip admission EOU

show run int f0/5

interface FastEthernet0/5
 switchport access vlan 348
 switchport mode access
 ip access-group pre-nac in
 spanning-tree portfast
 ip admission EOU
end
The problem is that when I use the Cisco Trust Agent on a machine, authentication works ok. BUT when I use the NAH feature with a machine, I get mapped to the wrong group and therefore get the wrong access list entry on the switch. This is because the user entry in the ACS log shows as a number such as 3030.3162.2e33.3833.622e.6236.6563 rather than the MAC address. I have the MAC address of the machine defined in the NAP authentication page, mapped to the correct group, but I think that the switch is sending the wrong user id (not the mac but the other number).
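Added example (editor's code, not part of the original post or of any Cisco tool): the "number" quoted above, 3030.3162.2e33.3833.622e.6236.6563, is a run of hexadecimal byte values displayed in dotted groups; decoded byte for byte it is the ASCII text 001b.383b.b6ec, which is a MAC address in Cisco dotted notation. That is consistent with the switch sending the MAC as a text string in the RADIUS identity and the ACS log displaying the raw bytes in hex. When reconciling such log entries against a configured MAC list, it helps to decode the hex form and normalise every MAC spelling to one canonical form before comparing. The function names and the sample values below are the editor's own; only the hex string comes from the post.

```python
import binascii
import re

HEX_RE = re.compile(r"[0-9a-fA-F]+")


def decode_acs_hex_username(value: str) -> str:
    """Decode an identity that a log shows as dotted hex (e.g. 3030.3162.2e33...)
    back to the ASCII text it encodes. Raises ValueError if it is not clean hex
    or does not decode to ASCII."""
    hexstr = value.replace(".", "")
    if len(hexstr) % 2 or not HEX_RE.fullmatch(hexstr):
        raise ValueError(f"not a dotted-hex byte string: {value!r}")
    # UnicodeDecodeError is a subclass of ValueError, so callers catch one type.
    return binascii.unhexlify(hexstr).decode("ascii")


def normalize_mac(text: str) -> str:
    """Accept 001b.383b.b6ec, 00:1b:38:3b:b6:ec, 00-1B-38-3B-B6-EC or
    001b383bb6ec and return the canonical form 00:1b:38:3b:b6:ec."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def username_to_mac(value: str) -> str:
    """Interpret a RADIUS/ACS identity as a MAC address.

    Design choice: a value that already parses as a MAC (12 hex digits) is taken
    literally; only otherwise is it treated as a hex-encoded ASCII string and
    decoded first. Raises ValueError if neither reading yields a MAC."""
    try:
        return normalize_mac(value)
    except ValueError:
        pass
    return normalize_mac(decode_acs_hex_username(value))


def matches_configured(username: str, configured_macs) -> bool:
    """True if the log identity denotes one of the MACs in the allowed list,
    regardless of how either side spells the address."""
    try:
        mac = username_to_mac(username)
    except ValueError:
        return False
    return mac in {normalize_mac(m) for m in configured_macs}


if __name__ == "__main__":
    # Constructed allow-list spelled the way an administrator might type it.
    configured = ["00-1B-38-3B-B6-EC", "0011.2233.4455"]
    # The identity from the post, plus constructed variants of the same device.
    for ident in ["3030.3162.2e33.3833.622e.6236.6563",
                  "001b.383b.b6ec",
                  "00:1B:38:3B:B6:EC",
                  "deadbeef"]:
        try:
            print(f"{ident:40} -> {username_to_mac(ident)}"
                  f"  configured={matches_configured(ident, configured)}")
        except ValueError as exc:
            print(f"{ident:40} -> not a MAC ({exc})")
```

Running the script prints the decoded MAC for the first three identities and reports the last one as not a MAC; a comparison done this way does not depend on whether ACS shows the identity as text or as hex bytes.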