https://community.cisco.com/t5/network-access-control/identity-rules-priority/m-p/1625840#M287636 <HTML><HEAD></HEAD><BODY><P>Thanks</P><P></P><P><SPAN class="short_text" id="result_box" lang="en"><SPAN class="hps" title="Click for alternate translations">It</SPAN> <SPAN class="hps" title="Click for alternate translations">solved the</SPAN> <SPAN class="hps" title="Click for alternate translations">problem</SPAN></SPAN></P></BODY></HTML> Thu, 24 Feb 2011 20:20:10 GMT boris.majstorovic 2011-02-24T20:20:10Z https://community.cisco.com/t5/network-access-control/identity-rules-priority/m-p/1625838#M287589 <P>Our customer want to implement 802.1x autentication with ACS 5.2 and AD as external identiti base.</P><P>But when non802.1xcapable device conect to 802.1x enabled switch port autentification should be with MAC.</P><P></P><P>We have configured switch with 802.1x and MAC auth bypass.</P><P>Also define AD as external identiti base, and MAC addreses in internal hosts.</P><P></P><P>There are two policies in</P><P><SPAN class="cuesBreadcrumbStatic">Access Policies</SPAN> &gt; ... &gt; <A class="cuesBreadcrumbLink" href="https://community.cisco.com/" target="_blank">Access Services</A> &gt; <A class="cuesBreadcrumbLink" href="https://community.cisco.com/" target="_blank">Default Network Access</A> &gt; <SPAN class="cuesBreadcrumbLast">Identity</SPAN></P><P><SPAN class="cuesBreadcrumbLast"></SPAN></P><P><SPAN class="cuesBreadcrumbLast"><CENTER></CENTER></SPAN>2.<A href="https://community.cisco.com/" target="_blank">AD</A>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NDG:Location in All Locations&nbsp;&nbsp;&nbsp;&nbsp; AD1</P><P>1. <A href="https://community.cisco.com/" target="_blank">Non802.1xCapableDevices</A>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NDG:Location in All Locations&nbsp;&nbsp;&nbsp;&nbsp; Internal Hosts</P><P></P><P>The problem is taht only frst rule is considered. If we try to autenticate with LapTop with 802.1x disabled (MAC is in internal host) autentication - OK. When we enable 802.1x on LAN there is no autentication (user not found).</P><P>After we changed order of policies:</P><P>1.<A href="https://community.cisco.com/" target="_blank">AD</A>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NDG:Location in All Locations&nbsp;&nbsp;&nbsp;&nbsp; AD1</P><P>2. <A href="https://community.cisco.com/" target="_blank">Non802.1xCapableDevices</A>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NDG:Location in All Locations&nbsp;&nbsp;&nbsp;&nbsp; Internal Hosts</P><P></P><P>The <SPAN class="short_text" id="result_box" lang="en"><SPAN class="hps" title="Click for alternate translations">situation</SPAN> <SPAN class="hps" title="Click for alternate translations">is</SPAN> <SPAN class="hps" title="Click for alternate translations">reversed, user is autenticated but MAC isn't.</SPAN></SPAN></P><P><SPAN class="short_text" lang="en"><SPAN class="hps" title="Click for alternate translations"></SPAN></SPAN></P><P><SPAN class="short_text" lang="en"><SPAN class="hps" title="Click for alternate translations"></SPAN></SPAN></P><P><SPAN class="short_text" lang="en"><SPAN class="hps" title="Click for alternate translations"><SPAN class="short_text" id="result_box" lang="en"><SPAN class="hps" title="Click for alternate translations">Where</SPAN> <SPAN class="hps" title="Click for alternate translations">is the</SPAN> <SPAN class="hps" title="Click for alternate translations">error?</SPAN></SPAN></SPAN></SPAN></P><P><SPAN class="short_text" lang="en"><SPAN class="hps" title="Click for alternate translations"><SPAN class="short_text" lang="en"><SPAN class="hps" title="Click for alternate translations"></SPAN></SPAN></SPAN></SPAN></P><P><SPAN class="short_text" lang="en"><SPAN class="hps" title="Click for alternate translations"><SPAN class="short_text" lang="en"><SPAN class="hps" title="Click for alternate translations">Thanks</SPAN></SPAN></SPAN></SPAN></P> Mon, 11 Mar 2019 00:49:51 GMT https://community.cisco.com/t5/network-access-control/identity-rules-priority/m-p/1625838#M287589 boris.majstorovic 2019-03-11T00:49:51Z https://community.cisco.com/t5/network-access-control/identity-rules-priority/m-p/1625839#M287619 <HTML><HEAD></HEAD><BODY><P>In Access Policies &gt; &gt; Access Services &gt; Default Network Access &gt; Identity, if you use "&nbsp;&nbsp; <LABEL for="rulebased_">Rule based result selection"</LABEL></P><P>ACS should just usethe first match.</P><P></P><P>You can configure a "Idnetity Store Sequence" in Users and Identity Stores &gt; Identity Store Sequences, make sure you select the "internal host" first and then AD. Then you can use this "identity store sequence" in "Default Network Access &gt; Identity".</P></BODY></HTML> Tue, 15 Feb 2011 22:44:20 GMT https://community.cisco.com/t5/network-access-control/identity-rules-priority/m-p/1625839#M287619 Yudong Wu 2011-02-15T22:44:20Z https://community.cisco.com/t5/network-access-control/identity-rules-priority/m-p/1625840#M287636 <HTML><HEAD></HEAD><BODY><P>Thanks</P><P></P><P><SPAN class="short_text" id="result_box" lang="en"><SPAN class="hps" title="Click for alternate translations">It</SPAN> <SPAN class="hps" title="Click for alternate translations">solved the</SPAN> <SPAN class="hps" title="Click for alternate translations">problem</SPAN></SPAN></P></BODY></HTML> Thu, 24 Feb 2011 20:20:10 GMT https://community.cisco.com/t5/network-access-control/identity-rules-priority/m-p/1625840#M287636 boris.majstorovic 2011-02-24T20:20:10Z