https://community.cisco.com/t5/network-access-control/nac-deployment/m-p/892432#M386880 <P>Hi mates,</P><P></P><P>We're working in a NAC solution for our network and we've got a problem I hope you'll help us to solve.</P><P></P><P>Our architecture is described bellow:</P><P></P><P>- Windows 802.1x supplicant configured with Protected EAP (PEAP) and secure password (EAP-MSCHAP v2).</P><P></P><P>- Cisco Catalyst 2960 Switches with the following configuration:</P><P></P><P>aaa authentication dot1x default group radius</P><P>aaa authorization network default group radius</P><P>â&#128;¦.</P><P>dot1x system-auth-control</P><P>â&#128;¦.</P><P>!</P><P>interface FastEthernet0/X</P><P> switchport mode access</P><P> dot1x pae authenticator</P><P> dot1x port-control auto</P><P> dot1x max-reauth-req 1</P><P> dot1x guest-vlan 20</P><P> dot1x auth-fail vlan 20</P><P> dot1x auth-fail max-attempts 1</P><P>!</P><P>â&#128;¦â&#128;¦.</P><P>radius-server host 172.19.128.200 auth-port 1645 acct-port 1646 key XXXXX</P><P>radius-server source-ports 1645-1646</P><P></P><P>- Radius Authentication Server (Cisco Secure ACS v3.3) authenticating against a Domain Controller configured as an External User Database using the Cisco Secure ACS Remote Agent</P><P></P><P></P><P>We want to use machine authentication to download the domain policy and user authentication to dynamically assign a vlan (until now we've only tried the user authentication). For unknown users we consider two possibilities:</P><P></P><P>- Unknown user without 802.1x supplicant: After a timeout it is assigned to the guest-vlan.</P><P>- Unknown user with 802.1x supplicant: It should be assigned to the Fail-Auth VLAN.</P><P></P><P>And that's the point we can't get over. When an unknown user with 802.1x supplicant tries to connect to our network the supplicant keeps in the Authenticating state and the switch port remains Unauthorized. In the Radius Server (ACS) logs don't appear failed attempts. It seems that the ACS is applying the Unknown Users Policy and indefinitely tries to authenticate the user against the External User Database. It never sends a reject.</P><P></P><P>I've checked the ACS configuration looking for some kind of â&#128;&#156;timeoutâ&#128;&#157; or â&#128;&#156;failed attemptsâ&#128;&#157; parameter in External User Database configuration to force it to send the reject but I haven't succeeded. The same with the Catalyst 2960 dot1x configuration..</P><P></P><P>How can we solve this issue?</P><P></P><P>Thanks a lot in advance!!</P><P>Coloma</P><P></P> Sun, 10 Mar 2019 22:34:00 GMT colomacrespi 2019-03-10T22:34:00Z https://community.cisco.com/t5/network-access-control/nac-deployment/m-p/892432#M386880 <P>Hi mates,</P><P></P><P>We're working in a NAC solution for our network and we've got a problem I hope you'll help us to solve.</P><P></P><P>Our architecture is described bellow:</P><P></P><P>- Windows 802.1x supplicant configured with Protected EAP (PEAP) and secure password (EAP-MSCHAP v2).</P><P></P><P>- Cisco Catalyst 2960 Switches with the following configuration:</P><P></P><P>aaa authentication dot1x default group radius</P><P>aaa authorization network default group radius</P><P>â&#128;¦.</P><P>dot1x system-auth-control</P><P>â&#128;¦.</P><P>!</P><P>interface FastEthernet0/X</P><P> switchport mode access</P><P> dot1x pae authenticator</P><P> dot1x port-control auto</P><P> dot1x max-reauth-req 1</P><P> dot1x guest-vlan 20</P><P> dot1x auth-fail vlan 20</P><P> dot1x auth-fail max-attempts 1</P><P>!</P><P>â&#128;¦â&#128;¦.</P><P>radius-server host 172.19.128.200 auth-port 1645 acct-port 1646 key XXXXX</P><P>radius-server source-ports 1645-1646</P><P></P><P>- Radius Authentication Server (Cisco Secure ACS v3.3) authenticating against a Domain Controller configured as an External User Database using the Cisco Secure ACS Remote Agent</P><P></P><P></P><P>We want to use machine authentication to download the domain policy and user authentication to dynamically assign a vlan (until now we've only tried the user authentication). For unknown users we consider two possibilities:</P><P></P><P>- Unknown user without 802.1x supplicant: After a timeout it is assigned to the guest-vlan.</P><P>- Unknown user with 802.1x supplicant: It should be assigned to the Fail-Auth VLAN.</P><P></P><P>And that's the point we can't get over. When an unknown user with 802.1x supplicant tries to connect to our network the supplicant keeps in the Authenticating state and the switch port remains Unauthorized. In the Radius Server (ACS) logs don't appear failed attempts. It seems that the ACS is applying the Unknown Users Policy and indefinitely tries to authenticate the user against the External User Database. It never sends a reject.</P><P></P><P>I've checked the ACS configuration looking for some kind of â&#128;&#156;timeoutâ&#128;&#157; or â&#128;&#156;failed attemptsâ&#128;&#157; parameter in External User Database configuration to force it to send the reject but I haven't succeeded. The same with the Catalyst 2960 dot1x configuration..</P><P></P><P>How can we solve this issue?</P><P></P><P>Thanks a lot in advance!!</P><P>Coloma</P><P></P> Sun, 10 Mar 2019 22:34:00 GMT https://community.cisco.com/t5/network-access-control/nac-deployment/m-p/892432#M386880 colomacrespi 2019-03-10T22:34:00Z https://community.cisco.com/t5/network-access-control/nac-deployment/m-p/892433#M386902 <HTML><HEAD></HEAD><BODY><P>Check if you have properly configured the groups in the ACS. Also check if the 2960 switch is configured under proper group in the ACS. If this does not works remove all the groups in ACS and configure all of the users in same group and check if the authentication is possible.</P></BODY></HTML> Thu, 20 Dec 2007 14:57:23 GMT https://community.cisco.com/t5/network-access-control/nac-deployment/m-p/892433#M386902 didyap 2007-12-20T14:57:23Z