12-22-2010 01:57 PM - edited 03-10-2019 05:40 PM
Hello Team,
I have a problem with NAC-L2-IP on a Catalyst 3750. Posture validation completes successfully, and the host is assigned a Healthy token (or Quarantine, depending on what I set on ACS). I use a profile-based NAC-L2-IP Network Access Profile along with the default Downloadable IP ACL (NAC_SAMPLE_HEALTHY_ACL = permit ip any any). For some reason, even after posture validation has taken place, the ACL on the interface stays the same and the Catalyst does not insert anything on top of the ACL. What is even worse, I don't see any mention of "permit ip any any" in the RADIUS debugs.
Looks like something is missing in the ACS configuration (ACS 4.2), but I cannot figure out where to look. Any advice will be highly appreciated.
Dec 22 13:29:57: RADIUS: Received from id 1645/10 2.2.2.2:1645, Access-Accept, len 289
Dec 22 13:29:57: RADIUS: authenticator 5B D1 1C D0 82 52 BF 53 - B2 F3 AF 9E C1 A4 22 45
Dec 22 13:29:57: RADIUS: Session-Timeout [27] 6 36000
Dec 22 13:29:57: RADIUS: Termination-Action [29] 6 1
Dec 22 13:29:57: RADIUS: Vendor, Cisco [26] 32
Dec 22 13:29:57: RADIUS: Cisco AVpair [1] 26 "status-query-timeout=300"
Dec 22 13:29:57: RADIUS: Vendor, Cisco [26] 29
Dec 22 13:29:57: RADIUS: Cisco AVpair [1] 23 "posture-token=Healthy"
Dec 22 13:29:57: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
Dec 22 13:29:57: RADIUS: EAP-Message [79] 6
Dec 22 13:29:57: RADIUS: 03 14 00 04
Dec 22 13:29:57: RADIUS: Vendor, Microsoft [26] 58
Dec 22 13:29:57: RADIUS: MS-MPPE-Send-Key [16] 52 *
Dec 22 13:29:57: RADIUS: Vendor, Microsoft [26] 58
Dec 22 13:29:57: RADIUS: MS-MPPE-Recv-Key [17] 52 *
Dec 22 13:29:57: RADIUS: User-Name [1] 22 "LENOVO-4903350B:andy"
Dec 22 13:29:57: RADIUS: Class [25] 28
Dec 22 13:29:57: RADIUS: 43 41 43 53 3A 38 2F 31 34 34 66 2F 61 63 31 30 [CACS:8/144f/ac10]
Dec 22 13:29:57: RADIUS: 30 31 36 36 2F 35 30 30 32 31 [ 0166/50021]
Dec 22 13:29:57: RADIUS: Message-Authenticato[80] 18
Dec 22 13:29:57: RADIUS: 7F 58 7C D7 58 90 EC 13 88 74 05 F5 25 8B 1E 6E [ X|Xt?n]
Dec 22 13:29:57: RADIUS(00000255): Received from id 1645/10
Dec 22 13:29:57: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Dec 22 13:29:57: %EOU-6-POLICY: IP 172.16.1.186| TOKEN Healthy
Dec 22 13:29:57: %EOU-6-POLICY: IP 172.16.1.186| HOSTNAME LENOVO-4903350B:andy
Dec 22 13:29:57: %EOU-6-POSTURE: IP=172.16.1.186| HOST=AUTHORIZED| Interface=FastEthernet0/21
Dec 22 13:29:57: %EOU-6-AUTHTYPE: IP=172.16.1.186| AuthType=EAP
Dec 22 13:29:57: %EPM-6-POLICY_REQ: IP 172.16.1.186| MAC 001e.686f.9bab| AuditSessionID AC1001660000003552B29435| AUTHTYPE EAPOUDP| EVENT APPLY
12-23-2010 09:22 AM
The NAD in ACS was configured as IETF RADIUS. As soon as we changed the type to IOS/PIX RADIUS, NAC started working as it should.
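As an added example (not from the thread), a small Python check over `debug radius` output like the one above: it extracts the Cisco AV-pairs of the Access-Accept and flags the symptom described here, a posture-token with no accompanying ACL attribute. The dACL attribute name `ACS:CiscoSecure-Defined-ACL` in the second sample is an assumption about what a correctly configured ACS returns, not something shown in the post.

```python
import re

# Constructed sample: a trimmed copy of the "debug radius" lines from the thread.
SAMPLE_ACCEPT = """\
Dec 22 13:29:57: RADIUS: Received from id 1645/10 2.2.2.2:1645, Access-Accept, len 289
Dec 22 13:29:57: RADIUS: Cisco AVpair [1] 26 "status-query-timeout=300"
Dec 22 13:29:57: RADIUS: Cisco AVpair [1] 23 "posture-token=Healthy"
Dec 22 13:29:57: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
"""

# Constructed comparison: the same accept plus a dACL reference. The attribute
# name is an assumption about ACS downloadable-ACL behaviour, not from the post.
SAMPLE_WITH_DACL = SAMPLE_ACCEPT + (
    'Dec 22 13:29:57: RADIUS: Cisco AVpair [1] 60 '
    '"ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-NAC_SAMPLE_HEALTHY_ACL-4d1234ab"\n'
)

AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')


def parse_avpairs(debug_text):
    """Return the Cisco AV-pairs found in the debug as a dict {name: value}."""
    pairs = {}
    for line in debug_text.splitlines():
        m = AVPAIR_RE.search(line)
        if m and "=" in m.group(1):
            name, value = m.group(1).split("=", 1)
            pairs[name] = value
    return pairs


def check_nac_accept(debug_text):
    """Classify a NAC-L2-IP Access-Accept. Returns (status, detail)."""
    if "Access-Accept" not in debug_text:
        return ("not-accept", "no Access-Accept in the captured debug")
    pairs = parse_avpairs(debug_text)
    token = pairs.get("posture-token")
    if token is None:
        return ("no-token", "posture validation returned no posture-token")
    # Any AV-pair naming an ACL (dACL reference or inline ip:inacl entries).
    acl_attrs = [k for k in pairs if "ACL" in k.upper()]
    if not acl_attrs:
        return ("token-without-acl",
                f"token={token}; no ACL attribute returned: check the NAD's "
                "device type in ACS (IETF RADIUS vs IOS/PIX RADIUS)")
    return ("ok", f"token={token}; ACL attrs: {', '.join(acl_attrs)}")


if __name__ == "__main__":
    for sample in (SAMPLE_ACCEPT, SAMPLE_WITH_DACL):
        print(check_nac_accept(sample))
```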