
ACL in NAC-L2-IP on Catalyst 3750

Hello Team,

I have a problem with NAC-L2-IP on a Catalyst 3750. Posture validation completes successfully, and the host is assigned the Healthy token (or Quarantine, depending on what I put on ACS). I use a profile-based NAC-L2-IP Network Access Profile along with the default Downloadable IP ACL (NAC_SAMPLE_HEALTHY_ACL = permit ip any any). For some reason, even after posture validation takes place, the ACL on the interface is still the same and the Catalyst does not insert anything on top of the ACL. What is even worse, I don't see any mention of "permit ip any any" in the RADIUS debugs.

It looks like something is missing in the ACS configuration (ACS 4.2), but I cannot figure out where to look. Any advice will be highly appreciated.

Dec 22 13:29:57: RADIUS: Received from id 1645/10 2.2.2.2:1645, Access-Accept, len 289
Dec 22 13:29:57: RADIUS:  authenticator 5B D1 1C D0 82 52 BF 53 - B2 F3 AF 9E C1 A4 22 45
Dec 22 13:29:57: RADIUS:  Session-Timeout     [27]  6   36000
Dec 22 13:29:57: RADIUS:  Termination-Action  [29]  6   1
Dec 22 13:29:57: RADIUS:  Vendor, Cisco       [26]  32
Dec 22 13:29:57: RADIUS:   Cisco AVpair       [1]   26  "status-query-timeout=300"
Dec 22 13:29:57: RADIUS:  Vendor, Cisco       [26]  29
Dec 22 13:29:57: RADIUS:   Cisco AVpair       [1]   23  "posture-token=Healthy"
Dec 22 13:29:57: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
Dec 22 13:29:57: RADIUS:  EAP-Message         [79]  6
Dec 22 13:29:57: RADIUS:   03 14 00 04
Dec 22 13:29:57: RADIUS:  Vendor, Microsoft   [26]  58
Dec 22 13:29:57: RADIUS:   MS-MPPE-Send-Key   [16]  52  *
Dec 22 13:29:57: RADIUS:  Vendor, Microsoft   [26]  58
Dec 22 13:29:57: RADIUS:   MS-MPPE-Recv-Key   [17]  52  *
Dec 22 13:29:57: RADIUS:  User-Name           [1]   22  "LENOVO-4903350B:andy"
Dec 22 13:29:57: RADIUS:  Class               [25]  28
Dec 22 13:29:57: RADIUS:   43 41 43 53 3A 38 2F 31 34 34 66 2F 61 63 31 30  [CACS:8/144f/ac10]
Dec 22 13:29:57: RADIUS:   30 31 36 36 2F 35 30 30 32 31        [ 0166/50021]
Dec 22 13:29:57: RADIUS:  Message-Authenticato[80]  18
Dec 22 13:29:57: RADIUS:   7F 58 7C D7 58 90 EC 13 88 74 05 F5 25 8B 1E 6E            [ X|Xt?n]
Dec 22 13:29:57: RADIUS(00000255): Received from id 1645/10
Dec 22 13:29:57: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Dec 22 13:29:57: %EOU-6-POLICY: IP 172.16.1.186| TOKEN Healthy
Dec 22 13:29:57: %EOU-6-POLICY: IP 172.16.1.186| HOSTNAME LENOVO-4903350B:andy
Dec 22 13:29:57: %EOU-6-POSTURE: IP=172.16.1.186| HOST=AUTHORIZED| Interface=FastEthernet0/21
Dec 22 13:29:57: %EOU-6-AUTHTYPE: IP=172.16.1.186| AuthType=EAP
Dec 22 13:29:57: %EPM-6-POLICY_REQ: IP 172.16.1.186| MAC 001e.686f.9bab| AuditSessionID AC1001660000003552B29435| AUTHTYPE EAPOUDP| EVENT APPLY
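As an added example (not code from the original post or from Cisco), here is a small Python parser for the `debug radius` output above. It pulls the Cisco AV pairs out of the Access-Accept and flags exactly the condition the post describes: a posture token is present but no AV pair that would carry an ACL to the switch. The sample text is a trimmed, constructed copy of the post's debug plus a hypothetical "fixed" Access-Accept; the AV-pair prefixes `ip:inacl#` and `ACS:CiscoSecure-Defined-ACL=` and the `#ACSACL#-IP-...` name are assumptions about how a Cisco NAD receives a per-session ACL, and the attribute lengths in the fixed sample are illustrative.

```python
import re

# Constructed sample: the Access-Accept lines from the post, trimmed to the
# attributes that matter here. Note it carries Cisco VSAs (posture token,
# status-query timeout) but nothing that names an ACL.
BROKEN_DEBUG = """\
Dec 22 13:29:57: RADIUS: Received from id 1645/10 2.2.2.2:1645, Access-Accept, len 289
Dec 22 13:29:57: RADIUS:  Session-Timeout     [27]  6   36000
Dec 22 13:29:57: RADIUS:  Vendor, Cisco       [26]  32
Dec 22 13:29:57: RADIUS:   Cisco AVpair       [1]   26  "status-query-timeout=300"
Dec 22 13:29:57: RADIUS:  Vendor, Cisco       [26]  29
Dec 22 13:29:57: RADIUS:   Cisco AVpair       [1]   23  "posture-token=Healthy"
Dec 22 13:29:57: RADIUS:  User-Name           [1]   22  "LENOVO-4903350B:andy"
"""

# Hypothetical "fixed" accept: same attributes plus an AV pair referencing an
# ACS-defined downloadable ACL (constructed; the #ACSACL# name and lengths
# are illustrative assumptions, not taken from the post).
FIXED_DEBUG = BROKEN_DEBUG + """\
Dec 22 13:29:57: RADIUS:  Vendor, Cisco       [26]  79
Dec 22 13:29:57: RADIUS:   Cisco AVpair       [1]   73  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-NAC_SAMPLE_HEALTHY_ACL-4a7b1c2d"
"""

# 'debug radius' prints each decoded cisco-av-pair on its own line, quoted.
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')
# The header line of a received Access-Accept carries the server address.
ACCEPT_RE = re.compile(r'RADIUS: Received from id \S+ (\S+), Access-Accept')

# AV-pair prefixes that deliver a per-session ACL to a Cisco NAD. Assumption:
# an inline per-user ACE ("ip:inacl#N=...") or a reference to a downloadable
# ACL defined on ACS ("ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-...").
ACL_PREFIXES = ("ip:inacl#", "ACS:CiscoSecure-Defined-ACL=")


def parse_accept(debug_text):
    """Return (server, [av_pairs]) from one 'debug radius' Access-Accept."""
    server = None
    pairs = []
    for line in debug_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            server = m.group(1)
        m = AVPAIR_RE.search(line)
        if m:
            pairs.append(m.group(1))
    return server, pairs


def acl_status(debug_text):
    """Summarise what the Access-Accept carries for policy enforcement.

    acl_missing is True when the server returned a posture token (so the
    posture side of NAC worked) but no AV pair that names an ACL, which is
    the symptom described in the post: the interface ACL never changes.
    """
    server, pairs = parse_accept(debug_text)
    token = next(
        (p.split("=", 1)[1] for p in pairs if p.startswith("posture-token=")),
        None,
    )
    acls = [p for p in pairs if p.startswith(ACL_PREFIXES)]
    return {
        "server": server,
        "posture_token": token,
        "acl_avpairs": acls,
        "acl_missing": token is not None and not acls,
    }


if __name__ == "__main__":
    for label, text in (("post's debug", BROKEN_DEBUG), ("fixed sample", FIXED_DEBUG)):
        s = acl_status(text)
        verdict = "NO ACL AV PAIR" if s["acl_missing"] else "acl ok"
        print(f"{label}: server={s['server']} token={s['posture_token']} "
              f"acls={s['acl_avpairs']} -> {verdict}")
```

Run against a full `debug radius` capture this tells you, per Access-Accept, whether the server ever sent an ACL at all, which separates "ACS is not returning the dACL" from "the switch received it but did not apply it" before touching the ACS profile or the NAD entry.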

1 Reply

The NAD in ACS was configured as IETF RADIUS. As soon as we changed the type to IOS/PIX RADIUS, NAC started working as it should.