Okay, this is bugging me to no end, so I figured I'd test the waters with it.
Recently deployed an ACS 5.1 to my environmnet.
For my WLC Access Policies to handle MAC and Users, I have the following defined for the Rules
Identity:
| Rule-1 | match PEAP | match EAP-MSCHAPv2 | -ANY- | -ANY- | AD1 |
| ** | | Default | If no rules defined or no enabled rule matches. | Internal Hosts | |
Essentially, Rule 1 says that if it sees PEAP and EAP-MSCHAPv2, user AD to find the user. Otherwise, you're going to the default for an internal host lookup.
Now, what the interesting issue I'm seeing and driving me batty is this:
| Aug 31,10 10:23:07.946 PM | | | | user1 | 00-22-FA-XX-XX-XX | WLC Radius | PEAP (EAP-MSCHAPv2) | WLC3 | 192.168.XXX.XX | | | acs02 | |
| Aug 31,10 10:23:03.286 PM | | | | user1 | 00-22-FA-XX-XX-XX | WLC Radius | PEAP (EAP-MSCHAPv2) | WLC3 | 192.168.XXX.XX | | | acs02 | 22056 Subject not found in the applicable identity store(s). |
Now, further investigating for the failure shows that the failure is happening because its hitting the "Default" Identny rule, instead of matching on Rule-1. When it attempts a second time 4 ms later, it hits Rule-1 and processes correctly.
So, the question is, how can I stream line my policy so that I don't have the denied request? It seems silly that when a request comes in from a call station that it would process Rule-1, see that it doesn't match, process Default, matches, authorizes, and when that call station starts the second half for dot1x now that MAC authentication is done, starts on Default...
Message was edited by: spellluck - Removed hyperlinks from cut/paste.
