
Identity rules priority

Our customer wants to implement 802.1x authentication with ACS 5.2 and AD as the external identity store.

But when a non-802.1x-capable device connects to an 802.1x-enabled switch port, authentication should be by MAC.

We have configured the switch with 802.1x and MAC auth bypass.

We also defined AD as the external identity store, and the MAC addresses in Internal Hosts.

There are two policies in

Access Policies > ... > Access Services > Default Network Access > Identity

Rule                        Condition                        Identity Source
2. AD                       NDG:Location in All Locations    AD1
1. Non802.1xCapableDevices  NDG:Location in All Locations    Internal Hosts

The problem is that only the first rule is considered. If we try to authenticate with a laptop with 802.1x disabled (its MAC is in Internal Hosts), authentication is OK. When we enable 802.1x on the LAN, there is no authentication (user not found).

After we changed the order of the policies:

Rule                        Condition                        Identity Source
1. AD                       NDG:Location in All Locations    AD1
2. Non802.1xCapableDevices  NDG:Location in All Locations    Internal Hosts

The situation is reversed: the user is authenticated but the MAC isn't.

Where is the error?

Thanks

1 Accepted Solution

Accepted Solutions

Yudong Wu
Level 7
Level 7

In Access Policies > > Access Services > Default Network Access > Identity, if you use "  

ACS should just use the first match.

You can configure an "Identity Store Sequence" in Users and Identity Stores > Identity Store Sequences; make sure you select "Internal Hosts" first and then AD. Then you can use this identity store sequence in "Default Network Access > Identity".

View solution in original post
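The following is an added illustration, not code from this thread or from Cisco ACS. It models the behaviour the accepted answer describes: the Identity policy is first-match, so when both rules carry the same always-true condition (NDG:Location in All Locations) only the top rule ever fires and ACS consults just the one store that rule names. Whichever request type the top rule was not written for then fails with "user not found". Replacing the two rules with one rule that points at an Identity Store Sequence (Internal Hosts first, then AD1) lets a single match try both stores in order. The store contents, MAC address, username and sequence name are constructed sample data.

```python
"""Toy model of ACS 5.x identity-rule evaluation (added example, not ACS code)."""
from dataclasses import dataclass

# Constructed sample identity stores. Keys are the identity presented by the
# request: a MAC address for MAC Authentication Bypass, a username for 802.1X.
STORES = {
    "Internal Hosts": {"00:11:22:33:44:55"},   # hypothetical MAB endpoint
    "AD1": {"CORP\\alice"},                    # hypothetical AD user
}


@dataclass
class Request:
    ndg_location: str   # location of the switch sending the request
    identity: str       # MAC (MAB) or username (802.1X)


@dataclass
class IdentityRule:
    name: str
    location: str       # NDG:Location condition; "All Locations" matches any switch
    result: str         # identity store name or identity store sequence name


def rule_matches(rule: IdentityRule, req: Request) -> bool:
    return rule.location == "All Locations" or rule.location == req.ndg_location


def lookup(store_names, identity):
    """Walk the given stores in order; return the first store holding the identity."""
    for name in store_names:
        if identity in STORES[name]:
            return name
    return None


def evaluate(rules, sequences, req):
    """First-match policy: the first rule whose condition holds decides which
    store(s) ACS consults; no later rule is tried, even if it would have matched."""
    for rule in rules:
        if rule_matches(rule, req):
            stores = sequences.get(rule.result, [rule.result])
            found = lookup(stores, req.identity)
            return ("OK" if found else "user not found", rule.name, found)
    return ("no rule matched", None, None)


MAB = Request("Building A", "00:11:22:33:44:55")
DOT1X = Request("Building A", "CORP\\alice")


def two_rules(first: str):
    """Reproduce the thread's symptom for either rule order.
    Returns (MAB outcome, 802.1X outcome)."""
    mab_rule = IdentityRule("Non802.1xCapableDevices", "All Locations", "Internal Hosts")
    ad_rule = IdentityRule("AD", "All Locations", "AD1")
    rules = [mab_rule, ad_rule] if first == "hosts" else [ad_rule, mab_rule]
    return evaluate(rules, {}, MAB)[0], evaluate(rules, {}, DOT1X)[0]


def sequence_rule():
    """The accepted fix: one rule pointing at a sequence of Internal Hosts then AD1."""
    sequences = {"HostsThenAD": ["Internal Hosts", "AD1"]}   # hypothetical sequence name
    rules = [IdentityRule("Default", "All Locations", "HostsThenAD")]
    return evaluate(rules, sequences, MAB)[0], evaluate(rules, sequences, DOT1X)[0]


if __name__ == "__main__":
    print("Internal Hosts rule first:", two_rules("hosts"))    # ('OK', 'user not found')
    print("AD rule first:           ", two_rules("ad"))       # ('user not found', 'OK')
    print("Identity store sequence: ", sequence_rule())       # ('OK', 'OK')
```

The ordering inside the sequence matters for the same first-match reason: a MAC address will never be found in AD1, and a username will never be found in Internal Hosts, so putting Internal Hosts first means MAB requests are resolved immediately while 802.1X requests fall through to AD.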

2 Replies 2


Thanks

It solved the problem