02-28-2019 12:44 PM
Currently I am in the process of configuring the default MAB authz rule to use CWA with a guest portal for hosts that plug into my SDA fabric and don't match any other rules.
Current issue I am facing:
We utilize NAM/EAP chaining to authenticate computer + user via EAP-FAST (EAP-TLS) with certs/CAC cards. I have several policies set up that have different results depending on the EAP chaining result. Everything works great and as planned, except when a user simply locks their host prior to going home. Per requirements we re-authenticate every 60 minutes. If users reboot their host prior to heading out, the EAP chaining result is machine pass with user fail. For the users that simply lock their box, NAM eventually looks for the user CAC, and the 802.1X process fails, so they fall back to MAB.
I have attempted setting up authz conditions that are based on EAP chaining result EQUALS no-chaining. This seems to work during testing for a short period of time before the endpoint abandons the session and falls back to MAB.
I am looking for suggestions on how I can keep the default rule redirecting unknown hosts to the portal, and also figure out a solution for the users who may simply lock their host when leaving for the day and fall back to MAB. This will need to be a rule above the default, obviously.
Thanks in advance!
03-19-2019 11:22 AM
03-19-2019 11:59 AM
03-19-2019 12:02 PM
Just remember inactive days only works if you have properly set up reauthentication on all your wired results. All wired results should have a wired reauthentication timer set (we usually use 65,000) and the switch needs to be set up properly to accept it:
authentication periodic
authentication timer reauthenticate server
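For context, here is a representative wired access-port configuration that puts the two commands above in place alongside 802.1X-to-MAB fallback. This is an added example, not configuration posted by anyone in the thread; the interface name, the host mode and the dot1x tx-period value are assumptions chosen for illustration.

```cisco
! Added example (not from the thread): wired access port with 802.1X first,
! MAB fallback, and server-driven periodic reauthentication.
! Interface name, host mode and tx-period are assumed values.
interface GigabitEthernet1/0/1
 description Access port - 802.1X with MAB fallback
 switchport mode access
 ! Try 802.1X first; if the supplicant fails or times out, move on to MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication port-control auto
 ! Enable periodic reauthentication and take the interval from the
 ! RADIUS Session-Timeout that the ISE authorization result returns
 ! (the 65,000-second wired reauthentication timer mentioned above).
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
```

The two lines belong together: `authentication timer reauthenticate server` only selects where the interval comes from, and without `authentication periodic` the port never reauthenticates at all, so the timer configured in the ISE result is silently ignored. After applying the config, `show authentication sessions interface GigabitEthernet1/0/1 details` shows the session's current method (dot1x or mab) and the remaining reauthentication time, which is the quickest way to confirm the server-supplied timer is actually in effect on the port.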