ACL in NAC-L2-IP on Catalyst 3750

Hello Team,

I have a problem with NAC-L2-IP on a Catalyst 3750. Posture validation completes successfully, and the host is assigned the Healthy token (or Quarantine, depending on what I put on ACS). I use a profile-based NAC-L2-IP Network Access Profile along with the default Downloadable IP ACL (NAC_SAMPLE_HEALTHY_ACL = permit ip any any). For some reason, even after posture validation takes place, the ACL on the interface stays the same and the Catalyst does not insert anything on top of the ACL. What is even worse, I don't see any mention of "permit ip any any" in the RADIUS debugs.

It looks like something is missing in the ACS configuration (ACS 4.2), but I cannot figure out where to look. Any advice will be highly appreciated.

Dec 22 13:29:57: RADIUS: Received from id 1645/10 2.2.2.2:1645, Access-Accept, len 289
Dec 22 13:29:57: RADIUS:  authenticator 5B D1 1C D0 82 52 BF 53 - B2 F3 AF 9E C1 A4 22 45
Dec 22 13:29:57: RADIUS:  Session-Timeout     [27]  6   36000
Dec 22 13:29:57: RADIUS:  Termination-Action  [29]  6   1
Dec 22 13:29:57: RADIUS:  Vendor, Cisco       [26]  32
Dec 22 13:29:57: RADIUS:   Cisco AVpair       [1]   26  "status-query-timeout=300"
Dec 22 13:29:57: RADIUS:  Vendor, Cisco       [26]  29
Dec 22 13:29:57: RADIUS:   Cisco AVpair       [1]   23  "posture-token=Healthy"
Dec 22 13:29:57: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
Dec 22 13:29:57: RADIUS:  EAP-Message         [79]  6
Dec 22 13:29:57: RADIUS:   03 14 00 04
Dec 22 13:29:57: RADIUS:  Vendor, Microsoft   [26]  58
Dec 22 13:29:57: RADIUS:   MS-MPPE-Send-Key   [16]  52  *
Dec 22 13:29:57: RADIUS:  Vendor, Microsoft   [26]  58
Dec 22 13:29:57: RADIUS:   MS-MPPE-Recv-Key   [17]  52  *
Dec 22 13:29:57: RADIUS:  User-Name           [1]   22  "LENOVO-4903350B:andy"
Dec 22 13:29:57: RADIUS:  Class               [25]  28
Dec 22 13:29:57: RADIUS:   43 41 43 53 3A 38 2F 31 34 34 66 2F 61 63 31 30  [CACS:8/144f/ac10]
Dec 22 13:29:57: RADIUS:   30 31 36 36 2F 35 30 30 32 31        [ 0166/50021]
Dec 22 13:29:57: RADIUS:  Message-Authenticato[80]  18
Dec 22 13:29:57: RADIUS:   7F 58 7C D7 58 90 EC 13 88 74 05 F5 25 8B 1E 6E            [ X|Xt?n]
Dec 22 13:29:57: RADIUS(00000255): Received from id 1645/10
Dec 22 13:29:57: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Dec 22 13:29:57: %EOU-6-POLICY: IP 172.16.1.186| TOKEN Healthy
Dec 22 13:29:57: %EOU-6-POLICY: IP 172.16.1.186| HOSTNAME LENOVO-4903350B:andy
Dec 22 13:29:57: %EOU-6-POSTURE: IP=172.16.1.186| HOST=AUTHORIZED| Interface=FastEthernet0/21
Dec 22 13:29:57: %EOU-6-AUTHTYPE: IP=172.16.1.186| AuthType=EAP
Dec 22 13:29:57: %EPM-6-POLICY_REQ: IP 172.16.1.186| MAC 001e.686f.9bab| AuditSessionID AC1001660000003552B29435| AUTHTYPE EAPOUDP| EVENT APPLY

1 Reply

The NAD in ACS was configured as IETF RADIUS. As soon as we changed the type to IOS/PIX RADIUS, NAC started working as it should.
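A quick way to triage this kind of Access-Accept from the "debug radius" output above, before and after the NAD-type change: pull out the Cisco AV-pairs and check whether a posture token arrived without a downloadable-ACL reference. This is an added example, not code from the thread; the AV-pair name ACS:CiscoSecure-Defined-ACL and the sample debug text are assumptions constructed for the demonstration.

```python
import re

# Constructed sample, trimmed from the Access-Accept in the post above:
# a posture token is present but no dACL AV-pair accompanies it.
DEBUG_NO_DACL = """\
Dec 22 13:29:57: RADIUS: Received from id 1645/10 2.2.2.2:1645, Access-Accept, len 289
Dec 22 13:29:57: RADIUS:  Session-Timeout     [27]  6   36000
Dec 22 13:29:57: RADIUS:  Vendor, Cisco       [26]  32
Dec 22 13:29:57: RADIUS:   Cisco AVpair       [1]   26  "status-query-timeout=300"
Dec 22 13:29:57: RADIUS:  Vendor, Cisco       [26]  29
Dec 22 13:29:57: RADIUS:   Cisco AVpair       [1]   23  "posture-token=Healthy"
Dec 22 13:29:57: RADIUS:  User-Name           [1]   22  "LENOVO-4903350B:andy"
"""

# Constructed sample of what a working accept would carry: the same token plus
# a dACL reference (assumed attribute name and an obviously made-up suffix).
DEBUG_WITH_DACL = DEBUG_NO_DACL + """\
Dec 22 13:29:57: RADIUS:  Vendor, Cisco       [26]  70
Dec 22 13:29:57: RADIUS:   Cisco AVpair       [1]   64  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-NAC_SAMPLE_HEALTHY_ACL-PLACEHOLDER"
"""

AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')
DACL_AVPAIR = "ACS:CiscoSecure-Defined-ACL"  # assumed name of the dACL AV-pair


def parse_avpairs(debug_text):
    """Return {key: value} for every Cisco AVpair in the debug text."""
    pairs = {}
    for match in AVPAIR_RE.finditer(debug_text):
        key, _, value = match.group(1).partition("=")
        pairs[key] = value
    return pairs


def check_nac_accept(debug_text):
    """Classify an Access-Accept: token present, dACL reference present or not."""
    if "Access-Accept" not in debug_text:
        return {"ok": False, "reason": "not an Access-Accept"}
    pairs = parse_avpairs(debug_text)
    token = pairs.get("posture-token")
    if token is None:
        return {"ok": False, "reason": "no posture-token in Access-Accept"}
    dacl = pairs.get(DACL_AVPAIR)
    if dacl is None:
        # This is the symptom in the post: policy applied, but nothing to download.
        return {"ok": False, "reason": "posture token without dACL reference", "token": token}
    return {"ok": True, "token": token, "dacl": dacl}
```

Feed it the full "debug radius" capture from the switch; an Access-Accept that reports a token but no dACL reference points at the ACS side (NAD type or profile) rather than at the switch ACL.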
