Hello,

We are in the process if deploying ACS for several scenarios.  It will be taking over from Microsoft's built in NPS for wireless authentication as well as providing authentication for VPN users and ultimately wired 802.1x services as well.

With respect to the wired access - I've attended a number of sessions at Cisco Live over the past couple of years regarding 802.1x deployment and the initial "monitor mode" to prevent impact to users.  I'm currently configuring a very basic set of rules for the wired deployment and testing.  I've run into some issue with client's connecting behind VoIP phones.

I have a fairly basic set of Service Selection Rules matching on the NAS-Port-Type.  One for Ethernet and one for IEEE-802.11.  From there I have two Access Services configured.  The Wireless policy is working and does not appear to have any issues.  It is using Active Directory and authorizing against AD group memberships.  The Wired policy has two rules, the first matching Auth-method for Lookup and uses the Internal Hosts, the second for MSCHAPv2 which uses Active Directory.

The idea being when mab-auth fails for an 801.x capable client behind a Cisco phone, the next rule in place then authenticates against AD.  I have set the "continue" action for a failed host lookup but it doesn't appear to work:

Then the second auth request is a success:

As you can see the failure and then success are about 5 tenths of a second apart so there's no impact really. 

But my question is this: Is this a good way to structure  the rules?  Every client behind a phone records an auth-failure and then  an auth-success in ACS, so it gives the appearance of a lot of  failures.  Is there a better way to do MAB?

Thanks!

Rob