NAC CPL Troubleshooting

RobertMeany9257
Level 1

I have a NAC CPL that works fine on my ip-base switch with 3.6.9 but has issues on my lanbase with 16.3.8.

On the 16.3.8 switch, the port fails auth, applies the guest network template and then immediately un-applies it and reattempts authentication repeatedly forever.

Here's the policy map:

policy-map type control subscriber CPS_MAB_DOT1X_GUEST_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 activate service-template GUEST_ACCESS
   30 authorize
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 20
  30 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 activate service-template GUEST_ACCESS
   30 authorize
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 5

Any help figuring this out would be appreciated.

Accepted Solutions

RobertMeany9257
Level 1

The problem went away by placing the authorize statement before the activate service-template statement. The access manager was immediately unauthorizing after authorizing with the authorize statement being last (for some reason).
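
An added example, not part of the original post and not Cisco tooling: a small Python check that scans a saved configuration for control policy classes where `authorize` comes after `activate service-template`, the ordering the poster found to cause the loop on 16.3.8. The function name and the rule itself are assumptions drawn from that single observation, not documented Cisco behavior.

```python
import re

# Policy map as posted above (the final catch-all class is omitted for brevity).
POSTED = """\
policy-map type control subscriber CPS_MAB_DOT1X_GUEST_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 activate service-template GUEST_ACCESS
   30 authorize
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 20
  30 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 activate service-template GUEST_ACCESS
   30 authorize
"""

CLASS_RE = re.compile(r"^\s*\d+ class (\S+)")
ACTION_RE = re.compile(r"^\s*\d+ (activate service-template \S+|authorize)\s*$")

def find_late_authorize(config):
    """Return (policy, event, class) for each class whose 'authorize'
    action comes after an 'activate service-template' action."""
    findings = []
    policy = event = cls = None
    activated = False
    for line in config.splitlines():
        words = line.split()
        if line.lstrip().startswith("policy-map type control subscriber "):
            policy, event, cls = words[-1], None, None
        elif words[:1] == ["event"] and len(words) > 1:
            event, cls = words[1], None
        elif m := CLASS_RE.match(line):
            cls, activated = m.group(1), False  # new class: reset state
        elif cls and (m := ACTION_RE.match(line)):
            if m.group(1) != "authorize":
                activated = True  # template activated earlier in this class
            elif activated:
                findings.append((policy, event, cls))
    return findings

if __name__ == "__main__":
    for policy, event, cls in find_late_authorize(POSTED):
        print(f"{policy}: event {event}, class {cls}: authorize follows activate service-template")
```

Run against the posted policy map, it reports the DOT1X_NO_RESP and DOT1X_FAILED classes; after the reordering described in the accepted solution it reports nothing.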
