Looks like exactly what you asked, Kings:

ACS NAP has a profile created from a template profile - "Agentless Host for L2 (802.1x fall back)".
In the authentication section for this profile the router's MAC address is entered into the area "Authenticate MAC with".
ACS creates a record in the Reports -> "Passed Authentications" for this MAC address as successful with the associated shared Radius authorization profile.

The switch AAA config portion is as follows:

aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
interface FastEthernet0/2 //this is where the router is connected
 switchport mode access
 authentication order dot1x mab webauth
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x max-reauth-req 1
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
radius-server vsa send authentication

Eugene

From: Kingsley Charles [mailto:[email protected]]
Sent: 30 April 2012 23:08
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] MAB with 802.1x

Is the MAC address configured in the ACS NAP configured for MAB? Can you paste your AAA config?

With regards
Kings

On Tue, May 1, 2012 at 7:49 AM, Eugene Pefti <[email protected]> wrote:

Folks,

Can anyone give me a clue why the switch reports the status of the port configured for MAC authentication bypass as "UNAUTHORIZED"?
Based on the output below the authorization session succeeded but the summary for dot1x says it is unauthorized. Is it expected?

.May 1 02:25:34.108: %AUTHMGR-5-START: Starting 'mab' for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %MAB-5-SUCCESS: Authentication successful for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %AUTHMGR-5-VLANASSIGN: VLAN 30 assigned to Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.645: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:35.174: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up

SW2#sh dot1x all sum
Interface       PAE     Client          Status
--------------------------------------------------------
Fa0/2           AUTH    none            UNAUTHORIZED
Fa0/5           AUTH    001d.72e2.634c  AUTHORIZED

Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
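
Added example, not part of the original thread: Python that groups the AUTHMGR/MAB syslog lines quoted in the message by AuditSessionID and lists interfaces the log shows as authorized while the `sh dot1x all sum` row does not. The function and variable names are assumptions, the sample text is copied from the post, and only the message types that appear in the post are handled.

```python
import re

# Syslog lines and summary rows copied from the post (sample input for this example).
SAMPLE_LOG = """\
.May 1 02:25:34.108: %AUTHMGR-5-START: Starting 'mab' for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %MAB-5-SUCCESS: Authentication successful for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.142: %AUTHMGR-5-VLANASSIGN: VLAN 30 assigned to Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:34.645: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.f956.e389) on Interface Fa0/2 AuditSessionID 0A000008000000368C2CD8E4
.May 1 02:25:35.174: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
"""
SAMPLE_SUMMARY = """\
Fa0/2 AUTH none UNAUTHORIZED
Fa0/5 AUTH 001d.72e2.634c AUTHORIZED
"""

EVENT = re.compile(r"%(AUTHMGR|MAB)-\d-([A-Z]+): (.*) AuditSessionID ([0-9A-F]+)")

def parse_sessions(log_text):
    """Group AUTHMGR/MAB events by AuditSessionID into one record per session."""
    sessions = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # e.g. LINEPROTO lines carry no session id
        facility, mnemonic, text, sid = m.groups()
        s = sessions.setdefault(sid, {"interface": None, "mac": None, "method": None,
                                      "auth_result": None, "vlan": None, "authorized": False})
        s["interface"] = re.search(r"Interface (\S+)", text).group(1)
        mac = re.search(r"\(([0-9a-f.]+)\)", text)
        s["mac"] = mac.group(1) if mac else s["mac"]
        quoted = re.findall(r"'(\w+)'", text)  # e.g. 'success', 'mab'
        if facility == "AUTHMGR" and mnemonic == "START":
            s["method"] = quoted[0]
        elif facility == "AUTHMGR" and mnemonic == "RESULT":
            s["auth_result"], s["method"] = quoted
        elif mnemonic == "VLANASSIGN":
            s["vlan"] = int(re.search(r"VLAN (\d+)", text).group(1))
        elif facility == "AUTHMGR" and mnemonic == "SUCCESS":
            s["authorized"] = True
    return sessions

def summary_mismatches(sessions, summary_text):
    """Interfaces the log shows as authorized but the dot1x summary does not."""
    status = {r.split()[0]: r.split()[-1] for r in summary_text.splitlines() if r.split()}
    return [(s["interface"], s["method"], status.get(s["interface"]))
            for s in sessions.values()
            if s["authorized"] and status.get(s["interface"]) != "AUTHORIZED"]
```

Calling `summary_mismatches(parse_sessions(SAMPLE_LOG), SAMPLE_SUMMARY)` reports Fa0/2 with the method taken from the log and the status taken from the summary row.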
