AAA override is not supported in HREAP mode.

Thanks,
Nathan

> On Mar 17, 2014, at 7:29 AM, Jeff Rensink <[email protected]> wrote:
>
> It could be one of 2 issues from what I can see.
>
> First, AnyConnect doesn't support anonymous PAC provisioning by default. You
> have to use the NAM profile editor and enable that option. So you could be
> getting a success on the authentication during Phase 0, but the PAC never
> provisions (resulting in the failure on AnyConnect).
>
> Another issue could be stemming from trying to do a AAA override on a locally
> switched WLAN. I have run into issues where the AAA override actually causes
> a failure. Assuming you are running lab code (7.0.116.0), AAA overrides do
> not work on locally switched WLANs on HREAP APs. And in my experience,
> anything beyond just a plain Permit result can result in no connectivity.
> It's been a while since I last tried though, and I cannot remember 100% if
> this result happened with central or local authentication.
>
> Regards,
>
> Jeff Rensink : Sr Instructor : iPexpert
> CCIE # 24834 :: Wireless / R&S
>
> Direct: +1.810.326.1444
>
>> On Mon, Mar 17, 2014 at 9:18 AM, Jay Killion (jakillio) <[email protected]>
>> wrote:
>>
>> I'm having some strange issues with HREAP and AAA Overrides, hoping someone
>> can shed some light…
>>
>> I've created a Network Access Policy to match on HREAP called-station-ID and
>> provide different VLANs based on EAP method, see below -
>>
>> <1B9A67FF-41D1-442A-A803-7310A267BF5E.png>
>>
>> When using AnyConnect to connect to the SSID using EAP-FAST, auth succeeds
>> and the client sees things as all good.
>>
>> <3D070F00-58A6-4C8D-8B81-6504AD2919E9.png>
>>
>> When using PEAP, ACS says auth succeeds and it shows the expected
>> authorization profile.
>>
>> <4821EA8A-7810-4D11-A836-F3358EC0192F.png>
>>
>> However, AnyConnect says "authentication failed" even with ACS saying it
>> succeeds – but only when using PEAP (FAST works fine). Any thoughts? I've
>> stopped / started ACS, but no luck.
>>
>> Thanks -
>>
>> Jay Killion, CCIE #17873 R/S
>>
>> _______________________________________________
>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>
>> iPexpert on YouTube: www.youtube.com/ipexpertinc
