Hello Experts,

I am running a PoC on UAC for a client and ran into this challenge. The switchport refuses to change to the newly assigned VLAN returned by the MAG after successful remediation.

When a user connects his end system to the network, he is authenticated against either the System Local RADIUS server on the MAG or against AD. After successful authentication of the user, the user's endpoint device is checked for posture assessment, e.g. an updated anti-virus patch. The user Role depends on compliance with the Host Checker security policy. If the user complies, he is assigned to the Employee Role (VLAN 10); should the user fail the posture test, he is placed in the Quarantine Role (VLAN 655). However, I noticed that all users are placed in the Quarantine Role initially; after the Host Checker runs on the user's PC, the user role is either upgraded or left in the Quarantine Role. I am in Agent-less mode and I have Cisco devices configured with 802.1x for port-based authentication.

Observation: From my observation, the MAG or IC series device initially assigns users to the Quarantine VLAN (VLAN 655). When users open the URL page, Host Checker is run and the MAG then assigns a new role to compliant systems; this is the Employee Role (VLAN 10). Now, even though the user role has changed on the MAG, the switchport still remains in the auth-fail/guest VLAN, which is the Quarantine VLAN (655).

Switch Sample Config:

    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    !
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    !
    interface FastEthernet0/1
     switchport access vlan 10
     switchport mode access
     dot1x mac-auth-bypass
     dot1x pae authenticator
     dot1x port-control auto
     dot1x timeout tx-period 10
     dot1x max-reauth-req 1
     dot1x reauthentication
     dot1x guest-vlan 655
     dot1x auth-fail vlan 655
     spanning-tree portfast
     spanning-tree bpduguard enable

Please, what could be wrong? I want to have the switchport change from VLAN 655 to VLAN 10 after a successful Host Checker test is run.

Please help... Thanks!

Id.