NAC seeing MAC authentication as PAP on some Windows End-Systems

  • 0
  • 1
  • Question
  • Updated 3 years ago
  • Answered
Greetings,

Another mysterious problem...

Testing a deployment of NAC (6.3) on a B5 environment (latest FW), for some odd reason, some ESs are displayed using PAP as authentication on NAC Manager while others shows MAC(PAP) as used (and worked well in NMS 5).

They don't use Machine Authentication, just MAC (for Workstations) and 802.1x for users.

I'm getting a lots of calls about ESs with problems connecting to the network, and almost in all cases, the refered ES shows authenticated by PAP. The only way to make it work again is to disconnect the ES network cable and reconnect it... Now the user can logon and work...

I've already created a rule to PAP auth exactly the same as MAC(PAP) auth, just to NAC apply the appropriate role to the ES.

It seems to be a Windows problem, but it worked before the upgrade to 6.3 without issues.

Any ideas?

Best regards,

-Leo
Photo of Leonardo Peixoto

Leonardo Peixoto

  • 2,232 Points 2k badge 2x thumb
  • anxious

Posted 3 years ago

  • 0
  • 1
Photo of Pala, Zdenek

Pala, Zdenek, Employee

  • 8,442 Points 5k badge 2x thumb
Hi,

I would suggest to capture the radius authentication requests and compare those two = MAC(PAP) and PAP.

You can also enable debug on the NAC-GW and see what is in the log then.

if the radius request is correct in both cases => the NAC is guilty.
If the radius request is different in each case => the switch is guilty.

You can always contact GTAC for help.

Regards

Zdenek