we are setting up test environment for 802.1x for wireless users using NAC and WiNG wireless solution before implementing to production.
we have 4 groups:
we only used 1 SSID and dynamically assigned the VLAN based on this groups.
Corporate - VLAN 5
Consultants - VLAN 10
Guest - VLAN 15
BYOD - VLAN 20
Corporate requirements are the device is domain computer and the user is domain user (LDAP)
Consultants - user is domain user (LDAP) and MAC address white listed in NAC
Guest - Local users in NAC only
BYOD - user is domain user (LDAP) and any device
Corporate,Consultants and BYOD is working very well. the rule hits, LDAP is working fine, authentication is passed and dynamically assigned to right VLAN based on groups.
but we have issue with Guest Group. in screenshot below, user hit the right rule (Guest1_Wireless)
below screenshot is the Authentication results, user also passed the authentication
but the user is still rejected due to "the authentication is rejected by radius server" (proxy). as you can see the screenshot above, the authentication is already passed with "Authentication request locally" so no need to forward the authentication request to radius server, but NAC still forward it to radius server which will naturally reject the request.
why NAC still forward the authentication request to Radius server? it's already hit the first Authentication rule which is "Authenticate request locally".