
RADIUS request for username rejecting local password repository lookup


Anonymous

Hi,

Must have some configuration issue here but can’t see it.

Basically I have the Cisco ASA configured in NAC as per below. Had the Switch type set to ‘Layer 2 Out-Of-Band’ but also ‘VPN’, as per below.

The ASA is authenticating VPN access requests via the NAC


 

The image above shows the authentication rule in question with the red arrow. The location has the IP address of 10.110.3.244, which matches the source NAS from the captures below. Wasn’t too sure what to set the authentication type to, so I just left it at ‘Any’ for now.

The local database has been configured with a different name than ‘Default’, and the account ‘mflammia’ created.

As can be seen from the logging below, the RADIUS request comes in with the username and password fields but seems to be rejected because it’s missing the End-system MAC address?

Initially the request challenge was PAP, but I subsequently changed it to MSChap (see second trace), and it is still being rejected due to the same error:

RADIUS client not standards-compliant. “Missing attributes: End-system MAC address, aaa_rule_index:9”

It seems the reason is that the authentication is skipping over the rules and hitting the end.

To keep it simple I’ve also created the following rule, but it still seems to skip over it to the Unregistered rule even though the authentication type MsChap and username mflammia match the local repository?

Found this GTAC article that describes the problem, but can’t see how it helps in this situation:

https://extremeportal.force.com/ExtrArticleDetail?an=000061640

The Calling-Station ID is an IP address, and the NAS Port-Type is Virtual, as in the logs below.

Also made a change to the auth mapping to make it more simple:

ASA-ClientType=3
Cisco-AVPair=audit-session-id=0a6e03f46e9b60005e5912ec
Cisco-AVPair=ip:source-ip=xx.xx.xx.xx
Cisco-AVPair=coa-push=true
NAS-IP-Address=10.110.3.244
MS-CHAP2-Response=000078D267B029F967E3A3F3ADB76EA215F700000000000000001952B537F87FE2ECD9F6B5C45427F5CD06CE257661614A5D
NAS-Port-Type=5
Source-Address=10.110.3.244
User-Name=mflammia
MS-CHAP-Challenge=583EBF08223E65EC4E10EF8F7AB54CEA
ASA-TunnelGroupName=TunnelGroup-Xcontrol
Called-Station-Id=00-00-00-00-00-00
NAS-Port=1855676416
Tunnel-Client-Endpoint=xx.xx.xx.xx
that match ALL the attributes defined in this inclusive RADIUS User Group: Contains IssuingCA-01:
called-station-id=.*device\.wifi
2020-02-28 13:17:32,177 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleListEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Access request did NOT match the rule: "NCC Contains IssuingCA-01" trying next rule.
2020-02-28 13:17:32,177 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Rule: "Wired Username Viaem" testing: (6) criteria...
2020-02-28 13:17:32,177 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) FAILED: The Authentication Type: "MsCHAP" is not equal to or derived from the inclusive criteria: AUTH_8021X_EAP_TLS.
2020-02-28 13:17:32,177 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleListEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Access request did NOT match the rule: "Wired Username Viaem" trying next rule.
2020-02-28 13:17:32,177 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Rule: "Wired Username Inspire" testing: (6) criteria...
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) FAILED: The Authentication Type: "MsCHAP" is not equal to or derived from the inclusive criteria: AUTH_8021X_EAP_TLS.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleListEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Access request did NOT match the rule: "Wired Username Inspire" trying next rule.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Rule: "Wired Username.Nottscc" testing: (6) criteria...
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) FAILED: The Authentication Type: "MsCHAP" is not equal to or derived from the inclusive criteria: AUTH_8021X_EAP_TLS.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleListEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Access request did NOT match the rule: "Wired Username.Nottscc" trying next rule.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleListEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) The rule: "Allow All Data Assessment" is not enabled, trying next rule.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleListEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) The rule: "Allow All Data" is not enabled, trying next rule.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Rule: "Zone County Hall" testing: (6) criteria...
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) FAILED: The Authentication Type: "MsCHAP" is not equal to or derived from the inclusive criteria: AUTH_8021X.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleListEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Access request did NOT match the rule: "Zone County Hall" trying next rule.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Rule: "Zone Bridgeford" testing: (6) criteria...
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) FAILED: The Authentication Type: "MsCHAP" is not equal to or derived from the inclusive criteria: AUTH_8021X.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleListEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Access request did NOT match the rule: "Zone Bridgeford" trying next rule.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Rule: "Registration Denied Access" testing: (6) criteria...
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) PASSED: The Authentication Type: "MsCHAP" matches the inclusive any criteria evaluation.
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) FAILED: The MAC Address: "null" did not match any values defined for this inclusive criteria.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleListEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Access request did NOT match the rule: "Registration Denied Access" trying next rule.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Rule: "Web Authenticated Users" testing: (6) criteria...
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) PASSED: The Authentication Type: "MsCHAP" matches the inclusive any criteria evaluation.
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) FAILED: The MAC Address: "null" did not match any values defined for this inclusive criteria.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleListEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Access request did NOT match the rule: "Web Authenticated Users" trying next rule.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Rule: "Registration Pending Access" testing: (6) criteria...
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) PASSED: The Authentication Type: "MsCHAP" matches the inclusive any criteria evaluation.
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) FAILED: The MAC Address: "null" did not match any values defined for this inclusive criteria.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleListEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Access request did NOT match the rule: "Registration Pending Access" trying next rule.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Rule: "Unregistered" testing: (6) criteria...
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) PASSED: The Authentication Type: "MsCHAP" matches the inclusive any criteria evaluation.
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) PASSED: The Device Type with unknown MAC Address, IP Address, and Host Name matches the inclusive any criteria evaluation.
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) PASSED: The User Name: "mflammia" matches the inclusive any criteria evaluation.
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) PASSED: The Device Type with Switch IP: "10.110.3.244", Port Name: "", and SSID: "" matches the inclusive any criteria evaluation.
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) PASSED: The Time: "Friday, February 28, 2020 1:17:32 PM GMT" matches the inclusive any criteria evaluation.
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.engine.context.NacEndSystemAccessRequest] (EacAAARequestHandler (Client: 127.0.0.1:33297):) PASSED: The unknown Operating System Name matches the inclusive any criteria evaluation.
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleListEvaluation] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Access request MATCHED the rule: "Unregistered", using profile: "Unregistered NAC Profile".
2020-02-28 13:17:32,178 INFO [com.enterasys.tesNb.server.engine.rule.NacRuleEngine] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Returning: Profile: Unregistered NAC Profile, Reject Authentication Reqeusts: false, Assessment Config: NULL, Portal: null, Session Timeout: N/A, Reason: Rule: "Unregistered", Zone:
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.rmi.AuthenticationManager] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Got ES authorization result: Rule: "Unregistered" with profile: Unregistered NAC Profile
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.rmi.AuthenticationManager] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Switch: 10.110.3.244 does not require the port (ReqStdAttrs: false, ForIpRes: false, ForReauth: false, DoesPostAuthDisc: false)
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.aaaapi.NacAAAServerRequestProcessor] (EacAAARequestHandler (Client: 127.0.0.1:33297):) processRequest: rejecting request because: RADIUS client not standards-compliant. Missing attributes: End-System MAC Address
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.rmi.AuthenticationManager] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Matched AAA rule index: 9
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.rmi.AuthenticationManager] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Matched AAA rule index: 9
2020-02-28 13:17:32,178 DEBUG [com.enterasys.tesNb.server.aaaapi.NacAAAServerRequestProcessor] (EacAAARequestHandler (Client: 127.0.0.1:33297):) processAuthenticationRequest: AAA rule index: 9, fall-through: false
2020-02-28 13:17:32,179 DEBUG [com.enterasys.tesNb.server.rmi.AuthenticationManager] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Resolving IP for EndSystem with MAC: because exState: NO_ERROR, performIpResForAssessOnly: false, profile: Unregistered NAC Profile
2020-02-28 13:17:32,179 INFO [com.enterasys.tesNb.server.aaaapi.NacAAAServerRequestProcessor] (EacAAARequestHandler (Client: 127.0.0.1:33297):) Finished processing inner tunnel authentication request
2020-02-28 13:17:32,179 INFO [com.enterasys.tesNb.server.aaaapi.NacAAAServerRequestProcessor] (EacAAARequestHandler (Client: 127.0.0.1:33297):) NAC AAA Response [ID:221, Command: Reject User(0x23), Version: NAC Version 6.2.0(10), Reject Reason: RADIUS client not standards-compliant. Missing attributes: End-System MAC Address
, AAA rule index: 9, Fallthrough on auth failure: false
]
2020-02-28 13:17:32,179 DEBUG [com.enterasys.tesNb.server.aaaapi.NacAAAServerRequestProcessor] (EacAAARequestHandler (Client: 127.0.0.1:33297):) getNacResponse for MAC: 00-00-00-00-00-00 => NAC AAA Response [ID:221, Command: Reject User(0x23), Version: NAC Version 6.2.0(10), Reject Reason: RADIUS client not standards-compliant. Missing attributes: End-System MAC Address
, AAA rule index: 9, Fallthrough on auth failure: false
]

 

Logs below show the authentication using PAP, then changed to use MSCHAP:

 

2020-02-28 10:01:57,507: Info: (66) [etsnac nac_request_mgr] Make NAC authorize request - created request with request_info->auth_type PAP, request_info->user_name mflammia
2020-02-28 10:01:57,507: Debug: (66) [etsnac nac_request_mgr] Unable to find existing request manager instance.
2020-02-28 10:01:57,507: Info: (66) [etsnac nac_request_mgr] Make NAC authorize request - created request (auth_req->command 2)
2020-02-28 10:01:57,507: Info: (66) [etsnac connection_mgr] NAC AAA Request [ID: 66, Source IP: 10.110.3.244, Command: Authenticate & Authorize Request(0x02), prev_aaa_rule_index: -1, fall_through: 0]
(66) --- Request VPs ---
(66) User-Name = "mflammia"
(66) User-Password = *************
(66) NAS-Port = 1852203008
(66) Called-Station-Id = "xx.xx.xx.xx"
(66) Calling-Station-Id = "xx.xx.xx.xx"
(66) NAS-Port-Type = Virtual
(66) Tunnel-Client-Endpoint:0 = "xx.xx.xx.xx"
(66) NAS-IP-Address = 10.110.3.244
(66) Cisco-AVPair = "audit-session-id=0a6e03f46e6660005e58e515"
(66) Cisco-AVPair = "ip:source-ip=xx.xx.xx.xx"
(66) ASA-TunnelGroupName = "TunnelGroup-Xcontrol"
(66) ASA-ClientType = Clientless-SSL-VPN
(66) Cisco-AVPair = "coa-push=true"
2020-02-28 10:01:57,507: Debug: (66) [etsnac connection_mgr] Using authentication server connection ID: 31.
2020-02-28 10:01:57,507: Debug: (66) [etsnac connection_mgr] prev_aaa_rule_index: -1, fall_through: 0
2020-02-28 10:01:57,513: Info: (66) [etsnac connection_mgr] NAC AAA Response [ID: 66, Command: Reject User(0x23), Reason: RADIUS client not standards-compliant. Missing attributes: End-System MAC Address, aaa_rule_index: -1, fall_through: 0]
2020-02-28 10:01:57,513: Debug: (66) [etsnac connection_mgr] Releasing authentication server connection ID: 31.
2020-02-28 10:01:57,513: Debug: (66) [etsnac] The AAA server says to reject.

 

2020-02-28 13:07:52,245: Debug: (214) [etsnac nac_request_mgr] Found MS-CHAP-Challenge attribute: 11, setting auth type to: MsCHAP
2020-02-28 13:07:52,245: Debug: (214) [etsnac nac_request_mgr] Found switch ip from: NAS-IP-Address: 10.110.3.244
2020-02-28 13:07:52,245: Debug: [etsnac nac_request_mgr] generate hash, mac_address[4623311295]
2020-02-28 13:07:52,245: Debug: [etsnac nac_request_mgr] update hash, auth_type[MsCHAP]
2020-02-28 13:07:52,245: Debug: [etsnac nac_request_mgr] update hash, switch_ip[10.110.3.244]
2020-02-28 13:07:52,245: Debug: [etsnac nac_request_mgr] generate_nac_request_hash():hash=9E1179A5
2020-02-28 13:07:52,245: Info: (214) [etsnac nac_request_mgr] Make NAC authorize request - created request with request_info->auth_type MsCHAP, request_info->user_name mflammia
2020-02-28 13:07:52,245: Debug: (214) [etsnac nac_request_mgr] Unable to find existing request manager instance.
2020-02-28 13:07:52,245: Info: (214) [etsnac nac_request_mgr] Make NAC authorize request - created request (auth_req->command 2)
2020-02-28 13:07:52,245: Info: (214) [etsnac connection_mgr] NAC AAA Request [ID: 214, Source IP: 10.110.3.244, Command: Authenticate & Authorize Request(0x02), prev_aaa_rule_index: -1, fall_through: 0]
(214) --- Request VPs ---
(214) User-Name = "mflammia"
(214) NAS-Port = 1855512576
(214) Called-Station-Id = "xx.xx.xx.xx"
(214) Calling-Station-Id = "xx.xx.xx.xx"
(214) NAS-Port-Type = Virtual
(214) Tunnel-Client-Endpoint:0 = "xx.xx.xx.xx"
(214) MS-CHAP-Challenge = 0x997d4cffd668b9006b7d7a17bbfafff0
(214) MS-CHAP2-Response = 0x0000b3eac68d681ed68e89b9b3b8880d73a70000000000000000cc47796b7673bf410336f69697cf07b39a3e8b97ed66e0a7
(214) NAS-IP-Address = 10.110.3.244
(214) Cisco-AVPair = "audit-session-id=0a6e03f46e98e0005e5910a8"
(214) Cisco-AVPair = "ip:source-ip=xx.xx.xx.xx"
(214) ASA-TunnelGroupName = "TunnelGroup-Xcontrol"
(214) ASA-ClientType = Clientless-SSL-VPN
(214) Cisco-AVPair = "coa-push=true"
2020-02-28 13:07:52,246: Debug: (214) [etsnac connection_mgr] Using authentication server connection ID: 31.
2020-02-28 13:07:52,246: Debug: (214) [etsnac connection_mgr] prev_aaa_rule_index: -1, fall_through: 0
2020-02-28 13:07:52,249: Info: (214) [etsnac connection_mgr] NAC AAA Response [ID: 214, Command: Reject User(0x23), Reason: RADIUS client not standards-compliant. Missing attributes: End-System MAC Address, aaa_rule_index: 9, fall_through: 0]
2020-02-28 13:07:52,249: Debug: (214) [etsnac connection_mgr] Releasing authentication server connection ID: 31.
2020-02-28 13:07:52,249: Debug: (214) [etsnac] The AAA server says to reject.

Many thanks in advance
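The reject in the logs above comes from the NAC engine trying to derive an end-system MAC address from the request and finding none: the ASA, being a VPN NAS, sends the client IP in Calling-Station-Id (NAS-Port-Type Virtual), so the rule engine sees MAC "null", fails every rule that carries a MAC/end-system-group criterion, and the request processor then rejects for "Missing attributes: End-System MAC Address" even though the "Unregistered" rule matched. The following Python script is an added illustration for this thread, not code from the original post or from Extreme's NAC: it parses the etsnac "Request VPs" dumps quoted above, derives the authentication type from the credential attribute present (the way the etsnac log does), checks whether Calling-Station-Id actually holds a MAC, and runs a simplified first-match rule evaluation. The sample inputs are trimmed copies of the posted dumps plus a constructed wired 802.1X request for contrast; the rule list, MAC-group contents and the "derived from" type hierarchy are assumptions made for the example, not the poster's configuration.

```python
import re

# Constructed sample inputs for this illustration: trimmed copies of the two "Request
# VPs" dumps quoted in the post (PAP, then MS-CHAP) and a made-up wired 802.1X request
# for contrast. The xx.xx.xx.xx values are the post's own redactions.
PAP_REQUEST = """\
(66) User-Name = "mflammia"
(66) User-Password = *************
(66) Calling-Station-Id = "xx.xx.xx.xx"
(66) NAS-Port-Type = Virtual
(66) NAS-IP-Address = 10.110.3.244
"""
MSCHAP_REQUEST = """\
(214) User-Name = "mflammia"
(214) Calling-Station-Id = "xx.xx.xx.xx"
(214) NAS-Port-Type = Virtual
(214) MS-CHAP-Challenge = 0x997d4cffd668b9006b7d7a17bbfafff0
(214) NAS-IP-Address = 10.110.3.244
"""
WIRED_REQUEST = """\
(7) User-Name = "mflammia"
(7) Calling-Station-Id = "00-11-22-AA-BB-CC"
(7) NAS-Port-Type = Ethernet
(7) EAP-Message = 0x0201000a01746573
(7) NAS-IP-Address = 10.110.3.1
"""

VP_LINE = re.compile(r'^\(\d+\)\s+([A-Za-z0-9-]+)(?::\d+)?\s+=\s+(.+)$')
MAC_FORMS = (re.compile(r'^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$'),  # 00-11-22-aa-bb-cc
             re.compile(r'^([0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$'))    # 0011.22aa.bbcc

# Hypothetical rule list, loosely modelled on the rule names and criteria visible in the
# posted log (not an export of the poster's configuration). "auth" is an authentication
# type criterion (None = Any); "mac_group" an end-system group the MAC must be in.
MAC_GROUPS = {"denied": {"00-11-22-33-44-55"}}
RULES = [
    {"name": "Wired Username Viaem", "auth": "AUTH_8021X_EAP_TLS", "mac_group": None},
    {"name": "Zone County Hall", "auth": "AUTH_8021X", "mac_group": None},
    {"name": "Registration Denied Access", "auth": None, "mac_group": "denied"},
    {"name": "Unregistered", "auth": None, "mac_group": None},
]
REJECT = "RADIUS client not standards-compliant. Missing attributes: End-System MAC Address"


def parse_vps(text):
    """etsnac 'Request VPs' dump -> {attribute: [values]}, repeats kept in order."""
    attrs = {}
    for line in text.splitlines():
        m = VP_LINE.match(line.strip())
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2).strip().strip('"'))
    return attrs


def mac_from_calling_station(value):
    """MAC as XX-XX-XX-XX-XX-XX if Calling-Station-Id carries one, else None. A VPN
    NAS such as the ASA sends the client IP here, hence MAC "null" in the post's log."""
    if value is None or not any(f.match(value) for f in MAC_FORMS):
        return None
    digits = re.sub(r'[^0-9A-Fa-f]', '', value).upper()
    return '-'.join(digits[i:i + 2] for i in range(0, 12, 2))


def auth_type(attrs):
    """Auth type the way the etsnac log derives it: from the credential attribute present."""
    if "EAP-Message" in attrs:
        return "AUTH_8021X"
    if "MS-CHAP-Challenge" in attrs:
        return "MsCHAP"
    return "PAP" if "User-Password" in attrs else "Unknown"


def derived_from(actual, criterion):
    # Assumed hierarchy mirroring the log's "not equal to or derived from" wording.
    return actual == criterion or actual.startswith(criterion + "_")


def evaluate_rules(attrs, rules=RULES):
    """First-match evaluation; returns (matched rule name or None, trace lines)."""
    atype = auth_type(attrs)
    mac = mac_from_calling_station(attrs.get("Calling-Station-Id", [None])[0])
    trace = []
    for r in rules:
        if r["auth"] is not None and not derived_from(atype, r["auth"]):
            trace.append(f'{r["name"]}: FAILED auth type {atype} vs {r["auth"]}')
        elif r["mac_group"] is not None and mac not in MAC_GROUPS[r["mac_group"]]:
            trace.append(f'{r["name"]}: FAILED MAC {mac} not in group {r["mac_group"]}')
        else:
            trace.append(f'{r["name"]}: MATCHED')
            return r["name"], trace
    return None, trace


def diagnose(text):
    """One request -> auth type, port type, derivable MAC, matched rule, and the reject
    reason the NAC 6.2 engine in the post returns when no MAC can be derived."""
    attrs = parse_vps(text)
    mac = mac_from_calling_station(attrs.get("Calling-Station-Id", [None])[0])
    rule, trace = evaluate_rules(attrs)
    return {"auth_type": auth_type(attrs), "nas_port_type": attrs.get("NAS-Port-Type", [None])[0],
            "mac": mac, "rule": rule, "trace": trace, "reject_reason": None if mac else REJECT}


if __name__ == "__main__":
    for label, req in (("PAP", PAP_REQUEST), ("MS-CHAP", MSCHAP_REQUEST), ("wired", WIRED_REQUEST)):
        d = diagnose(req)
        print(label, d["auth_type"], d["nas_port_type"], d["mac"], d["rule"], d["reject_reason"])
```

Run stand-alone, the two ASA requests reproduce the shape of the posted trace: every 802.1X-only rule fails on authentication type, every rule with an end-system-group criterion fails on MAC "None", "Unregistered" matches on its all-Any criteria, and the request is still flagged with the missing-MAC reject reason. The constructed wired request, whose Calling-Station-Id is a real MAC, matches the 802.1X rule and carries no reject reason. The useful check when triaging this kind of reject is therefore not the rule list but whether the NAS sends a MAC in Calling-Station-Id at all; the script's `mac_from_calling_station` is that check, and it is exactly what an IP-valued Calling-Station-Id fails.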

1 ACCEPTED SOLUTION

Anonymous

Raised a GTAC case in the end.

Upgrade to version 8.4 fixed the issue.


2 REPLIES

Anonymous

Finally managed to get it to hit the right rule. Noticed my error in that I had to set the authentication method from MAC (MsChap) to just MsChap.

Issue is I’m still getting the same error?

Not allowing username to be a MAC because the MAC address string: "80.4.205.105" does not match the username: "mflammia"
Switch: 10.110.3.244 does not require the port (ReqStdAttrs: true, ForIpRes: false, ForReauth: false, DoesPostAuthDisc: false)
processRequest: rejecting request because: RADIUS client not standards-compliant. Missing attributes: End-System MAC Address
Command: Reject User(0x23), Version: NAC Version 6.2.0(10), Reject Reason: RADIUS client not standards-compliant. Missing attributes: End-System MAC Address
getNacResponse for MAC: 00-00-00-00-00-00 => NAC AAA Response [ID:531, Command: Reject User(0x23), Version: NAC Version 6.2.0(10), Reject Reason: RADIUS client not standards-compliant. Missing attributes: End-System MAC Address
This is not an administrative request due to MAC: null, username: mflammia, MS-CHAP-Challenge Present, Tunnel-Client-Endpoint Present, NAS-Port-Type: 5

 

The ASA is passing username and password, which should be authenticating using the local password repository on NAC. The NAS Port-type is set to virtual, so why is it enforcing a MAC address?
