There is a problem with quarantining users in the following scenario:
We have a Windows 2003 domain controller (with the IAS service on it) and a number of users assigned to role groups (2 groups total in this case). Each group has its own VLAN configured on a Cisco Catalyst 2960 TT-L switch. There's also a separate quarantine VLAN.
We need users assigned to different VLANs according to their group membership on logon if they are compliant with the HI policy, and to the quarantine VLAN if they are not.
Dynamic VLAN assignment for users works fine after IAS is configured based on the following document:
http://www.microsoft.com/downloads/details.aspx?familyid=C9ED3609-49FC-439B-92F4-266B187CAE5A&displaylang=en
But the problem is that the LAN Enforcer doesn't switch the port to the quarantine VLAN if the user is non-HI-compliant. The authentication mode for the SNAC agent on the client PC is set to 802.1x.
Could you provide some directions for solving this task?
Here is the Catalyst config (it's IOS version 12.2(4)), where VLAN 110 is the production VLAN and VLAN 120 is the quarantine VLAN:
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout quiet-period 10
 dot1x timeout reauth-period 60
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport access vlan 110
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan110
 ip address 192.168.110.2 255.255.255.0
 ip helper-address 192.168.110.10
 no ip route-cache
!
interface Vlan120
 no ip address
 ip helper-address 192.168.110.10
 no ip route-cache
!
ip default-gateway 192.168.110.1
ip http server
ip http secure-server
radius-server host 192.168.110.3 auth-port 1812 acct-port 1813
radius-server retransmit 10
radius-server key 123
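The switch in the config above does not decide the VLAN itself: with `aaa authorization network default group radius` it places the port in whatever VLAN the RADIUS Access-Accept names, through the three tunnel attributes standardised in RFC 2868/3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN id or name). The following is an added example, not code from the post or from Symantec or Cisco, that builds and parses those attributes the way an authenticator does, so one can check what a given reply will make the port do. The VLAN numbers 110 and 120 come from the post; the byte strings are constructed sample data, and the `reply_for_user` policy function is only an illustration of the two outcomes the poster wants, not a description of how IAS or the LAN Enforcer is actually configured.

```python
"""Added example: 802.1X dynamic VLAN assignment as carried in RADIUS
tunnel attributes (framing per RFC 2868, values per RFC 3580).  Constructed
sample data; VLANs 110 (production) and 120 (quarantine) are from the post."""

TUNNEL_TYPE = 64                # RFC 2868 tagged integer
TUNNEL_MEDIUM_TYPE = 65         # RFC 2868 tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81    # RFC 2868 tagged string

TUNNEL_TYPE_VLAN = 13           # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6      # RFC 3580 section 3.31

PRODUCTION_VLAN = 110           # from the post
QUARANTINE_VLAN = 120           # from the post


def _tlv(attr_type, body):
    """RADIUS attribute: Type, Length (includes these two octets), body."""
    if len(body) > 253:
        raise ValueError("attribute body too long")
    return bytes([attr_type, len(body) + 2]) + body


def tagged_int(attr_type, value, tag=0):
    """Tagged integer: 1-octet tag (0 if unused) + 3-octet big-endian value."""
    return _tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(attr_type, text, tag=0):
    """Tagged string: 1-octet tag (0x00 if unused) followed by the text."""
    return _tlv(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_reply_attributes(vlan_id, tag=0):
    """The attribute set a RADIUS server adds to Access-Accept to assign a VLAN."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def parse_attributes(blob):
    """Walk the attribute area of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def _split_tag(attr_type, value):
    """Return (tag, payload).  Tagged integers always carry the tag octet;
    strings carry it only when the first octet is 0x00-0x1F (RFC 2868)."""
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(value) != 4:
            raise ValueError("tagged integer must be 4 octets")
        return value[0], int.from_bytes(value[1:], "big")
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def assigned_vlan(blob):
    """VLAN the authenticator applies to the port, or None when the reply
    carries no consistent VLAN triple (port keeps its static access VLAN).
    Attributes are grouped by tag so a reply with several tunnels cannot
    mix a Tunnel-Type from one group with a Group-ID from another."""
    groups = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, payload = _split_tag(attr_type, value)
            groups.setdefault(tag, {})[attr_type] = payload
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID]
    return None


def reply_for_user(group_vlan, health_compliant):
    """Illustrative policy (assumption, not the IAS/LAN Enforcer rules): a
    compliant user gets its group VLAN, a non-compliant one gets quarantine.
    The switch only moves the port when the reply names the other VLAN."""
    return vlan_reply_attributes(group_vlan if health_compliant else QUARANTINE_VLAN)


if __name__ == "__main__":
    for compliant in (True, False):
        blob = reply_for_user(PRODUCTION_VLAN, compliant)
        print(f"compliant={compliant!s:5} -> port VLAN {assigned_vlan(blob)}")
    print("no tunnel attributes ->", assigned_vlan(b""))
```

A useful check when a port stays in the wrong VLAN is to capture the Access-Accept from the RADIUS server and run its attribute area through `assigned_vlan`: if it returns the group VLAN, or None, for a non-compliant user, the RADIUS-side policy is what needs attention rather than the switch port configuration.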