Non-compliant VLAN ID not working with NPS

We have implemented 802.1x authentication using NPS and a Cisco 3560 switch.
Authentication works and the NPS protection features work when enabling/disabling firewall requirements; however, the client machine is not moved to VLAN 2 as per the non-compliant network policy.

I have tried understanding the NPS log files; however, I can't seem to figure out which entry specifies the VLAN ID. At this stage, I am unsure whether the issue is with the switch or the NPS environment. An extract of a non-compliant log file entry is below:

"ServerName","IAS",04/24/2009,10:21:44,2,,"Username",,,,"255.255.255.255",,,,9,"IP Address","TEST-SW",,,,,1,2,11,"NAP 802.1X (Wired) Noncompliant",0,"311 1 fe80::1477:8d67:6fd7:71fe 04/23/2009 02:24:48 753",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,33554445,33554438,,,,"0x0232",,,,,,,,"0x01424C554546495245",,,"NAP 802.1X (Wired)",1,,,,
BluefireMS Asked:
BluefireMS (Author) Commented:
version 12.2
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TEST-SW
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 informational

aaa new-model
!
!
aaa authentication login default local
aaa authentication login console local
aaa authentication dot1x default group radius
!
!
!
aaa session-id common
clock timezone Sydney 10
clock summer-time Sydney recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
system mtu routing 1500
vtp mode transparent
ip subnet-zero
no ip source-route
no ip gratuitous-arps
no ip domain-lookup
no ip dhcp use vrf connected
ip dhcp excluded-address 10.2.2.1
ip dhcp excluded-address 10.3.3.1
!
ip dhcp pool NO_AUTH
   network 10.2.2.0 255.255.255.0
   dns-server 61.88.88.88
   default-router 10.2.2.1
!
ip dhcp pool GUEST
   network 10.3.3.0 255.255.255.0
   dns-server 61.88.88.88
   default-router 10.3.3.1
!
!
!
!
crypto pki trustpoint TP-self-signed-1440832768
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1440832768
 revocation-check none
 rsakeypair TP-self-signed-1440832768
!
!
crypto pki certificate chain TP-self-signed-1440832768
 certificate self-signed 01
  quit
dot1x system-auth-control
dot1x guest-vlan supplicant
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery interval 180
!
!
!
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
 name vlan_2
!
vlan 3
 name vlan_3
!
ip tcp synwait-time 10
!
!
!
interface GigabitEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout quiet-period 5
 dot1x reauthentication
 dot1x guest-vlan 3
 dot1x auth-fail vlan 2
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/2
 switchport access vlan 2
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/3
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/4
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/5
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/6
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/7
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/8
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/9
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/10
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/11
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/12
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/13
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/14
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/15
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/16
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/17
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/18
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/19
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/20
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/21
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/22
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/23
 switchport mode access
 storm-control broadcast level 20.00
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 no cdp enable
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
 ip address 10.27.7.205 255.255.255.0
 no ip route-cache
 no ip mroute-cache
!
interface Vlan2
 ip address 10.2.2.1 255.255.255.0
!
interface Vlan3
 ip address 10.3.3.1 255.255.255.0
!
ip default-gateway 10.27.7.254
ip classless
no ip http server
ip http secure-server
!
!
no logging trap
access-list 10 permit any log
no cdp run
radius-server host 10.100.7.226 auth-port 1645 acct-port 1646 key 7 <insert key here>
donmanrobb Commented:
Can you post your switch configuration?
Question has a verified solution.