NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not working???

Jun 12th, 2008
I'm trying to set up my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is:

Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)

Cisco 1811 router (inter-vlan routing)

Cisco Secure ACS (90 day trial) 4.2

CTA 2.1.103


Windows XP SP3 client machine

So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says it's waiting for an IP address; it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there are no passes or fails for this host. I know RADIUS is working from this switch as I have it set up for login authentication, which works just fine. I am completely stumped and the only thing I can think of is trying to install a full certificate server and going that way, instead of the self-signed cert which CSACS has generated; I've copied the .cer file to the client, installed it and verified it is installed with the Certificates MMC. Please, somebody provide some better reading on this matter, or some assistance. Thanks very much.


aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control

Client port:

interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x reauthentication
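An added example, not part of the original post and not Cisco tooling: a small Python check that the switch-side 802.1X commands posted above are present for a given port, run over a constructed copy of that configuration. It assumes `show running-config` style input in which interface sub-commands are indented; `parse`, `audit` and `POSTED_CONFIG` are names chosen for this example.

```python
import re

# Global commands taken from the switch configuration posted above.
REQUIRED_GLOBAL = ("aaa new-model", "aaa authentication dot1x default group radius",
                   "dot1x system-auth-control")

# Constructed sample input: the configuration lines as posted in the thread.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x reauthentication
"""

def parse(config):
    """Split IOS-style text into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise internal whitespace
        if not line or line.startswith("!"):
            continue  # skip blanks and IOS comment lines
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif current is not None and raw[:1].isspace():
            current.append(line)  # indented line: belongs to the open interface
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces

def audit(config, port):
    """Return a list of findings; an empty list means no switch-side gap was found."""
    global_cmds, interfaces = parse(config)
    findings = [f"missing global command: {c}" for c in REQUIRED_GLOBAL if c not in global_cmds]
    cmds = interfaces.get(port)
    if cmds is None:
        return findings + [f"interface {port} not found"]
    for needed in ("switchport mode access", "dot1x port-control auto"):
        if needed not in cmds:
            findings.append(f"{port}: missing {needed}")
    return findings
```

An empty result for FastEthernet0/1 moves the investigation from the switch to the supplicant and RADIUS path, which is where this thread's fix was found.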


jasonhumes Wed, 06/18/2008 - 07:24
I was asking specifically about the NAC Framework 2.1, not the Appliance...but either way, I figured out the problem. I was installing the CSSC client without first running the CSSC Management utility to generate the configuration.xml file. Once I ran through, generated the .xml and also the bundled installer, copied the installer to the client, and reinstalled the CSSC from the generated file...and bingo, NAC-L2-802.1x is working!!! Thanks for all your help.

jasonhumes Fri, 06/20/2008 - 12:11
The link you provided is in regard to Cisco ACS 3.x, not 4.x, which is quite different in configuration. I've resolved the issue; as stated above, it was the missing configuration.xml file that was breaking the whole solution. Thanks for your time.


