06-12-2008 12:09 PM - edited 02-21-2020 10:21 AM
Hi
I'm trying to set up my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is:
Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)
Cisco 1811 router (inter-vlan routing)
Cisco Secure ACS (90 day trial) 4.2
CTA 2.1.103
CSSC 5.1.0.39
Windows XP SP3 client machine
So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says it's waiting for an IP address; it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there are no passes or fails for this host. I know RADIUS is working from this switch as I have it set up for login authentication, which works just fine. I am completely stumped and the only thing I can think of is trying to install a full certificate server and going that way, instead of the self-signed cert which CSACS has generated and I've copied the .cer file to the client and installed it and verified it is installed with the Certificates MMC. Please, somebody provide some better reading on this matter, or some assistance. Thanks very much.
Jason
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
Client port:
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x reauthentication
!
06-18-2008 07:21 AM
Use these Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(3).
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/413/413rn.html
06-18-2008 07:24 AM
Hi
I was asking specifically about the NAC Framework 2.1, not the Appliance...but either way, I figured out the problem. I was installing the CSSC client without first running the CSSC Management utility to generate the configuration.xml file. Once I ran through, generated the .xml and also the bundled installer, copied the installer to the client, and reinstalled the CSSC from the generated file...and bingo, NAC-L2-802.1x is working!!! Thanks for all your help.
06-20-2008 12:04 PM
You can refer to the below URL for future reference:
http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html
06-20-2008 12:11 PM
The link you provided is in regards to Cisco ACS 3.x, not 4.x, which is quite different in configuration. I've resolved the issue; as stated above, it was the missing configuration.xml file that was breaking the whole solution. Thanks for your time.
Jason