CTA Not Detected

Unanswered Question
Dec 22nd, 2005
I have been banging my head with this. I am attempting to set up a NAC test environment. I have ACS 4.0 running and configured, a Trend Policy Server running and configured and a 2811 with version 12.4(3a) advanced security. I have an end-station running XP Pro SP2, CTA 2.0 with 802.1x client.


CTA is not being detected on the end-device. I have tried CTA v1.0.55, CTA 2.0.0.30 and two different workstations. There is no firewall running on the end machine, it is simply XP Pro, SP2 and CTA, nothing else and I stopped the firewall service built into XP.


Attached is my router config in regard to NAC and also a debug output.


From the end of the debug output I get connected via my 'clientless' config. Any input would be appreciated.



lmilher_2 Fri, 12/23/2005 - 07:44
My friend, I have a couple of these installations. Everything works fine with ACS 3.3 and the CTA 1.53 (this comes with TrendMicro OfficeScan 6.5 and 7.0). You can reach me by my mail.

Now I am testing the new NAC 2 with ACS 4.0, CTA 2 and Catalyst 2950, but I can solve it.

You can enable the debug from the CTA client to view any problem.

Enjoy it

Leo

kmelchior Fri, 12/23/2005 - 10:59
Thanks for the response. I actually fixed the issue a couple of hours ago. The problem ended up being the DEFAULT_INTERFACE_ACL. I permit eapoudp from any to 172.16.0.0 and it worked. I thought the fact that I was permitting all of ip to 172.16.199.0 (segment that the ACS server resides on) would allow the eapoudp traffic. Perhaps the eapoudp traffic does not flow directly from the workstation to the ACS server, therefore limiting it to the one segment caused the issue. Now it appears as though I have a problem with the cert; the ACS server has the following error in the failed attempts - EAP-TLS OR PEAP AUTHENTICATION FAILED DURING SSL HANDSHAKE. Any thoughts on this error? I used the generate and install self-signed cert option, placed the cert in the /certs directory where the CTA install file was on the workstation. During the install the cert was imported successfully.


Kevin

lmilher_2 Mon, 12/26/2005 - 04:26
Kevin, you always have to permit, by default in the access-list, traffic to the ACS and to the antivirus server, for example OfficeScan working on port 8080 (this is so that if you have a problem and the machine is blocked, the machine can access the antivirus server to solve the problem by installing or upgrading the software).

I have the same problem with CTA 2. Try deploying the CTA 1 agent from the OfficeScan console. You have to install the certificate first (always from the OfficeScan web console).

You can enable debug on the workstation and look at the file ctalog....


Cisco Trust Agent Version 1.0.53.0
Copyright © 2003 Cisco Systems, Inc. All Rights Reserved. Trust Agent Type(s):
Windows, WinNT Running on: 5.0.2195

1 16:21:43.809 09/21/2005 Sev=Warning/3 NetTrans/0xA3100014
EAPoUDP session 7: Invalid message ID, expecting: 0xb2dbb99d, received 0xb2dbb99b

2 16:22:22.028 09/21/2005 Sev=Info/5 PEAP/0x63400009
PEAP module initialization success!

3 16:22:22.059 09/21/2005 Sev=Info/5 PEAP/0x6340000B
PEAP processing begun

4 16:22:22.075 09/21/2005 Sev=Info/4 EAPTLV/0x63500005
Begin EAP-TLV processing

5

Take care. Leo [email protected]
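A small parser for the ctalog layout quoted above, added here as an example that is not part of Leo's post or of Cisco's tooling. It assumes the two-line record format shown (header line, then the message line) and uses a constructed sample log; it pulls out the EAPoUDP "Invalid message ID" warnings so a client-side log can be checked for a broken EAPoUDP exchange before certificates or posture plugins are suspected.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ctalog layout quoted above (not a real capture).
SAMPLE_LOG = """Cisco Trust Agent Version 1.0.53.0

1 16:21:43.809 09/21/2005 Sev=Warning/3 NetTrans/0xA3100014
EAPoUDP session 7: Invalid message ID, expecting: 0xb2dbb99d, received 0xb2dbb99b

2 16:22:22.028 09/21/2005 Sev=Info/5 PEAP/0x63400009
PEAP module initialization success!
"""

# Header line: sequence, time, date, Sev=Name/N, Module/0xCODE; the message is the next line.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+\d\d:\d\d:\d\d\.\d+\s+\d\d/\d\d/\d{4}\s+"
    r"Sev=(?P<sev>\w+)/\d+\s+(?P<module>\w+)/0x(?P<code>[0-9A-Fa-f]+)$"
)
MSGID_RE = re.compile(
    r"session (\d+): Invalid message ID, expecting: (0x[0-9a-fA-F]+), received (0x[0-9a-fA-F]+)"
)


@dataclass
class CtaRecord:
    seq: int
    severity: str
    module: str
    code: int
    message: str


def parse_ctalog(text: str) -> list[CtaRecord]:
    """Pair each header line with the message line that follows it; banner lines are skipped."""
    records: list[CtaRecord] = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        msg = lines[i + 1].strip() if i + 1 < len(lines) else ""
        records.append(CtaRecord(int(m["seq"]), m["sev"], m["module"], int(m["code"], 16), msg))
    return records


def eapoudp_msgid_mismatches(records: list[CtaRecord]) -> list[tuple[int, int, int]]:
    """(session, expected_id, received_id) for every NetTrans 'Invalid message ID' warning."""
    hits = []
    for r in records:
        if r.module == "NetTrans":
            m = MSGID_RE.search(r.message)
            if m:
                hits.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
    return hits
```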

kmelchior Fri, 12/30/2005 - 08:33
I have everything working as far as CTA 2.0 communicating with the ACS 4.0 server. I have it validating OS, Service Pack, CTA version, etc. However, I cannot get validation of Trend credentials to work. This occurs if I use an internal policy or external policy. No AV credentials are being passed to the ACS server. Anybody have any thoughts?

tsteger1 Fri, 12/30/2005 - 16:46
Perhaps the Trend policy server only recognizes CTA 1.0.53 since that's what it installs? 2.0 may be too new for it.

kmelchior Wed, 01/04/2006 - 08:02
That's what I was thinking also, but Trend claims 7.0 works with CTA 2.0.

mitcheaves Wed, 03/21/2007 - 12:33
It's my understanding you have to have all the following posture plugins for CTA to posture and remediate Trend. They can be found on the Trend external posture server install. Hope this helps.


  • C:\Program Files\Common Files\PostureAgent\Plugins\Install\TmAbPpAct.exe
  • C:\Program Files\Common Files\PostureAgent\Plugins\Install\tmdbg20.dll
  • C:\Program Files\Common Files\PostureAgent\Plugins\Install\loadhttp.dll
  • C:\Program Files\Common Files\PostureAgent\Plugins\TmAbPp.dll
  • C:\Program Files\Common Files\PostureAgent\Plugins\tmabpp.inf

