
CTA Not Detected

kmelchior
Level 1

I have been banging my head with this. I am attempting to set up a NAC test environment. I have ACS 4.0 running and configured, a Trend Policy Server running and configured and a 2811 with version 12.4(3a) advanced security. I have an end-station running XP Pro SP 2, CTA 2.0 with 802.1x client.

CTA is not being detected on the end-device. I have tried CTA v1.0.55, CTA 2.0.0.30 and two different workstations. There is no firewall running on the end machine, it is simply XP Pro, SP2 and CTA, nothing else and I stopped the firewall service built into XP.

Attached is my router config in regard to NAC and also a debug output.

From the end of the debug output I get connected via my 'clientless' config. Any input would be appreciated.


lmilher_2
Level 1

My friend, I have a cup of this installation. Everything works fine with ACS 3.3 and the CTA 1.53 (this comes with TrendMicro officescan 6.5 and 7.0). You can reach me at my mail.

Now I am testing the new NAC 2 with ACS 4.0, CTA 2 and catalyst 2950 but I can solve it.

You can enable the debug from the CTA client to view any problem.

Enjoy it

Leo

Thanks for the response. I actually fixed the issue a couple of hours ago. The problem ended up being the DEFAULT_INTERFACE_ACL. I permit eapoudp from any to 172.16.0.0 and it worked. I thought the fact that I was permitting all of ip to 172.16.199.0 (segment that the ACS server resides on) would allow the eapoudp traffic. Perhaps the eapoudp traffic does not flow directly from the workstation to the ACS server, therefore limiting it to the one segment caused the issue. Now it appears as though I have a problem with the cert, the ACS server has the following error in the failed attempts - EAP-TLS OR PEAP AUTHENTICATION FAILED DURING SSL HANDSHAKE. Any thoughts on this error? I used the generate and install self-signed cert option, placed the cert in the /certs directory where the CTA install file was on the workstation. During the install the cert was imported successfully.

Kevin

Kevin, you have to permit always by default access-list traffic to the ACS and to the antivirus server, for example officescan working on port 8080 (this is if you have a problem, and the machine was blocked, this machine can access the antivirus server to solve the problem by installing or upgrading the software).

I have the same problem with CTA 2. Try deploying the CTA 1 agent from the officescan console. You have to install the certificate first (always from the officescan web console).

You can enable debug on the workstation; look at the file ctalog....

Cisco Trust Agent Version 1.0.53.0

Copyright © 2003 Cisco Systems, Inc. All Rights Reserved. Trust Agent Type(s):

Windows, WinNT Running on: 5.0.2195

1 16:21:43.809 09/21/2005 Sev=Warning/3 NetTrans/0xA3100014

EAPoUDP session 7: Invalid message ID, expecting: 0xb2dbb99d, received 0xb2dbb99b

2 16:22:22.028 09/21/2005 Sev=Info/5 PEAP/0x63400009

PEAP module initialization success!

3 16:22:22.059 09/21/2005 Sev=Info/5 PEAP/0x6340000B

PEAP processing begun

4 16:22:22.075 09/21/2005 Sev=Info/4 EAPTLV/0x63500005

Begin EAP-TLV processing

5

take care. Leo leo4888@hotmail.com

I have everything working as far as CTA 2.0 communicating with the ACS 4.0 server. I have it validating OS, Service Pack, CTA version, etc. However, I cannot get validation of Trend credentials to work. This occurs if I use an internal policy or external policy. No AV credentials are being passed to the ACS server. Anybody have any thoughts?

Perhaps the Trend policy server only recognizes CTA 1.0.53 since that's what it installs? 2.0 may be too new for it.

That's what I was thinking also, but Trend claims 7.0 works with CTA 2.0.

It's my understanding you have to have all the following posture plugins for cta to posture and remediate trend. They can be found on the trend external posture server install. Hope this helps.

- C:\Program Files\Common Files\PostureAgent\Plugins\Install\TmAbPpAct.exe
- C:\Program Files\Common Files\PostureAgent\Plugins\Install\tmdbg20.dll
- C:\Program Files\Common Files\PostureAgent\Plugins\Install\loadhttp.dll
- C:\Program Files\Common Files\PostureAgent\Plugins\TmAbPp.dll
- C:\Program Files\Common Files\PostureAgent\Plugins\tmabpp.inf
