12-22-2005 05:37 AM - edited 03-09-2019 01:26 PM
I have been banging my head with this. I am attempting to set up a NAC test environment. I have ACS 4.0 running and configured, a Trend Policy Server running and configured and a 2811 with version 12.4(3a) advanced security. I have an end-station running XP Pro SP 2, CTA 2.0 with 802.1x client.
CTA is not being detected on the end-device. I have tried CTA v1.0.55, CTA 2.0.0.30 and two different workstations. There is no firewall running on the end machine, it is simply XP Pro, SP2 and CTA, nothing else and I stopped the firewall service built into XP.
Attached is my router config in regard to NAC and also a debug output.
From the end of the debug output I get connected via my 'clientless' config. Any input would be appreciated.
12-23-2005 07:44 AM
My friend, I have a cup of this installation. Everything works fine with ACS 3.3 and the CTA 1.53 (this comes with TrendMicro OfficeScan 6.5 and 7.0). You can reach me by mail.
Now I am testing the new NAC 2 with ACS 4.0, CTA 2 and Catalyst 2950 but I can solve it.
You can enable the debug from the CTA client to view any problem.
Enjoy it
Leo
12-23-2005 10:59 AM
Thanks for the response. I actually fixed the issue a couple of hours ago. The problem ended up being the DEFAULT_INTERFACE_ACL. I permit eapoudp from any to 172.16.0.0 and it worked. I thought the fact that I was permitting all of IP to 172.16.199.0 (segment that the ACS server resides on) would allow the eapoudp traffic. Perhaps the eapoudp traffic does not flow directly from the workstation to the ACS server, therefore limiting it to the one segment caused the issue. Now it appears as though I have a problem with the cert; the ACS server has the following error in the failed attempts - EAP-TLS OR PEAP AUTHENTICATION FAILED DURING SSL HANDSHAKE. Any thoughts on this error? I used the generate and install self-signed cert option, placed the cert in the /certs directory where the CTA install file was on the workstation. During the install the cert was imported successfully.
Kevin
12-26-2005 04:26 AM
Kevin, you always have to permit, in the default access-list, traffic to the ACS and to the antivirus server, for example OfficeScan working on port 8080 (this is so that if you have a problem and the machine was blocked, this machine can access the antivirus server to solve the problem by installing or upgrading the software).
I have the same problem with CTA 2. Try deploying the CTA 1 agent from the OfficeScan console. You have to install the certificate first (always from the OfficeScan web console).
You can enable debug on the workstation; look at the file ctalog....
Cisco Trust Agent Version 1.0.53.0
Copyright © 2003 Cisco Systems, Inc. All Rights Reserved. Trust Agent Type(s):
Windows, WinNT Running on: 5.0.2195
1 16:21:43.809 09/21/2005 Sev=Warning/3 NetTrans/0xA3100014
EAPoUDP session 7: Invalid message ID, expecting: 0xb2dbb99d, received 0xb2dbb99b
2 16:22:22.028 09/21/2005 Sev=Info/5 PEAP/0x63400009
PEAP module initialization success!
3 16:22:22.059 09/21/2005 Sev=Info/5 PEAP/0x6340000B
PEAP processing begun
4 16:22:22.075 09/21/2005 Sev=Info/4 EAPTLV/0x63500005
Begin EAP-TLV processing
5
take care. Leo leo4888@hotmail.com
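Added example (not part of Leo's post and not Cisco's tooling): a small Python parser for the ctalog entry layout shown in the excerpt above, which extracts EAPoUDP "Invalid message ID" warnings and how far the received ID is from the expected one. The field names and the MM/DD/YYYY reading of the date are assumptions inferred from the excerpt; the sample holds the four complete entries from the post.

```python
import re
from datetime import datetime

# The four complete entries quoted in the post above.
SAMPLE_LOG = """\
1 16:21:43.809 09/21/2005 Sev=Warning/3 NetTrans/0xA3100014
EAPoUDP session 7: Invalid message ID, expecting: 0xb2dbb99d, received 0xb2dbb99b
2 16:22:22.028 09/21/2005 Sev=Info/5 PEAP/0x63400009
PEAP module initialization success!
3 16:22:22.059 09/21/2005 Sev=Info/5 PEAP/0x6340000B
PEAP processing begun
4 16:22:22.075 09/21/2005 Sev=Info/4 EAPTLV/0x63500005
Begin EAP-TLV processing
"""

# Entry header: sequence, time, date, severity/level, module/event code.
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+Sev=(?P<sev>\w+)/(?P<level>\d+)\s+"
    r"(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)$")
MSG_ID = re.compile(r"EAPoUDP session (\d+): Invalid message ID, "
                    r"expecting: (0x[0-9A-Fa-f]+), received (0x[0-9A-Fa-f]+)")

def parse_entries(text):
    """Attach each message line to the header line that precedes it."""
    entries, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = m.groupdict()
            current["when"] = datetime.strptime(
                m["date"] + " " + m["time"], "%m/%d/%Y %H:%M:%S.%f")
            current["message"] = ""
            entries.append(current)
        elif current is not None and line:
            current["message"] = (current["message"] + " " + line).strip()
    return entries

def message_id_mismatches(entries):
    """Return (session, expected, received, delta) per out-of-sequence message."""
    found = []
    for entry in entries:
        m = MSG_ID.search(entry["message"])
        if m:
            expected, received = int(m[2], 16), int(m[3], 16)
            # A negative delta means the received ID is behind the expected one.
            found.append((int(m[1]), expected, received, received - expected))
    return found

if __name__ == "__main__":
    for hit in message_id_mismatches(parse_entries(SAMPLE_LOG)):
        print("session %d: expected %#x, received %#x (delta %d)" % hit)
```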
12-30-2005 08:33 AM
I have everything working as far as CTA 2.0 communicating with the ACS 4.0 server. I have it validating OS, Service Pack, CTA version, etc. However, I cannot get validation of Trend credentials to work. This occurs if I use an internal policy or external policy. No AV credentials are being passed to the ACS server. Anybody have any thoughts?
12-30-2005 04:46 PM
Perhaps the Trend policy server only recognizes CTA 1.0.53 since that's what it installs? 2.0 may be too new for it.
01-04-2006 08:02 AM
That's what I was thinking also, but Trend claims 7.0 works with CTA 2.0.
03-21-2007 12:33 PM
It's my understanding you have to have all the following posture plugins for CTA to posture and remediate Trend. They can be found on the Trend external posture server install. Hope this helps.
• C:\Program Files\Common Files\PostureAgent\Plugins\Install\TmAbPpAct.exe
• C:\Program Files\Common Files\PostureAgent\Plugins\Install\tmdbg20.dll
• C:\Program Files\Common Files\PostureAgent\Plugins\Install\loadhttp.dll
• C:\Program Files\Common Files\PostureAgent\Plugins\TmAbPp.dll
• C:\Program Files\Common Files\PostureAgent\Plugins\tmabpp.inf