I'm currently working on a test implementation of Cisco NAC with McAfee.
Everything works, the client is put into the right VLAN, etc.
But unfortunately, every few minutes (it happens in all the VLANs, so it's not a specific VLAN problem or so) the Trust Agent closes the connection and the user needs to re-enter his credentials (name and password).
In the ACS logs on "failed attempts", the following appears:
message-type: authen failed
auth-failure-code: could not connect to external policy server - timeout error.
reason: a token was not returned from a policy. policy = ePO (this is the external ePo server policy).
Another strange thing is that, although several users are successfully logged in, there aren't any users shown at Reports > Logged-in Users...
I'm working with an internal ACS database for the user credentials.
A bit fuzzy on the detail, but I remember NAC has an audit feature that can authenticate someone and allow connection but then work in the background. It does this by granting a short session timeout which forces a re-authentication.
If you can, increase the logging level in CSRadius so you can see the outbound attributes. If you see a timeout of around 120 seconds this could be it.
Regarding the logged-on user list... this was designed around dial: authen... acct start... acct stop. If you send RADIUS messages not in that order it stops working. Basically it tries to track the status of each device port and gets upset if it gets conflicting messages.
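As an added illustration of the two points in the reply above (not code from the original thread, and not Cisco ACS code), here is a small Python model of a logged-in-users tracker that consumes RADIUS messages per device port in the fixed order authen, acct start, acct stop, drops a port from the list when a message arrives out of order, and flags authen messages whose Session-Timeout is short enough to cause the frequent re-authentication described. The port names, message types, attribute names and timeout values in the sample events are constructed for the example.

```python
"""Toy model of an ACS-style "logged-in users" tracker.

Added example, not from the original thread or from Cisco ACS.  It shows
why the list stays empty when RADIUS messages for a port do not arrive in
the order authen -> acct start -> acct stop, and how a short Session-Timeout
on the authen step would show up if you replay outbound attributes.
"""

# Constructed sample events: (device port, message type, attributes).
# All values here are made up for illustration.
SAMPLE_EVENTS = [
    ("gi0/1", "authen", {"Session-Timeout": 120}),    # short timeout, audit-style
    ("gi0/1", "acct-start", {}),
    ("gi0/1", "acct-stop", {}),
    ("gi0/2", "acct-start", {}),                       # accounting start with no authen
    ("gi0/3", "authen", {"Session-Timeout": 3600}),
    ("gi0/3", "acct-start", {}),
    ("gi0/3", "authen", {"Session-Timeout": 3600}),   # re-auth while still logged in
    ("gi0/4", "authen", {"Session-Timeout": 3600}),
    ("gi0/4", "acct-start", {}),
]

# Message the tracker expects next for each per-port state.
EXPECTED_NEXT = {"idle": "authen", "authenticated": "acct-start", "logged-in": "acct-stop"}
# State a port moves to after accepting a given message.
STATE_AFTER = {"authen": "authenticated", "acct-start": "logged-in", "acct-stop": "idle"}


def track_sessions(events, short_timeout=300):
    """Replay events and return (logged_in_ports, conflicts, short_timeouts).

    conflicts: (port, state, message) where the message did not match the
      expected next step; the port is reset to idle and dropped from the list.
    short_timeouts: (port, seconds) for authen messages whose Session-Timeout
      is below short_timeout, i.e. values that would force frequent re-auth.
    """
    state = {}
    logged_in = set()
    conflicts = []
    short_timeouts = []
    for port, msg, attrs in events:
        if msg not in STATE_AFTER:
            raise ValueError(f"unknown message type: {msg}")
        current = state.get(port, "idle")
        if EXPECTED_NEXT[current] != msg:
            # Conflicting message: the tracker gives up on this port.
            conflicts.append((port, current, msg))
            state[port] = "idle"
            logged_in.discard(port)
            continue
        if msg == "authen":
            timeout = attrs.get("Session-Timeout")
            if timeout is not None and timeout < short_timeout:
                short_timeouts.append((port, timeout))
        state[port] = STATE_AFTER[msg]
        if state[port] == "logged-in":
            logged_in.add(port)
        else:
            logged_in.discard(port)
    return sorted(logged_in), conflicts, short_timeouts


if __name__ == "__main__":
    ports, bad, short = track_sessions(SAMPLE_EVENTS)
    print("logged-in ports:", ports)
    print("conflicting messages:", bad)
    print("short session timeouts:", short)
```

Replaying the constructed events leaves only gi0/4 in the list: gi0/1 logged out cleanly, gi0/2 sent accounting before authentication, and gi0/3 re-authenticated while still marked logged in, which is exactly the "conflicting messages" case the reply describes.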
About the time-outs, it wasn't the audit feature because I do not use an audit service (yet).
However, on the "external posture validation server" page, I've raised the time-out parameter and this seems to help a lot. Now it rarely times out.
About the logged-on user list, thank you for letting me know, I understand what you're saying but I have no idea how to change the order of those RADIUS messages. But it's not that important that they aren't shown, I was just wondering why ;-)