05-25-2011 02:47 AM - edited 02-21-2020 04:21 AM
Hello,
I have a Layer 3 Out-of-Band Real-IP Gateway deployment using VLAN ACLs.
How come some endpoints won't pop up? I have made sure the Discovery Host points to the untrusted interface.
It looks like the static routes I added don't do anything.
Please advise.
05-25-2011 07:19 AM
To what IP is your CAS X.509 certificate generated?
05-25-2011 09:51 AM
Hello Edward,
Thanks for the reply. I created the cert to the service IP of the untrusted interface.
05-25-2011 10:14 AM
Do you see a certificate prompt after you get an IP on your client?
Could you attach the agent logs here so that I can see if I can figure out anything?
I hope you only have static routes on your CAS and no managed subnets.
Have you enabled L3 support on your CAS?
05-25-2011 10:28 AM
Hello Edward,
Yes, I see the cert prompt (since it is still a self-signed cert).
Yes, I only have static routes and don't use managed subnets.
L3 support is already enabled.
I will have to get back to you on the client log.
Can you think of anything else that would prevent the login offer?
05-25-2011 10:40 AM
As soon as you get the certificate prompt on the client, do you install it? You should, especially as it is a self-signed one.
The agent logs will show whether the SWISS communication is occurring.
Have you tried logging in using web login? Does it work? Do you get a redirection to a login page when you try to go to www from the client?
05-25-2011 10:45 AM
Hello James,
Yes, I install the cert.
Web login and web agent work without any issue.
The Windows agent is the one that won't pop up to offer login.
Any other ideas?
05-25-2011 02:02 PM
So this means your traffic flow is good and the client can reach the CAS.
The issue is with the agent.
What is the OS you are running, the CAM version and the agent version?
05-26-2011 09:54 AM
05-26-2011 12:02 PM
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/473rn.html#wp606982
Could you check this link out? I am not sure whether it concerns you or not.
I am looking into your logs and I see the client does not recognize the certificate authority that certified your CAS:
HttpSendRequestA returns error (12045): The function is unfamiliar with the Certificate Authority that generated the server's certificate
Try one thing: manually take the self-signed CAS certificate and install it on the Windows 7 PC.
See if it helps.
05-26-2011 12:44 PM
Could you clarify a few things? What do these point to?
1. tennas04.medcoenergi.com - is this your CAS DNS name?
2. 172.17.77.16 - I believe this is your client's IP
3. 172.17.77.1 - I believe this is your client's default gateway
Note:
The ACL for the AUTH VLAN should allow TCP/UDP 8905 to the CAS untrusted interface, while the ACL for the ACCESS VLAN should block TCP/UDP 8905 to the CAS untrusted interface, for 4.7.0 and later L3 OOB deployments using ACLs.
05-26-2011 08:58 PM
Hello Edward,
1. Yes, tennas04.medcoenergi.com is the CAS DNS name.
2. Yes, 172.17.77.16 is the client's IP on the unauthenticated network.
3. Yes, 172.17.77.1 is the client's default gateway.
I have unchecked the "Check for server certificate revocation" option in Internet Explorer, but the issue is still there. The agent won't pop up.
Please advise.
05-27-2011 02:14 AM
05-27-2011 07:43 AM
Hi,
We have access to the log decoder which decodes the logs.
Let me have a look at these logs and see if I find anything different.
Regards
eddy
05-27-2011 08:49 AM
Hi,
This is a completely different PC, I suppose.
As now I see this:
[sev=info][func=GetOSType]: OS version = WINDOWS_7_ENTERPRISE
[sev=debug][func=IsOs_Wow64]: Wow64 directory does not exist
What language OS are you using here?
The NAC is recognizing the OS, but I see it failing to recognize it as 64-bit.
Is this a 32-bit OS that you are using?
On another note, this is what I see:
Probe Discovery URL of tennas04.medcoenergi.com with HTTPS
CrackUrl: host = tennas04.medcoenergi.com path = /auth/discovery user = port = 8905 scheme = 4 flags = 8388608
The HTTP response header for the message is: HTTP/1.1 200
Discovery URL returns CAS address tennas04.medcoenergi.com
Probe CAS tennas04.medcoenergi.com with HTTPS
CrackUrl: host = tennas04.medcoenergi.com path = /auth/swiss user = port = 8905 scheme = 4 flags = 8388608
The HTTP response header for the message is: HTTP/1.1 200
Successfully set up SwissCrypto for Triple DES with key index 1024772050
SWISS exchange changed from HTTPS to UDP, server tennas04.medcoenergi.com, SYNC flag is not set
SwissRunner sent a Swiss request to address tennas04.medcoenergi.com, port 8906, OP type 9, event ID 2, IP/Mac list '0.0.0.0|00:1f:3c:89:84:4c 172.24.36.205|00:1e:ec:49:c8:f7
Resend SWISS UDP request, resend count 1
SwissRunner sent a Swiss request to address tennas04.medcoenergi.com, port 8906, OP type 9, event ID 2, IP/Mac list '0.0.0.0|00:1f:3c:89:84:4c 172.24.36.205|00:1e:ec:49:c8:f7
Resend SWISS UDP request, resend count 2
SwissRunner sent a Swiss request to address tennas04.medcoenergi.com, port 8906, OP type 9, event ID 2, IP/Mac list '0.0.0.0|00:1f:3c:89:84:4c 172.24.36.205|00:1e:ec:49:c8:f7
Resend SWISS UDP request, resend count 3
All 3 resends of SWISS request with op_type 9 have failed, give up
This 8906 is failing, due to which you don't see a pop-up.
Check if there is a firewall in between; if you are using ACLs anywhere, check if UDP 8906 is allowed.
There seems to be some routing issue here.
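The diagnosis in the last reply (HTTPS discovery and SWISS probes on 8905 answer 200, then the SWISS UDP requests on 8906 go unanswered three times) and the earlier cert-trust failure (WinINet error 12045) are two distinct stages of the same agent exchange, and they call for different fixes: one is a client trust-store problem, the other an ACL/firewall/routing problem toward the CAS untrusted interface (compare the port note earlier in the thread). The script below, added here as an example and not Cisco's code nor anything posted by the participants, walks an agent log excerpt in the line formats quoted above and reports which stage broke. The two sample excerpts are constructed from the lines quoted in this thread; the regexes assume the log line formats shown here and nothing more.

```python
"""Triage a Cisco NAC Agent log excerpt: did the HTTPS discovery/SWISS probes
succeed, and did the SWISS UDP exchange that follows them get an answer?

Added example for this thread, not Cisco's code. Line formats are assumed from
the excerpts quoted in the thread; the samples below are constructed."""
import re

# Constructed from the log lines quoted in the thread (abridged).
SAMPLE_UDP_BLOCKED = """\
Probe Discovery URL of tennas04.medcoenergi.com with HTTPS
CrackUrl: host = tennas04.medcoenergi.com path = /auth/discovery user = port = 8905 scheme = 4 flags = 8388608
The HTTP response header for the message is: HTTP/1.1 200
Discovery URL returns CAS address tennas04.medcoenergi.com
Probe CAS tennas04.medcoenergi.com with HTTPS
CrackUrl: host = tennas04.medcoenergi.com path = /auth/swiss user = port = 8905 scheme = 4 flags = 8388608
The HTTP response header for the message is: HTTP/1.1 200
SWISS exchange changed from HTTPS to UDP, server tennas04.medcoenergi.com, SYNC flag is not set
SwissRunner sent a Swiss request to address tennas04.medcoenergi.com, port 8906, OP type 9, event ID 2
Resend SWISS UDP request, resend count 1
SwissRunner sent a Swiss request to address tennas04.medcoenergi.com, port 8906, OP type 9, event ID 2
Resend SWISS UDP request, resend count 2
SwissRunner sent a Swiss request to address tennas04.medcoenergi.com, port 8906, OP type 9, event ID 2
Resend SWISS UDP request, resend count 3
All 3 resends of SWISS request with op_type 9 have failed, give up
"""

# Constructed: the certificate-trust failure from the earlier log in the thread.
SAMPLE_CERT_ERROR = """\
Probe Discovery URL of tennas04.medcoenergi.com with HTTPS
CrackUrl: host = tennas04.medcoenergi.com path = /auth/discovery user = port = 8905 scheme = 4 flags = 8388608
HttpSendRequestA returns error (12045): The function is unfamiliar with the Certificate Authority that generated the server's certificate
"""

RE_CRACKURL = re.compile(r"^CrackUrl: host = (\S+) path = (\S+) .*?port = (\d+)")
RE_HTTP_OK = re.compile(r"^The HTTP response header for the message is: HTTP/1\.\d 200")
RE_WININET_ERR = re.compile(r"^HttpSendRequestA returns error \((\d+)\)")
RE_UDP_SENT = re.compile(r"^SwissRunner sent a Swiss request to address (\S+), port (\d+)")
RE_UDP_GIVEUP = re.compile(r"^All (\d+) resends of SWISS request .* have failed, give up")

WININET_CERT_CA_INVALID = 12045  # ERROR_INTERNET_INVALID_CA


def triage(log_text):
    """Return the state of each HTTPS probe and of the SWISS UDP exchange."""
    state = {"https_probes": {}, "wininet_error": None, "udp": None}
    current = None  # path of the HTTPS probe currently in flight
    for line in log_text.splitlines():
        line = line.strip()
        m = RE_CRACKURL.match(line)
        if m:
            current = m.group(2)
            state["https_probes"][current] = {
                "host": m.group(1), "port": int(m.group(3)), "ok": False}
            continue
        if current and RE_HTTP_OK.match(line):
            state["https_probes"][current]["ok"] = True
            continue
        m = RE_WININET_ERR.match(line)
        if m:
            state["wininet_error"] = int(m.group(1))
            continue
        m = RE_UDP_SENT.match(line)
        if m:
            udp = state["udp"] or {"server": m.group(1), "port": int(m.group(2)),
                                   "sent": 0, "failed": False}
            udp["sent"] += 1
            state["udp"] = udp
            continue
        if state["udp"] and RE_UDP_GIVEUP.match(line):
            state["udp"]["failed"] = True
    return state


def verdict(state):
    """Map the parsed state to (code, what to check next)."""
    if state["wininet_error"] == WININET_CERT_CA_INVALID:
        return ("CERT_UNTRUSTED",
                "client does not trust the CA of the CAS certificate (error 12045); "
                "import the CAS certificate into the client's trusted root store")
    if state["wininet_error"] is not None:
        return ("HTTPS_ERROR", "WinINet error %d during an HTTPS probe" % state["wininet_error"])
    for path, p in state["https_probes"].items():
        if not p["ok"]:
            return ("HTTPS_FAILED", "no HTTP 200 for %s on %s:%d; check TCP %d to the "
                    "CAS untrusted interface" % (path, p["host"], p["port"], p["port"]))
    udp = state["udp"]
    if udp and udp["failed"]:
        return ("UDP_BLOCKED", "HTTPS to the CAS worked but %d SWISS UDP requests to %s:%d "
                "went unanswered; allow UDP %d to the CAS untrusted interface and check "
                "firewalls, ACLs and routing in between"
                % (udp["sent"], udp["server"], udp["port"], udp["port"]))
    if udp:
        return ("OK", "SWISS UDP exchange was answered")
    return ("INCOMPLETE", "excerpt ends before the SWISS UDP exchange")


if __name__ == "__main__":
    for name, sample in (("udp_blocked", SAMPLE_UDP_BLOCKED), ("cert_error", SAMPLE_CERT_ERROR)):
        print(name, verdict(triage(sample)))
```

The point of splitting the verdict this way is that the two failures look identical from the user's chair (no agent pop-up) but only one of them is a network problem: a 12045 is fixed on the client, while a three-strike UDP give-up after a clean HTTPS 200 is fixed in the AUTH VLAN ACL, the firewall or the routing toward the CAS untrusted interface.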