NAC Agent won't pop-up to offer login

riosibuea
Level 1

Hello,

I have a Layer 3 Out-of-Band Real-IP-Gateway deployment using VLAN ACL.


How come some endpoint won't pop-up? I have made sure the Discovery Host points to the untrusted interface.

It looks like the static route I added doesn't do anything.

Please advise.

16 Replies

edwjames
Level 3

To what IP is your CAS x509 certificate generated?

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Hello Edward,

Thanks for the reply. I created the cert to the service IP of the untrusted interface.

Do you see a certificate prompt after you get an IP on your client?

Could you attach the agent logs here so that I can see if I can figure out anything?

I hope you only have static routes on your CAS and no managed subnets.

Have you enabled L3 support on your CAS?

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Hello Edward,

Yes, I see the cert prompt (since it is still a self-signed cert).

Yes, I only have static routes and don't use the managed subnets.

L3 support is already enabled.

I will have to get back to you on the client log.

Can you think of any other thing that would prevent the login offer?

As soon as you get the certificate prompt on the client, do you install it? You should, especially as it is a self-signed one.

The agent logs will show whether the SWISS communication is occurring.

Have you tried logging in using web login? Does it work? Do you get a redirection to a login page when you try to go to www from the client?

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Hello James,

Yes, I install the cert.

Web login and web agent work without any issue.

The windows agent is the one that won't pop-up to offer login.

Any other idea?

So this means your traffic flow is good and the client can reach the CAS.

The issue is with the agent.

What is the OS you are running,

the CAM version and the agent version?

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Hello James,

Thanks for the reply.

The OS is Win 7. CAM/CAS/Agent Version is 4.7.2.

I attached the Log File captured from the agent and a packet capture run at the client.

The CAS untrusted IP is 10.22.40.10

http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/473rn.html#wp606982

Could you check this link out.

I am not sure whether it concerns you or not.

I am looking into your logs and I see the client does not recognize the certificate authority that certified your CAS.

HttpSendRequestA returns error (12045): The function is unfamiliar with the Certificate Authority that generated the server's certificate

Try one thing:

Manually take the CAS certificate that is self-signed and install it on the Windows 7 PC.

See if it helps.

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Could you clarify a few things?

What do these point to?

1. tennas04.medcoenergi.com - is this your CAS DNS name?

2. 172.17.77.16 - I believe this is your client's IP

3. 172.17.77.1 - I believe this is your client's default gateway

Note:
The ACL for the AUTH VLAN should allow TCP/UDP 8905 to the CAS untrusted interface, while the ACL for the ACCESS VLAN should block TCP/UDP 8905 to the CAS untrusted interface, for 4.7.0 and later L3 OOB deployments using ACL.

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Hello Edward,

1. Yes, tennas04.medcoenergi.com is the CAS DNS name.

2. Yes, 172.17.77.16 is the client's IP for the unauthenticated network.

3. Yes, 172.17.77.1 is the client's default gateway.

I have unchecked the option in Internet Explorer "Check for server certificate revocation", but the issue is still there. The agent won't pop-up.

Please advise.

Hello Edward,

We just integrated the real cert for the systems, so there is no more cert warning, but the issue is still there.

Attached is the recent agent log.

Btw, how do you read the agent log? How did you know that there was a cert warning in the agent log?

Hi,

We have access to the log decoder which decodes the logs...

Let me have a look at these logs and see if I find anything different.

Regards

eddy

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Hi,

This is a completely different PC, I suppose.

As now I see this:

[sev=info][func=GetOSType]: OS version = WINDOWS_7_ENTERPRISE

[sev=debug][func=IsOs_Wow64]: Wow64 directory does not exist

What language OS are you using here?

The NAC is recognizing the OS, but I see it failing to recognize it as 64-bit.

Is this a 32-bit OS that you are using?

On another note:

This is what I see:

Probe Discovery URL of tennas04.medcoenergi.com with HTTPS

CrackUrl: host = tennas04.medcoenergi.com path = /auth/discovery user =  port = 8905 scheme = 4 flags = 8388608

The HTTP response header for the message is:   HTTP/1.1 200

Discovery URL returns CAS address tennas04.medcoenergi.com

Probe CAS tennas04.medcoenergi.com with HTTPS

CrackUrl: host = tennas04.medcoenergi.com path = /auth/swiss user =  port = 8905 scheme = 4 flags = 8388608

The HTTP response header for the message is:   HTTP/1.1 200

Successfully set up SwissCrypto for Triple DES with key index 1024772050

SWISS exchange changed from HTTPS to UDP, server tennas04.medcoenergi.com, SYNC flag is not set

SwissRunner sent a Swiss request to address tennas04.medcoenergi.com, port 8906, OP type 9, event ID 2, IP/Mac list '0.0.0.0|00:1f:3c:89:84:4c  172.24.36.205|00:1e:ec:49:c8:f7

Resend SWISS UDP request, resend count 1

SwissRunner sent a Swiss request to address tennas04.medcoenergi.com, port 8906, OP type 9, event ID 2, IP/Mac list '0.0.0.0|00:1f:3c:89:84:4c  172.24.36.205|00:1e:ec:49:c8:f7

Resend SWISS UDP request, resend count 2

SwissRunner sent a Swiss request to address tennas04.medcoenergi.com, port 8906, OP type 9, event ID 2, IP/Mac list '0.0.0.0|00:1f:3c:89:84:4c  172.24.36.205|00:1e:ec:49:c8:f7

Resend SWISS UDP request, resend count 3

All 3 resends of SWISS request with op_type 9 have failed, give up


This 8906 is failing, due to which you don't see a pop-up.

Check if there is a firewall in between; if you are using ACLs anywhere, check if UDP 8906 is allowed.

There is some routing Issue here it seems.

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
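The log excerpt above shows the three stages the agent goes through before it can pop up: the HTTPS discovery probe to /auth/discovery on TCP 8905, the HTTPS /auth/swiss probe that sets up SwissCrypto, and the switch to UDP 8906 for the SWISS request that, in this thread, times out after three resends. The following Python script is an added example, not part of this thread or of the Cisco NAC agent; it walks agent log lines in order and reports which stage broke and which port to check. The two sample logs are constructed from the lines quoted in this thread, and the dictionary keys, regexes and verdict text are the example's own.

```python
import re
from typing import Optional

# Constructed sample: the log from the last post, where UDP 8906 never answers.
FAILED_UDP_LOG = """\
Probe Discovery URL of tennas04.medcoenergi.com with HTTPS
CrackUrl: host = tennas04.medcoenergi.com path = /auth/discovery user =  port = 8905 scheme = 4 flags = 8388608
The HTTP response header for the message is:   HTTP/1.1 200
Discovery URL returns CAS address tennas04.medcoenergi.com
Probe CAS tennas04.medcoenergi.com with HTTPS
CrackUrl: host = tennas04.medcoenergi.com path = /auth/swiss user =  port = 8905 scheme = 4 flags = 8388608
The HTTP response header for the message is:   HTTP/1.1 200
Successfully set up SwissCrypto for Triple DES with key index 1024772050
SWISS exchange changed from HTTPS to UDP, server tennas04.medcoenergi.com, SYNC flag is not set
SwissRunner sent a Swiss request to address tennas04.medcoenergi.com, port 8906, OP type 9, event ID 2, IP/Mac list '0.0.0.0|00:1f:3c:89:84:4c  172.24.36.205|00:1e:ec:49:c8:f7
Resend SWISS UDP request, resend count 1
SwissRunner sent a Swiss request to address tennas04.medcoenergi.com, port 8906, OP type 9, event ID 2, IP/Mac list '0.0.0.0|00:1f:3c:89:84:4c  172.24.36.205|00:1e:ec:49:c8:f7
Resend SWISS UDP request, resend count 2
SwissRunner sent a Swiss request to address tennas04.medcoenergi.com, port 8906, OP type 9, event ID 2, IP/Mac list '0.0.0.0|00:1f:3c:89:84:4c  172.24.36.205|00:1e:ec:49:c8:f7
Resend SWISS UDP request, resend count 3
All 3 resends of SWISS request with op_type 9 have failed, give up
"""

# Constructed sample: the earlier log, where the client rejected the CAS certificate
# (WinINet error 12045, ERROR_INTERNET_INVALID_CA) before discovery got a response.
CERT_ERROR_LOG = """\
Probe Discovery URL of tennas04.medcoenergi.com with HTTPS
CrackUrl: host = tennas04.medcoenergi.com path = /auth/discovery user =  port = 8905 scheme = 4 flags = 8388608
HttpSendRequestA returns error (12045): The function is unfamiliar with the Certificate Authority that generated the server's certificate
"""

CRACKURL_RE = re.compile(r"CrackUrl: host = (\S+) path = (\S+) .*port = (\d+)")
HTTP_STATUS_RE = re.compile(r"HTTP response header .*HTTP/1\.\d (\d{3})")
HTTP_ERROR_RE = re.compile(r"HttpSendRequest\w* returns error \((\d+)\)")
UDP_SEND_RE = re.compile(r"SwissRunner sent a Swiss request to address (\S+), port (\d+)")
RESEND_RE = re.compile(r"resend count (\d+)")
GIVE_UP_RE = re.compile(r"All (\d+) resends of SWISS request .* have failed")


def diagnose(log_text: str) -> dict:
    """Walk the agent log in order and record the outcome of each SWISS stage."""
    result = {
        "https_status": {},     # URL path -> HTTP status code of the HTTPS probe
        "https_port": None,     # TCP port the HTTPS probes used (8905 in this thread)
        "http_error_code": None,  # WinINet error if an HTTPS probe failed outright
        "udp_server": None,
        "udp_port": None,       # UDP port of the SWISS request (8906 in this thread)
        "resend_count": 0,
        "udp_failed": False,
    }
    pending_path: Optional[str] = None  # path of the HTTPS probe awaiting its status line
    for line in log_text.splitlines():
        if m := CRACKURL_RE.search(line):
            pending_path = m.group(2)
            result["https_port"] = int(m.group(3))
        elif (m := HTTP_STATUS_RE.search(line)) and pending_path:
            result["https_status"][pending_path] = int(m.group(1))
            pending_path = None
        elif m := HTTP_ERROR_RE.search(line):
            result["http_error_code"] = int(m.group(1))
        elif m := UDP_SEND_RE.search(line):
            result["udp_server"], result["udp_port"] = m.group(1), int(m.group(2))
        elif m := RESEND_RE.search(line):
            result["resend_count"] = max(result["resend_count"], int(m.group(1)))
        elif m := GIVE_UP_RE.search(line):
            result["resend_count"] = max(result["resend_count"], int(m.group(1)))
            result["udp_failed"] = True
    result["verdict"] = _verdict(result)
    return result


def _verdict(r: dict) -> str:
    """Map the recorded stage outcomes to the check a troubleshooter should make next."""
    if r["http_error_code"] == 12045:
        return "client does not trust the CA that issued the CAS certificate: install the CAS certificate on the client"
    if r["http_error_code"] is not None:
        return f"HTTPS probe to TCP {r['https_port']} failed with WinINet error {r['http_error_code']}"
    if not r["https_status"] or any(s != 200 for s in r["https_status"].values()):
        return (f"HTTPS discovery on TCP {r['https_port'] or 8905} not completing: "
                "check the AUTH VLAN ACL allows TCP 8905 to the CAS untrusted interface")
    if r["udp_failed"]:
        return (f"SWISS over UDP {r['udp_port']} to {r['udp_server']} failed after "
                f"{r['resend_count']} resends: check ACLs and firewalls allow UDP {r['udp_port']}")
    return "SWISS exchange completed; the agent should pop up"


if __name__ == "__main__":
    for name, log in (("failed UDP", FAILED_UDP_LOG), ("cert error", CERT_ERROR_LOG)):
        print(f"{name}: {diagnose(log)['verdict']}")
```

Run it as-is to see both constructed logs diagnosed, or feed it a real agent log with `diagnose(open(path).read())`; the HTTPS stages are matched by the CrackUrl path so a 200 on /auth/discovery followed by a failure on /auth/swiss is reported separately from a discovery failure.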