Hi,

I'm working on NAC I,and I plan to implement NAC II right after the NAC I will end.But I have two concerns.

1. I had configured ACS v 3.3 on the windows 2000 server.The ACS should check the Cisco secure database or a Windows database(active directory) to authenticate users.I had enable PEAP and EAP-TLS on the ACS, with a self signed certificate. The certificate had been succesfully import on the client (Windows XP pro SP2) while installing Cisco Trust Agent v 1.0.55. I had also enable machine authentication with PEAP and EAP-TLS. But I still have the following error:"Auth type not supported by External DB". I would like to have some suggestion to fix that problem.I had attached the failled attemps log that I had.

2. I would like to know how the NAC I and NAC II fit toghter.Which directive I can follow to implement the NAC II when the NAC I is already working.

Regards.

Hello,

We are busy implementating NAC phase two. Does this work with ACS 3.3 or do we need to upgrade to 4? We are using 802.1x wired client with CTA 2.0 to make things work with 2950 switches. It seems however that the CTA is not sending any data to our ACS. If an upgrade on ACS is needed I understand this otherwise what could be the problem? We level 15 logging on the CTA 2.0. The logfiles don't say much to me. The only error that I see now and then is:

"Failed to open Registry Key, error code 13"

Kind regards,

Rutger

- Is there also an ACS 4.0 (final,eval?) download already available?

- Where can I find the TrendMicro AVP file for the ACS 4.0? At the TrendMicro website i can't find it. I use the following file (got it from the BETA ACS 4.0 documentation). The values dosen't appear at the ACS server logfile :(. On the new CTA 2.0.30 i can see in the log that the information is sent to the ACS.

[attr#0]

vendor-id=6101

vendor-name=Trend

application-id=3

application-name=AV

attribute-id=00001

attribute-name=Application-Posture-Token

attribute-profile=out

attribute-type=unsigned integer

[attr#1]

vendor-id=6101

vendor-name=Trend

application-id=3

application-name=AV

attribute-id=00002

attribute-name=System-Posture-Token

attribute-profile=out

attribute-type=unsigned integer

[attr#2]

vendor-id=6101

vendor-name=Trend

application-id=3

application-name=AV

attribute-id=00003

attribute-name=Software-Name

attribute-profile=in out

attribute-type=string

[attr#3]

vendor-id=6101

vendor-name=Trend

application-id=3

application-name=AV

attribute-id=00004

attribute-name=Software-ID

attribute-profile=in out

attribute-type=unsigned integer

[attr#4]

vendor-id=6101

vendor-name=Trend

application-id=3

application-name=AV

attribute-id=00005

attribute-name=Software-Version

attribute-profile=in out

attribute-type=version

[attr#5]

vendor-id=6101

vendor-name=Trend

application-id=3

application-name=AV

attribute-id=00006

attribute-name=Scan-Engine-Version

attribute-profile=in out

attribute-type=version

[attr#6]

vendor-id=6101

vendor-name=Trend

application-id=3

application-name=AV

attribute-id=00007

attribute-name=Dat-Version

attribute-profile=in out

attribute-type=version

[attr#7]

vendor-id=6101

vendor-name=Trend

application-id=3

application-name=AV

attribute-id=00008

attribute-name=Dat-Date

attribute-profile=in out

attribute-type=date

[attr#8]

vendor-id=6101

vendor-name=Trend

application-id=3

application-name=AV

attribute-id=00009

attribute-name=Protection-Enabled

attribute-profile=in out

attribute-type=unsigned integer

[attr#9]

vendor-id=6101

vendor-name=Trend

application-id=3

application-name=AV

attribute-id=00010

attribute-name=Action

attribute-profile=out

attribute-type=string

I have a VPN 3005 concentrator running 4.7 code with ACS 4.0 as the RADIUS server, performing NAC with a test client running CTA 2.0 and Cisco VPN client 4.7. I had this working under ACS 3.3/CTA1.0 but with the new Network Access Profiles in ACS 4.0 I am having some difficulty with the Downloadable ACLs. I am using a group/password (preshared key) to connect to the IPSec session, followed by Windows Database authentication. This is working, as well as the Posture Validation which is checking Cisco:PA:PA-Version > 2.0.0.0. What I am encountering is that the Windows authentication occurs seperately from the Posture Validation, so I am essentially running through the Network Access Profiles twice, and being assigned a different Downloadable ACL each time. The effect is that I can not apply an ACL to a Group without it being overwritten by the ACL assigned to the Posture event. Is there a way to merge the events so that I can assign the ACL by a combination of Group and SPT?

Good morning Reza Malekzadeh,

I have a very simple question. What would you recommand or what is todays most secure way of accessing devices such as routers, switches to be able to manage them ?

This by using telnet ? SSH ? TACAS ?

SNMP with Ciscoworks, is safe ? Should we be using something else than SNMP for management through CiscoWorks ?

Many thansk for your quick response.

Hi,

Just encountered this problem, when tried to replicated GUEST server, we received following messages:

get the message "An error
occured while configuring replication"

the application logs shows the following 
2010-08-03 07:51:12 CDT LOG    +-------------------------------------
2010-08-03 07:51:12 CDT LOG    twin 1.2 starting up...
2010-08-03 07:51:12 CDT LOG     log mode is 0
2010-08-03 07:51:12 CDT LOG     local port=5432
2010-08-03 07:51:12 CDT LOG     local database=gapdb
2010-08-03 07:51:12 CDT LOG     log_table_max_size=1000
2010-08-03 07:51:12 CDT LOG     sleeptime=1000
2010-08-03 07:51:12 CDT LOG     use_timestamps=f
2010-08-03 07:51:12 CDT LOG    done
2010-08-03 07:51:12 CDT LOG    local config status is 0
2010-08-03 07:51:12 CDT FATAL  application has not yet configured twin
2010-08-03 07:51:12 CDT LOG    shutting down...
2010-08-03 07:51:12 CDT LOG    shutdown complete

also I could not find what the twin is and how to config it.

Any help will be appreciated

- Angela Yan