I have been banging my head with this. I am attempting to set up a NAC test environment. I have ACS 4.0 running and configured, a Trend Policy Server running and configured and a 2811 with version 12.4(3a) advanced security. I have an end-station running XP Pro SP 2, CTA 2.0 with 802.1x client.
CTA is not being detected on the end-device. I have tried CTA v1.0.55, CTA 22.214.171.124 and two different workstations. There is no firewall running on the end machine; it is simply XP Pro, SP2 and CTA, nothing else, and I stopped the firewall service built into XP.
Attached is my router config in regard to NAC and also a debug output.
From the end of the debug output I get connected via my 'clientless' config. Any input would be appreciated.
Thanks for the response. I actually fixed the issue a couple of hours ago. The problem ended up being the DEFAULT_INTERFACE_ACL. I permit eapoudp from any to 172.16.0.0 and it worked. I thought the fact that I was permitting all of IP to 172.16.199.0 (segment that the ACS server resides on) would allow the eapoudp traffic. Perhaps the eapoudp traffic does not flow directly from the workstation to the ACS server, therefore limiting it to the one segment caused the issue. Now it appears as though I have a problem with the cert; the ACS server has the following error in the failed attempts - EAP-TLS OR PEAP AUTHENTICATION FAILED DURING SSL HANDSHAKE. Any thoughts on this error? I used the generate and install self-signed cert option, placed the cert in the /certs directory where the CTA install file was on the workstation. During the install the cert was imported successfully.
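The ACL behaviour described in the post above, modelled as an added example that is not part of the original thread: EAPoUDP (UDP port 21862) runs between the CTA and the router, and the router relays the posture data to ACS, so an inbound interface ACL that only permits the ACS segment drops the CTA's replies. The prefix lengths and the host addresses below are assumptions; the thread gives only the network addresses 172.16.199.0 and 172.16.0.0.

```python
import ipaddress

EAPOUDP_PORT = 21862  # UDP port EAPoUDP uses between CTA and the router

def rule(action, proto, dst, port=None):
    """One permit/deny entry: protocol, destination network, optional port."""
    return (action, proto, ipaddress.ip_network(dst), port)

def evaluate(acl, proto, dst_ip, dst_port=None):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for action, r_proto, r_dst, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if dst not in r_dst:
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action
    return "deny"

# Assumed prefix lengths (/24, /16); the thread gives only network addresses.
ORIGINAL_ACL = [rule("permit", "ip", "172.16.199.0/24")]
FIXED_ACL = ORIGINAL_ACL + [rule("permit", "udp", "172.16.0.0/16", EAPOUDP_PORT)]

# Constructed packets arriving inbound from the workstation.
PACKETS = {
    "CTA reply to router (EAPoUDP)": ("udp", "172.16.10.1", EAPOUDP_PORT),
    "workstation to ACS segment":    ("tcp", "172.16.199.10", 443),
    "workstation to other host":     ("tcp", "172.16.20.5", 445),
}

def compare():
    """Return {packet name: (verdict under original ACL, verdict under fixed ACL)}."""
    return {name: (evaluate(ORIGINAL_ACL, *p), evaluate(FIXED_ACL, *p))
            for name, p in PACKETS.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:32} before={before:6} after={after}")
```

Only the EAPoUDP packet changes verdict; the added entry does not open other traffic from an unvalidated host.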
Kevin, you always have to permit traffic to the ACS and to the antivirus server in the default access list, for example OfficeScan working on port 8080 (this is so that, if you have a problem and the machine was blocked, the machine can access the antivirus server to solve the problem by installing or upgrading the software).
I have the same problem with CTA 2. Try deploying the CTA 1 agent from the OfficeScan console. You have to install the certificate first (always from the OfficeScan web console).
You can enable debug on the workstation; look at the file ctalog....
I have everything working as far as CTA 2.0 communicating with the ACS 4.0 server. I have it validating OS, Service Pack, CTA version, etc. However, I cannot get validation of Trend credentials to work. This occurs if I use an internal policy or external policy. No AV credentials are being passed to the ACS server. Anybody have any thoughts?