Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

CTA Not Detected

I have been banging my head with this. I am attempting to set up a NAC test environment. I have ACS 4.0 running and configured, a Trend Polict Server running and configured and a 2811 with version 12.4(3a) advanced security. I have an end-station running XP Pro SP 2, CTA 2.0 with 802.1x client.

CTA is not being detected on the end-device. I have tried CTA v1.0.55, CTA and two different workstations. There is no firewall running on the end machine, it is simply XP Pro, SP2 and CTA, nothing else and I stopped the firewall service built into XP.

Attached is my router config in regard to NAC and also a debug output.

From the end of the debug output I get connected via my 'clientless' config. Any input would be appreciated.

Community Member

Re: CTA Not Detected

My friend, i have a cup of this installation. Evething works fine with ACS 3.3 and th CTA 1.53 ( this come with TrendMicro officescan 6.5 and 7.0). You can reach me to my mail.

Now i am testing the new NAC 2 with ACS 4.0, CTA 2 and catalyst 2950 but i can solve it.

You can enable the debug from the CTA client to view any problem.

Enjoy it


Community Member

Re: CTA Not Detected

Thanks for the response. I actually fixed the issue a couple of hours ago. The problem ended up being the DEFAULT_INTERFACE_ACL. I permit eapoudp from any to and it worked. I thought the fact the I was permitting all of ip to (segment that the ACS server resides on) would allow the eapoudp traffic. Perhaps the eapoudp traffic does not flow directly from the workstation to the ACS server, therefor limiting it to the one segment caused the issue. Now it appears as though I have a problem with the cert, the ACS server has the following error in the failed attempts - EAP-TLS OR PEAP AUTHENTICATION FAILED DURING SSL HANDSHAKE. Any thoughts on this error. I used the generate and install self-signed cert option, placed the cert in the /certs directory where the CTA install file was on the workstation. During the install the cert was imported successfully.


Community Member

Re: CTA Not Detected

kevin, you have to permit always by default access-list trafic to the ACS and to Antivirus server, for example officcescan working in the port 8080 (this is if you have a problem, and the machine was blocked, this machine can access to the antivirus server to solve the problem installing or upgrading the software).

I hve the same problem with CTA 2, Try deploying the CTA 1 agent from the officescan console. You have to install the certificate first (always from the officescan web console).

you can enable debug in the workstation, look the file ctalog....

Cisco Trust Agent Version

Copyright © 2003 Cisco Systems, Inc. All Rights Reserved. Trust Agent Type(s):

Windows, WinNT Running on: 5.0.2195

1 16:21:43.809 09/21/2005 Sev=Warning/3 NetTrans/0xA3100014

EAPoUDP session 7: Invalid message ID, expecting: 0xb2dbb99d, received 0xb2dbb99b

2 16:22:22.028 09/21/2005 Sev=Info/5 PEAP/0x63400009

PEAP module initialization success!

3 16:22:22.059 09/21/2005 Sev=Info/5 PEAP/0x6340000B

PEAP processing begun

4 16:22:22.075 09/21/2005 Sev=Info/4 EAPTLV/0x63500005

Begin EAP-TLV processing


take care. Leo

Community Member

Re: CTA Not Detected

I have everything working as far as CTA 2.0 communicationg with the ACS 4.0 server. I have it validating OS, Service Pack, CTA version, etc. However, I cannot get validation of Trend credentials to work. This occurs if I use an internal policy or external policy. No AV credentails are being passed to the ACS server. Anybody have any thoughts?


Re: CTA Not Detected

Perhaps the Trend policy server only recognizes CTA 1.0.53 since that's what it installs? 2.0 may be too new for it.

Community Member

Re: CTA Not Detected

That's what I was thinking also, but Trend claims 7.0 works with CTA 2.0.

Community Member

Re: CTA Not Detected

Its my understanding you have to have all the following posture plugins for cta to posture and remediate trend. They can be found on the trend external posture server install. Hope this helps.

? C:\Program Files\Common Files\PostureAgent\Plugins\Install\TmAbPpAct.exe

? C:\Program Files\Common Files\PostureAgent\Plugins\Install\tmdbg20.dll

? C:\Program Files\Common Files\PostureAgent\Plugins\Install\loadhttp.dll

? C:\Program Files\Common Files\PostureAgent\Plugins\TmAbPp.dll

? C:\Program Files\Common Files\PostureAgent\Plugins\tmabpp.inf

CreatePlease to create content