New Member

NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not working???

Hi

I'm trying to set up my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is:

Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)

Cisco 1811 router (inter-vlan routing)

Cisco Secure ACS (90 day trial) 4.2

CTA 2.1.103

CSSC 5.1.0.39

Windows XP SP3 client machine

So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says it's waiting for an IP address; it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there are no passes or fails for this host. I know RADIUS is working from this switch as I have it set up for login authentication, which works just fine. I am completely stumped and the only thing I can think of is trying to install a full certificate server and going that way, instead of the self-signed cert which CSACS has generated; I've copied the .cer file to the client, installed it and verified it is installed with the Certificates MMC. Please, somebody provide some better reading on this matter, or some assistance. Thanks very much.

Jason

aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control

Client port:

interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x reauthentication
!

4 REPLIES
Silver

Re: NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not work

Use these Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(3).

http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/413/413rn.html

New Member

Re: NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not work

Hi

I was asking specifically about the NAC Framework 2.1, not the Appliance...but either way, I figured out the problem. I was installing the CSSC client without first running the CSSC Management utility to generate the configuration.xml file. Once I ran through, generated the .xml and also the bundled installer, copied the installer to the client, and reinstalled the CSSC from the generated file...and bingo, NAC-L2-802.1x is working!!! Thanks for all your help.

New Member

Re: NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not work

New Member

Re: NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not work

The link you provided is in regard to Cisco ACS 3.x, not 4.x, which is quite different in configuration. I've resolved the issue; as stated above, it was the missing configuration.xml file that was breaking the whole solution. Thanks for your time.

Jason
