I have been reading the threads on NAC, but only one of them was similar to my issue. Unfortunately, the suggestions in there did not work. Hence this post.
SCENARIO: I am setting up a test lab for NAC deployment for one of our clients. I am using the following devices:
NAD - Cisco 2811 with 12.4(5) Advanced IP Services (see below)
AAA Policy Server - Cisco ACS 3.3(1)
AV Policy Server - Trend Micro OfficeScan 6.5
Client - CTA v1.0
Simple setup - 2 subnets, client on one (connected via crossover directly to fa0/1 of the router), subnet y.y.y.X, trying to gain access to the z.z.z.X subnet. IP admission statement and default ACL on fa0/1 (client side) with the following statement for the RADIUS server:
aaa authentication eou default enable group radius
The line "during state eou_server, got event 17(eouAuthServerFail)" is what is worrying me. I do a show aaa server and find no attempts are made to send to the ACS. I turn on Network Monitor on the ACS and there are no packets sent from the NAD to the ACS, not even broadcast. They are both on the same subnet.
I am scratching my head a fair bit with this one now. Can anyone point me in the correct direction?
PS I have tried several different versions of IOS, all of which say they support NAC and have no advisories against them that refer to NAC.
I checked the ACS, and I did not see any failed attempts for an SSL error. In fact, I do not see any failed attempts at all (probably related to the fact that the network monitor is not showing any packets coming from the router (NAD) to the ACS).
I also think it has something to do with the CTA certificate, but I am just trying to work out what it is and how to fix it!
OK, well, I have gone back to basics with my NAC configuration. But I am still encountering the same errors. I am attaching a copy of my router config (with all the sensitive info blotted out).
Can anyone help? I am pretty sure that I have got all the correct certificates in the correct places and have got the policy server and the OfficeScan server set to go. But it never seems to get that far! There always seems to be something that is stopping the router from sending anything to the AAA server. If anyone can point out my stupid mistake (if there is one) I would be most grateful!
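For reference, here is a minimal NAC Layer 3 IP (EAPoUDP) router configuration of the kind Cisco documents for exactly this kind of lab. It is an added example, not the poster's attached config and not taken from the thread. The interface names, addresses (RFC 5737 documentation ranges), the RADIUS key, the ACL number and the admission rule name are placeholders. When the EOU state machine logs eouAuthServerFail and no RADIUS traffic leaves the NAD, these are the lines a practitioner would compare against their own: the EOU method list (the documented form is `group radius` on its own), `aaa new-model`, a `radius-server host` entry whose key matches the ACS, and an interface ACL that lets EAPoUDP (UDP 21862) reach the router before the downloadable per-host ACL takes over.

```ios
! Added reference configuration (not the poster's): NAC L3 IP with EAPoUDP.
! Assumptions: Fa0/1 faces the client (192.0.2.1/24), Fa0/0 faces the ACS
! (ACS at 198.51.100.10), shared key "nacKey123", ACL 101, rule name "NAC".
aaa new-model
! EOU method list: the documented form is "group radius" with no other method
aaa authentication eou default group radius
! Needed so the per-host ACL returned by ACS after posture validation is applied
aaa authorization network default group radius
!
! The key here must match the AAA client entry for this NAD on the ACS
radius-server host 198.51.100.10 auth-port 1645 acct-port 1646 key nacKey123
! Send Framed-IP-Address and Cisco VSAs in the Access-Request (required for NAC)
radius-server attribute 8 include-in-access-req
radius-server vsa send authentication
! Source RADIUS from the interface whose address is registered on the ACS
ip radius source-interface FastEthernet0/0
!
! EAPoUDP admission rule and posture timers
ip admission name NAC eapoudp
eou logging
eou timeout status-query 300
eou timeout revalidation 600
!
! Default (pre-posture) ACL on the client-facing interface. It must permit
! EAPoUDP (UDP 21862) to the NAD itself, otherwise the posture exchange never
! starts; DHCP and DNS are usually allowed as well. Everything else is opened
! by the per-host ACL that ACS downloads once posture validation succeeds.
access-list 101 permit udp any host 192.0.2.1 eq 21862
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq domain
access-list 101 deny ip any any
!
interface FastEthernet0/0
 description towards ACS / protected subnet
 ip address 198.51.100.1 255.255.255.0
!
interface FastEthernet0/1
 description NAC client side
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
 ip admission NAC
!
```

To check the RADIUS path independently of EOU, `test aaa group radius <user> <password> new-code` from exec mode will send an Access-Request to the configured server and report whether it answered; if that already fails, the problem is in `aaa new-model`, the `radius-server host` line or the key, not in the NAC pieces. `debug eou all` together with `debug radius` shows whether the eouAuthServerFail event is raised before or after a RADIUS request is actually built, and `show eou all` / `show ip admission cache` show the posture state of each client the router has seen.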