Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAC - NAD not querying ACS etc

Hi

I have been reading the threads on NAC, but only one of them was similar to my issue. Unfortunately, the suggestions in there did not work. Hence this post.

SCENARIO: I am setting up a test lab for NAC deployment for one of our clients. I am using the following devices:

NAD - Cisco 2811 with 12.4(5) Advanced IP Services (see below)

AAA Policy Server - Cisco ACS 3.3(1)

AV Policy Server - Trend Micro OfficeScan 6.5

Client - CTA v1.0

Simple set up - 2 subnets, client on one (connected via crossover directly to fa0/1 of the router), subnet y.y.y.X, trying to gain access to z.z.z.X subnet. IP admission statement and default ACL on fa0/1 (client side) with the follwing statements for radius server:

aaa authentication eou default enable group radius

radius-server host a.b.c.d auth-port 1645 acct-port 1646

radius-server key xxxxxxxxx

IP admission statement for NAC:

ip admission name TEST eapoudp inactivity-time 60 list 101

where list 101 specifies traffic from anywhere trying to get to z.z.z.X subnet.

PROBLEM:

Here is an output of the debug that I have been getting:

*Nov 4 17:31:20.319: eou_auth 192.168.50.100: during state eou_hello, got event 5(eouHelloResponse)

*Nov 4 17:31:20.319: @@@ eou_auth 192.168.50.100: eou_hello -> eou_client

*Nov 4 17:31:20.319: %EOU-6-CTA: IP=192.168.50.100| CiscoTrustAgent=DETECTED

*Nov 4 17:31:20.319: eou-ev:192.168.50.100: msg = 21(eventEouEapStart)

*Nov 4 17:31:20.319: eou_auth 192.168.50.100: during state eou_client, got event 12(eouEapStart)

*Nov 4 17:31:20.319: @@@ eou_auth 192.168.50.100: eou_client -> eou_client

*Nov 4 17:31:20.319: eou-ev:Starting Retransmit timer 3(192.168.50.100)

*Nov 4 17:31:20.319: EAPoUDP (tx) Flags:0 Ver=1 opcode=3 Len=25 MsgId=3518633116 Assoc ID=1213161541

*Nov 4 17:31:20.319: Dumping TLV contents

*Nov 4 17:31:20.319: TLV M:1 R:0 Type=COOKIE PAYLOAD Length=12

3F8E59A0: 1B1DCAE0 C96300AA 747FE33A ..J`Ic.*t.c:

3F8E59B0:

*Nov 4 17:31:20.323: TLV M:1 R:0 Type=EAP Payload Length=5

*Nov 4 17:31:20.323: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1

3F8E59B0: 01010005 01 .....

*Nov 4 17:31:20.323: EAPoUDP (rx) Flags:128 Ver=1 opcode=3 Len=9 MsgId=3518633116 Assoc ID=454937312

*Nov 4 17:31:20.323: Dumping TLV contents

*Nov 4 17:31:20.323: TLV M:1 R:0 Type=EAP Payload Length=5

*Nov 4 17:31:20.323: EAP code: 0x2 id: 0x1 length: 0x0005 type: 0x1

3F4004C0: 02010005 01 .....

*Nov 4 17:31:20.323: eou_auth 192.168.50.100: during state eou_client, got event 14(eouEapResponse)

*Nov 4 17:31:20.323: @@@ eou_auth 192.168.50.100: eou_client -> eou_server

*Nov 4 17:31:20.323: eou-ev:Starting AAA timer 60(192.168.50.100)

*Nov 4 17:31:20.327: eou_auth 192.168.50.100: during state eou_server, got event 17(eouAuthServerFail)

*Nov 4 17:31:20.327: @@@ eou_auth 192.168.50.100: eou_server -> eou_fail

*Nov 4 17:31:20.327: %EOU-6-AUTHTYPE: IP=192.168.50.100| AuthType=EAP

The line "during state eou_server, got event 17(eouAuthServerFail)" is what is worrying me. I do a show aaa server and find no attempts are made to send to the ACS. I turn on Network Monitor on the ACS and there are no packets sent from the NAD to the ACS, not even broadcast. They are both on the same subnet.

I am scratching my head a fair bit with this one now. Can anyone point me in the correct direction?

PS I have tried several different versions of IOS, all of which say they support NAC and have not advisories against them that refer to NAC.

3 REPLIES
New Member

Re: NAC - NAD not querying ACS etc

Hello

I have try the same thing and i can tell i had problem with cta certificate (peap) to acs.

look in the acs Failed Attempts for ssl error.

New Member

Re: NAC - NAD not querying ACS etc

Thanks for your reply, axfood.

I checked the ACS, and I did not see any failed attempts for SSL error. In fact, I do not see any failed attempts at all (probably related to the fact that the network monitor is not showing any packets coming from the router (NAD) to the ACS.

I also think it has something to do with the CTA certificate, but just trying to work out what it is and how to fix it!!!!!!!

New Member

Re: NAC - NAD not querying ACS etc

Hi All

OK, well, I have gone back to basics with my NAC configuration. But I am still encountering the same errors. I am attaching a copy of my router config (with all the sensitive info blotted out).

Can anyone help? I am pretty sure that I have got all the correct certificates in the correct places and have got the policy server and the officescan server set to go. But, it never seems to get that far!! There always seems to be something that is stopping the router from sending anything to the AAA server. If anyone can point out my stupid mistake (if there is one) I would be most grateful!

Rgds

Marc

140
Views
0
Helpful
3
Replies
CreatePlease login to create content