03-31-2006 03:13 PM - edited 02-21-2020 12:49 AM
I have a problem with NAC 2 and ACS 4.0. This is the config on the 3560 switch:
aaa new-model
aaa authentication login default group radius local
aaa authentication eou default group radius
aaa authorization auth-proxy default group radius
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
ip admission name nac eapoudp
ip admission name NAC-L2-IP eapoudp
ip admission name NAC-L2-IP-Bypass eapoudp bypass
ip admission name NAC-L3-IP eapoudp list EoU-ACL
!
ip dhcp snooping
ip device tracking
!
!
eou allow clientless
eou timeout hold-period 60
eou timeout status-query 60
eou timeout revalidation 60
eou logging
interface FastEthernet0/23
switchport mode access
ip access-group EoU-ACL in
spanning-tree portfast
ip admission NAC-L2-IP
ip access-list extended EoU-ACL
permit udp any any eq 21862
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit ip any host 10.0.0.6
deny ip any any
radius-server attribute 8 include-in-access-req
radius-server host 10.0.0.6 auth-port 1645 acct-port 1646 key cisco123
radius-server source-ports 1645-1646
radius-server vsa send authentication
I connect a PC to port 23 and nothing happens.
04-04-2006 12:37 AM
In my eyes there is no mistake in your switch config.
Is there any entry in the log of your CTA, or in the failed attempts of the ACS?
For example an SSL handshake error or something similar.
You should also check if there is any firewall active on the client (Windows Firewall, for example).
04-05-2006 02:08 PM
This is the error message in ACS:
EAP-TLS or PEAP authentication failed during SSL handshake
This is the switch:
LSW1_Simulacion#sh eou all
-------------------------------------------------------------------------
Address Interface AuthType Posture-Token Age(min)
-------------------------------------------------------------------------
10.215.140.5 FastEthernet0/23 EAP ------- 25
04-06-2006 12:48 AM
> EAP-TLS or PEAP authentication failed during SSL handshake
OK, that's what I expected.
This means your CTA and the ACS couldn't build the tunnel with the certificate.
For that I would need to know if your ACS has a self-signed certificate or one from a CA. I think you have one from a CA??
If so, you surely already have the ACS certificate installed on the client.
But now install the CA certificate too, and try again (with the MMC certificates snap-in or the Content tab in IE, as a root CA of course).
harry
04-06-2006 05:17 AM
I have the certificate installed in my machine and running.
04-23-2006 08:42 AM
Is the certificate installed in the user context or the system context? Chances are the certificate has been installed by a user other than Administrator. You need to use the Microsoft MMC Certificates console to make sure that it's installed in the correct context.
04-26-2006 01:30 PM
You need to install the ACS root certificate (the 3rd-party root certificate, if ACS is using a 3rd-party certificate) into the Trust Agent store repository, which is different from the Machine\User repository managed by the MMC snap-in.
From the Trust Agent directory use
ctaCert.exe /add "c:\
Naman