NAC problem

davila_jc
Level 1

I have a problem with NAC 2 and ACS 4.0. This is the config on the 3560 switch:

aaa new-model
aaa authentication login default group radius local
aaa authentication eou default group radius
aaa authorization auth-proxy default group radius
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
ip admission name nac eapoudp
ip admission name NAC-L2-IP eapoudp
ip admission name NAC-L2-IP-Bypass eapoudp bypass
ip admission name NAC-L3-IP eapoudp list EoU-ACL
!
ip dhcp snooping
ip device tracking
!
eou allow clientless
eou timeout hold-period 60
eou timeout status-query 60
eou timeout revalidation 60
eou logging
!
interface FastEthernet0/23
 switchport mode access
 ip access-group EoU-ACL in
 spanning-tree portfast
 ip admission NAC-L2-IP
!
ip access-list extended EoU-ACL
 permit udp any any eq 21862
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit ip any host 10.0.0.6
 deny ip any any
!
radius-server attribute 8 include-in-access-req
radius-server host 10.0.0.6 auth-port 1645 acct-port 1646 key cisco123
radius-server source-ports 1645-1646
radius-server vsa send authentication

I connect a PC to port 23 and nothing happens.
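Added here as an example that is not part of the thread: a small Python evaluator for the EoU-ACL in the config above, showing what a host on Fa0/23 can reach before its posture has been validated (EAPoUDP on UDP 21862, DHCP, DNS, ICMP and the ACS at 10.0.0.6; everything else hits the deny). It only handles the `any`/`host` address forms and `eq` port qualifiers that this ACL uses, and the ACL text and sample packets are constructed copies, not device output.

```python
import ipaddress

# Constructed copy of the EoU-ACL from the post (typed in here, not device output).
EOU_ACL_TEXT = """
permit udp any any eq 21862
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit ip any host 10.0.0.6
deny ip any any
"""
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53}  # IOS port keywords used above

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' (the only address forms this ACL uses)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address spec: " + " ".join(tokens))

def _port(tokens):
    """Consume an optional 'eq <number|keyword>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Return (action, proto, src_net, sport, dst_net, dport) tuples in ACL order."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, *t = line.split()
        src, t = _addr(t)
        sport, t = _port(t)
        dst, t = _addr(t)
        dport, t = _port(t)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, sport=0, dport=0):
    """'permit' or 'deny' for one packet: first match wins, unmatched traffic hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_sport, r_dst, r_dport in rules:
        if r_proto not in ("ip", proto) or s not in r_src or d not in r_dst:
            continue
        if r_sport not in (None, sport) or r_dport not in (None, dport):
            continue
        return action
    return "deny"

RULES = parse_acl(EOU_ACL_TEXT)
```

For example, `evaluate(RULES, "tcp", "10.215.140.5", "10.0.0.6", 40000, 443)` is permitted by the `permit ip any host 10.0.0.6` entry, while the same host talking HTTP to any other address is denied until posture validation opens the port.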

6 Replies

HarrytheBrain
Level 1

In my eyes there is no mistake in your switch config.

Is there any entry in the log of your CTA, or in the failed attempts of the ACS?

For example, an SSL handshake error or something similar.

You should also check whether there is any firewall active on the client (Windows Firewall, for example).

This is the error message in ACS:

EAP-TLS or PEAP authentication failed during SSL handshake

This is the switch:

LSW1_Simulacion#sh eou all
-------------------------------------------------------------------------
Address          Interface          AuthType   Posture-Token   Age(min)
-------------------------------------------------------------------------
10.215.140.5     FastEthernet0/23   EAP        -------         25

> EAP-TLS or PEAP authentication failed during SSL handshake

OK, that's what I expected.

This means your CTA and the ACS couldn't build the tunnel with the certificate.

For that I would need to know whether your ACS has a self-signed certificate or one from a CA. I think you have one from a CA?

If so, you surely already have the ACS certificate installed on the client.

But now install the CA certificate too, and try again (with the MMC Certificates snap-in or the Content tab in IE, as a root CA of course).

harry

I have the certificate installed on my machine and running.

Is the certificate installed in the user context or the system context? Chances are the certificate has been installed by a user other than Administrator. You need to use the Microsoft MMC Certificates console to make sure that it's installed in the correct context.

Brian Ford | brford@cisco.com | brford@yahoo.com | Email me when you figure this out.

You need to install the ACS root certificate (the 3rd-party root certificate, if ACS is using a 3rd-party certificate) into the Trust Agent store repository, which is different from the Machine\User repository managed by the MMC snap-in.

From the Trust Agent directory use:

ctaCert.exe /add "c:\" /store "Root"

Naman
