Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NAC problem

I have problem with nac 2 and acs 4.0, this is the conf in the switch 3560:

aaa new-model

aaa authentication login default group radius local

aaa authentication eou default group radius

aaa authorization auth-proxy default group radius

aaa accounting network default start-stop group radius

aaa accounting system default start-stop group radius


aaa session-id common

ip admission name nac eapoudp

ip admission name NAC-L2-IP eapoudp

ip admission name NAC-L2-IP-Bypass eapoudp bypass

ip admission name NAC-L3-IP eapoudp list EoU-ACL


ip dhcp snooping

ip device tracking



eou allow clientless

eou timeout hold-period 60

eou timeout status-query 60

eou timeout revalidation 60

eou logging

interface FastEthernet0/23

switchport mode access

ip access-group EoU-ACL in

spanning-tree portfast

ip admission NAC-L2-IP

ip access-list extended EoU-ACL

permit udp any any eq 21862

permit udp any eq bootpc any eq bootps

permit udp any any eq domain

permit icmp any any

permit ip any host

deny ip any any

radius-server attribute 8 include-in-access-req

radius-server host auth-port 1645 acct-port 1646 key cisco123

radius-server source-ports 1645-1646

radius-server vsa send authentication

Connect pc to port 23 and not happen nothing.

New Member

Re: NAC problem

in my eyes there is no mistake in your switch config.

ist there any entry in the log of your cta, or in the failed attempts of the ACS ?

For example SSL handshake Error or something similar.

Also should check if there is any firewall active on the client (windows firewall for example)

New Member

Re: NAC problem

this is the message error in acs:

EAP-TLS or PEAP authentication failed during SSL handshake

this is the switch:

LSW1_Simulacion#sh eou all


Address Interface AuthType Posture-Token Age(min)

------------------------------------------------------------------------- FastEthernet0/23 EAP ------- 25

New Member

Re: NAC problem

> EAP-TLS or PEAP authentication failed during SSL handshake

ok, thats what i expected.

This means your CTA and the ACS couldn't build the tunnel with the certificate.

For that i would know if your ACS has a self-signed or a certificate from a CA. I think you have one from a CA ??

If so, you surely already have the ACS Certificate installed on the Client.

But now install the CA Certificate too, and try again. (with the mmc snap-in certificates or the content in IE, as root ca of course)


New Member

Re: NAC problem

I have the certificate installed in my machine and running.

Cisco Employee

Re: NAC problem

Is the certificate installed in the user context or the system context? Chances are the certificate ahs been installed by a user other than administrator. You need to use the Microsoft MMC Certificate console to make sure that it's installed in the correct context.

New Member

Re: NAC problem

You need to install the ACS Root Certificate (3rd Party Root Certificate, if ACS is using a 3rd Party Certificate) to the Trust Agent Store respository, which is different from the Machine\User repository managed by the MMC Snap-in.

From the Trust Agent directory use

ctaCert.exe /add "c:\" /store "Root"