03-24-2006 01:14 AM - edited 02-21-2020 12:47 AM
Hi everyone,
I am getting annoyed trying to get NAC to work.
I just want to make it work with a client, an ACS and a 3550 switch or 2611XM router.
I installed the necessary IOS on the router, I installed CTA on the client and I think I have done all the right configurations in the ACS (I did all the steps written in a documentation file). But the only thing that works is that the router queries the client and sees whether or not it has the CTA. (This I saw from: debug eapoudp:
Mar 23 15:55:41 2.2.2.1 44: *Mar 2 07:29:50.143: %AP-6-POSTURE_STATE_CHANGE: IP=2.2.2.2| STATE=POSTURE ESTAB
Mar 23 15:55:42 2.2.2.1 45: *Mar 2 07:29:51.285: %EOU-6-CTA: IP=2.2.2.2| CiscoTrustAgent=DETECTED
Mar 23 15:55:42 2.2.2.1 46: *Mar 2 07:29:51.553: %EOU-6-AUTHTYPE: IP=2.2.2.2| AuthType=EAP
Mar 23 16:58:11 2.2.2.1 47: *Mar 2 08:32:19.854: %EOU-6-SESSION: IP=2.2.2.2| HOST=REMOVED| Interface=FastEthernet0/1
Mar 23 17:17:35 2.2.2.1 48: *Mar 2 08:51:45.549: %AP-6-POSTURE_START_VALIDATION: IP=2.2.2.2| Interface=FastEthernet0/1
Mar 23 17:17:36 2.2.2.1 49: *Mar 2 08:51:45.553: %AP-6-POSTURE_STATE_CHANGE: IP=2.2.2.2| STATE=POSTURE ESTAB
Mar 23 17:17:36 2.2.2.1 50: *Mar 2 08:51:45.553: %EOU-6-SESSION: IP=2.2.2.2| HOST=DETECTED| Interface=FastEthernet0/1
) Where am I going wrong, or what did I miss?
Can you show me a sample config or something?
Thanks
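A small parser for the EoU/posture syslog lines quoted above, added here as an example and not taken from the thread: it splits the `KEY=VALUE|` fields per host and flags a session where validation started but no policy result was ever logged, which is exactly what the quoted log shows. The `%EOU-6-POLICY` / `TOKEN` result message is an assumption (it does not appear on this page); the sample log is a constructed copy of the lines in the question.

```python
import re
from collections import defaultdict

# Constructed sample: the EoU/posture lines from the question (syslog-relayed, hence the prefix).
SAMPLE_LOG = """\
Mar 23 15:55:41 2.2.2.1 44: *Mar 2 07:29:50.143: %AP-6-POSTURE_STATE_CHANGE: IP=2.2.2.2| STATE=POSTURE ESTAB
Mar 23 15:55:42 2.2.2.1 45: *Mar 2 07:29:51.285: %EOU-6-CTA: IP=2.2.2.2| CiscoTrustAgent=DETECTED
Mar 23 15:55:42 2.2.2.1 46: *Mar 2 07:29:51.553: %EOU-6-AUTHTYPE: IP=2.2.2.2| AuthType=EAP
Mar 23 16:58:11 2.2.2.1 47: *Mar 2 08:32:19.854: %EOU-6-SESSION: IP=2.2.2.2| HOST=REMOVED| Interface=FastEthernet0/1
Mar 23 17:17:35 2.2.2.1 48: *Mar 2 08:51:45.549: %AP-6-POSTURE_START_VALIDATION: IP=2.2.2.2| Interface=FastEthernet0/1
Mar 23 17:17:36 2.2.2.1 49: *Mar 2 08:51:45.553: %AP-6-POSTURE_STATE_CHANGE: IP=2.2.2.2| STATE=POSTURE ESTAB
Mar 23 17:17:36 2.2.2.1 50: *Mar 2 08:51:45.553: %EOU-6-SESSION: IP=2.2.2.2| HOST=DETECTED| Interface=FastEthernet0/1
"""
MSG_RE = re.compile(r"%(?P<fac>[A-Z]+)-\d-(?P<mnem>[A-Z_]+): (?P<body>.*)$")

def parse_line(line):
    """Return (facility, mnemonic, {KEY: VALUE}) for an EoU/posture line, else None."""
    m = MSG_RE.search(line)
    if not m or m.group("fac") not in ("EOU", "AP"):
        return None
    pairs = (p.split("=", 1) for p in m.group("body").split("|") if "=" in p)
    return m.group("fac"), m.group("mnem"), {k.strip(): v.strip() for k, v in pairs}

def summarize(log_text):
    """Per-host view of the EoU exchange and whether a policy result ever arrived."""
    hosts = defaultdict(lambda: {"cta": None, "auth_type": None, "validation_started": False,
                                 "last_state": None, "policy_token": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, mnem, f = parsed
        h = hosts[f.get("IP", "?")]
        if mnem == "CTA":
            h["cta"] = f.get("CiscoTrustAgent")
        elif mnem == "AUTHTYPE":
            h["auth_type"] = f.get("AuthType")
        elif mnem == "POSTURE_START_VALIDATION":
            h["validation_started"], h["policy_token"] = True, None  # new round, forget old result
        elif mnem == "POSTURE_STATE_CHANGE":
            h["last_state"] = f.get("STATE")
        elif mnem == "POLICY":  # assumed name of the ACS result message; not shown on the page
            h["policy_token"] = f.get("TOKEN")
    for h in hosts.values():
        # stuck: validation started but no posture token was ever logged for this host
        h["stuck"] = h["validation_started"] and h["policy_token"] is None
    return dict(hosts)
```

Running `summarize(SAMPLE_LOG)` on the quoted lines reports the client as CTA detected, EAP, state POSTURE ESTAB and stuck, i.e. the switch never received a posture token from ACS, which points at the ACS side rather than the switch.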
03-24-2006 05:34 AM
These are the relevant parts(!) of my config for NAC-L2-IP:
aaa new-model
aaa authentication eou default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
vtp mode transparent
...
ip admission name NAC-L2-IP eapoudp
!
ip dhcp snooping vlan 1
ip device tracking
.......
.......
interface FastEthernet0/1
switchport mode access
ip access-group interface_acl in
spanning-tree portfast
ip admission NAC-L2-IP
........
........
interface Vlan1
ip address xxx.xxx.xxx.xxx 255.255.255.0
.....
.....
ip http server
.....
.....
ip access-list extended interface_acl
remark Allow EAPoUDP
permit udp any any eq 21862
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark Allow HTTP access to update server
remark Allow ICMP for test purposes
permit icmp any any
permit tcp any host xxx.xxx.xxx.xxx eq port
remark Implicit Deny
deny ip any any
ip access-list extended quarantine_url_redir_acl
deny tcp any host xxx.xxx.xxx.xxx eq www
permit tcp any any eq www
!
radius-server attribute 8 include-in-access-req
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key YourKey
radius-server vsa send authentication
......
......
Post yours if this doesn't help.
It's a config from a 3560, but it should be no different;
my IOS version is ipbase SEE.
Is there any "failed attempt" entry in the ACS log?
Or a log from CTA?
Another tip: check whether the Windows firewall is turned on; you should turn it off while testing.
Regards,
harry
03-29-2006 06:56 AM
Thanks Harry,
the switch config is OK (it's like yours).
I think it is a problem with the settings in ACS. Anyway, as I saw on the forum, I should first install ACS 4.0, and then I will start doing the config again.