NAC

costin.vilcu
Level 1

Hi everyone,

I am getting annoyed trying to get NAC to work.

I just want to make it work with a client, an ACS and a 3550 switch or 2611XM router.

I installed the necessary IOS on the router, installed CTA on the client, and I think I have done all the right configurations in the ACS (I did all the steps written in a documentation file). But the only thing that works is that the router queries the client and sees whether or not it has the CTA. (This I saw from debug eapoudp:

Mar 23 15:55:41 2.2.2.1 44: *Mar 2 07:29:50.143: %AP-6-POSTURE_STATE_CHANGE: IP=2.2.2.2| STATE=POSTURE ESTAB
Mar 23 15:55:42 2.2.2.1 45: *Mar 2 07:29:51.285: %EOU-6-CTA: IP=2.2.2.2| CiscoTrustAgent=DETECTED
Mar 23 15:55:42 2.2.2.1 46: *Mar 2 07:29:51.553: %EOU-6-AUTHTYPE: IP=2.2.2.2| AuthType=EAP
Mar 23 16:58:11 2.2.2.1 47: *Mar 2 08:32:19.854: %EOU-6-SESSION: IP=2.2.2.2| HOST=REMOVED| Interface=FastEthernet0/1
Mar 23 17:17:35 2.2.2.1 48: *Mar 2 08:51:45.549: %AP-6-POSTURE_START_VALIDATION: IP=2.2.2.2| Interface=FastEthernet0/1
Mar 23 17:17:36 2.2.2.1 49: *Mar 2 08:51:45.553: %AP-6-POSTURE_STATE_CHANGE: IP=2.2.2.2| STATE=POSTURE ESTAB
Mar 23 17:17:36 2.2.2.1 50: *Mar 2 08:51:45.553: %EOU-6-SESSION: IP=2.2.2.2| HOST=DETECTED| Interface=FastEthernet0/1

) What am I doing wrong, or what did I miss?

Can you show me a sample config or something?

Thanks
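An added example, not from the original post or from Cisco: a small Python parser for the %EOU/%AP syslog lines quoted above that builds a per-host posture timeline and flags hosts that the switch reached (CTA detected, validation started) but that never logged any posture state other than POSTURE ESTAB, which is exactly what the log above shows. The sample input is the poster's own log lines; the field names are read from them and nothing else is assumed about the message format.

```python
import re
from collections import defaultdict
# Syslog lines taken from the original post: switch 2.2.2.1 reporting on NAC client 2.2.2.2.
SAMPLE_LOG = """\
Mar 23 15:55:41 2.2.2.1 44: *Mar 2 07:29:50.143: %AP-6-POSTURE_STATE_CHANGE: IP=2.2.2.2| STATE=POSTURE ESTAB
Mar 23 15:55:42 2.2.2.1 45: *Mar 2 07:29:51.285: %EOU-6-CTA: IP=2.2.2.2| CiscoTrustAgent=DETECTED
Mar 23 15:55:42 2.2.2.1 46: *Mar 2 07:29:51.553: %EOU-6-AUTHTYPE: IP=2.2.2.2| AuthType=EAP
Mar 23 16:58:11 2.2.2.1 47: *Mar 2 08:32:19.854: %EOU-6-SESSION: IP=2.2.2.2| HOST=REMOVED| Interface=FastEthernet0/1
Mar 23 17:17:35 2.2.2.1 48: *Mar 2 08:51:45.549: %AP-6-POSTURE_START_VALIDATION: IP=2.2.2.2| Interface=FastEthernet0/1
Mar 23 17:17:36 2.2.2.1 49: *Mar 2 08:51:45.553: %AP-6-POSTURE_STATE_CHANGE: IP=2.2.2.2| STATE=POSTURE ESTAB
Mar 23 17:17:36 2.2.2.1 50: *Mar 2 08:51:45.553: %EOU-6-SESSION: IP=2.2.2.2| HOST=DETECTED| Interface=FastEthernet0/1
"""
# Message part of each line: %FACILITY-SEVERITY-MNEMONIC: KEY=VALUE| KEY=VALUE ...
MSG_RE = re.compile(r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<body>.+)$")
def parse_line(line):
    """Return (facility, mnemonic, {field: value}) for one EOU/AP syslog line, or None otherwise."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group("body").split("|"):
        key, sep, value = part.strip().partition("=")
        if sep:  # ignore fragments without '=' (e.g. an empty trailing piece)
            fields[key] = value
    return m.group("facility"), m.group("mnemonic"), fields

def posture_timeline(log_text):
    """Per-host summary: CTA seen, auth type, validations started, states logged, last session event."""
    hosts = defaultdict(lambda: {"cta": False, "auth": None, "validations": 0, "states": [], "session": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, mnemonic, f = parsed
        h = hosts[f.get("IP", "?")]
        if mnemonic == "CTA":
            h["cta"] = f.get("CiscoTrustAgent") == "DETECTED"
        elif mnemonic == "AUTHTYPE":
            h["auth"] = f.get("AuthType")
        elif mnemonic == "POSTURE_START_VALIDATION":
            h["validations"] += 1
        elif mnemonic == "POSTURE_STATE_CHANGE":
            h["states"].append(f.get("STATE"))
        elif mnemonic == "SESSION":
            h["session"] = f.get("HOST")
    return dict(hosts)
def stalled_hosts(timeline):
    """Hosts with CTA detected and a validation started whose only logged state is POSTURE ESTAB (the post's symptom)."""
    return sorted(ip for ip, h in timeline.items() if h["cta"] and h["validations"] > 0 and set(h["states"]) <= {"POSTURE ESTAB"})
```

Running `stalled_hosts(posture_timeline(SAMPLE_LOG))` on the poster's lines returns `['2.2.2.2']`; the same functions can be pointed at a syslog collector's file to watch for hosts that stall the same way.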

2 Replies

HarrytheBrain
Level 1

These are the relevant parts(!) of my config for NAC-L2-IP:

aaa new-model
aaa authentication eou default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
vtp mode transparent
...
ip admission name NAC-L2-IP eapoudp
!
ip dhcp snooping vlan 1
ip device tracking
.......
interface FastEthernet0/1
 switchport mode access
 ip access-group interface_acl in
 spanning-tree portfast
 ip admission NAC-L2-IP
........
interface Vlan1
 ip address xxx.xxx.xxx.xxx 255.255.255.0
.....
ip http server
.....
ip access-list extended interface_acl
 remark Allow EAPoUDP
 permit udp any any eq 21862
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 remark Allow HTTP access to update server
 remark Allow ICMP for test purposes
 permit icmp any any
 permit tcp any host xxx.xxx.xxx.xxx eq port
 remark Implicit Deny
 deny ip any any
ip access-list extended quarantine_url_redir_acl
 deny tcp any host xxx.xxx.xxx.xxx eq www
 permit tcp any any eq www
!
radius-server attribute 8 include-in-access-req
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key YourKey
radius-server vsa send authentication
......

Post yours if this doesn't help.

It's a config from a 3560 but it should be no different; my IOS version is ipbase SEE.

Is there any "failed attempt" entry in the ACS log? Or a log from CTA?

Another tip: check whether the Windows firewall is turned on; you should turn it off while testing.

Regards,

Harry

Thanks Harry,

The switch config is ok (it is like yours).

I think it is a problem with the settings in ACS. Anyway, as I saw on the forum, I should first install ACS 4.0, and then I will start doing the config again.
