topic Re: NAC problem in Network Security

NAC problem

davila_jc — Fri, 21 Feb 2020 08:49:03 GMT

I have problem with nac 2 and acs 4.0, this is the conf in the switch 3560:

aaa new-model

aaa authentication login default group radius local

aaa authentication eou default group radius

aaa authorization auth-proxy default group radius

aaa accounting network default start-stop group radius

aaa accounting system default start-stop group radius

aaa session-id common

ip admission name nac eapoudp

ip admission name NAC-L2-IP eapoudp

ip admission name NAC-L2-IP-Bypass eapoudp bypass

ip admission name NAC-L3-IP eapoudp list EoU-ACL

ip dhcp snooping

ip device tracking

eou allow clientless

eou timeout hold-period 60

eou timeout status-query 60

eou timeout revalidation 60

eou logging

interface FastEthernet0/23

switchport mode access

ip access-group EoU-ACL in

spanning-tree portfast

ip admission NAC-L2-IP

ip access-list extended EoU-ACL

permit udp any any eq 21862

permit udp any eq bootpc any eq bootps

permit udp any any eq domain

permit icmp any any

permit ip any host 10.0.0.6

deny ip any any

radius-server attribute 8 include-in-access-req

radius-server host 10.0.0.6 auth-port 1645 acct-port 1646 key cisco123

radius-server source-ports 1645-1646

radius-server vsa send authentication

Connect pc to port 23 and not happen nothing.

Re: NAC problem

HarrytheBrain — Tue, 04 Apr 2006 07:37:34 GMT

in my eyes there is no mistake in your switch config.

ist there any entry in the log of your cta, or in the failed attempts of the ACS ?

For example SSL handshake Error or something similar.

Also should check if there is any firewall active on the client (windows firewall for example)

Re: NAC problem

davila_jc — Wed, 05 Apr 2006 21:08:51 GMT

this is the message error in acs:

EAP-TLS or PEAP authentication failed during SSL handshake

this is the switch:

LSW1_Simulacion#sh eou all

-------------------------------------------------------------------------

Address Interface AuthType Posture-Token Age(min)

-------------------------------------------------------------------------

10.215.140.5 FastEthernet0/23 EAP ------- 25

Re: NAC problem

HarrytheBrain — Thu, 06 Apr 2006 07:48:09 GMT

> EAP-TLS or PEAP authentication failed during SSL handshake

ok, thats what i expected.

This means your CTA and the ACS couldn't build the tunnel with the certificate.

For that i would know if your ACS has a self-signed or a certificate from a CA. I think you have one from a CA ??

If so, you surely already have the ACS Certificate installed on the Client.

But now install the CA Certificate too, and try again. (with the mmc snap-in certificates or the content in IE, as root ca of course)

harry

Re: NAC problem

davila_jc — Thu, 06 Apr 2006 12:17:29 GMT

I have the certificate installed in my machine and running.

Re: NAC problem

brford — Sun, 23 Apr 2006 15:42:32 GMT

Is the certificate installed in the user context or the system context? Chances are the certificate ahs been installed by a user other than administrator. You need to use the Microsoft MMC Certificate console to make sure that it's installed in the correct context.

Re: NAC problem

mnlatif — Wed, 26 Apr 2006 20:30:30 GMT

You need to install the ACS Root Certificate (3rd Party Root Certificate, if ACS is using a 3rd Party Certificate) to the Trust Agent Store respository, which is different from the Machine\User repository managed by the MMC Snap-in.

From the Trust Agent directory use

ctaCert.exe /add "c:\" /store "Root"

Naman