Hi Peter Comeaux,
Referring to the NAC setup in my diagram, after I placed the client on the same side as ACS and Trend Servers, I made the following modifications to the previously working router config:
--------------------------------------
!
identity profile eapoudp
device authorize ip-address policy exemptpol
device authorize ip-address policy exemptpol
identity policy exemptpol
access-group exempt-acl
!
!
interface FastEthernet0/0
description --- Server-side network ---
ip access-group 110 in
ip admission TEST-NAC
!
!
ip access-list extended exempt-acl
permit ip any any
!
access-list 110 permit ip any any log-input
!
--------------------------------------
I turned on the following debug commands on the router and enabled CTA logging ("ctalogd enable") on the Win2K notebook.
- debug eou all
- debug radius authentication
- debug radius brief
- debug eap all
When the Win2K notebook continuously pinged the host on the other side of the router, the following were observed:
(1) The pings got thru (because of ACL 110) but there was no debug output at all.
(2) "show eou all" showed no entries.
(3) The CTA log file on the Win2K notebook did not have any new logs.
(4) No entries in Passed Authentications or Failed Attempts logs on ACS.
(5) No entries in Client Validation Log on Trend Policy Server.
(6) "clear eou all" and "clear ip admission cache *" did not help.
Is this some sort of known limitation of NAC, i.e client cannot be on the same side as ACS & Trend servers? Are you able to confirm this? Most of the NAC examples on Cisco website show the client on different network from the servers.
Attached is NAC Operational Detail which I hope it can give you more clues. I'm not able to explain the lab results based on the theory.
Please help.
Thank you.
B.Rgds,
Lim TS
