NAC - NAD not querying ACS etc

marcbutler
Level 1

Hi

I have been reading the threads on NAC, but only one of them was similar to my issue. Unfortunately, the suggestions in there did not work. Hence this post.

SCENARIO: I am setting up a test lab for NAC deployment for one of our clients. I am using the following devices:

NAD - Cisco 2811 with 12.4(5) Advanced IP Services (see below)

AAA Policy Server - Cisco ACS 3.3(1)

AV Policy Server - Trend Micro OfficeScan 6.5

Client - CTA v1.0

Simple setup - 2 subnets, client on one (connected via crossover directly to fa0/1 of the router), subnet y.y.y.X, trying to gain access to z.z.z.X subnet. IP admission statement and default ACL on fa0/1 (client side) with the following statements for the radius server:

aaa authentication eou default enable group radius

radius-server host a.b.c.d auth-port 1645 acct-port 1646

radius-server key xxxxxxxxx

IP admission statement for NAC:

ip admission name TEST eapoudp inactivity-time 60 list 101

where list 101 specifies traffic from anywhere trying to get to z.z.z.X subnet.

PROBLEM:

Here is an output of the debug that I have been getting:

*Nov 4 17:31:20.319: eou_auth 192.168.50.100: during state eou_hello, got event 5(eouHelloResponse)

*Nov 4 17:31:20.319: @@@ eou_auth 192.168.50.100: eou_hello -> eou_client

*Nov 4 17:31:20.319: %EOU-6-CTA: IP=192.168.50.100| CiscoTrustAgent=DETECTED

*Nov 4 17:31:20.319: eou-ev:192.168.50.100: msg = 21(eventEouEapStart)

*Nov 4 17:31:20.319: eou_auth 192.168.50.100: during state eou_client, got event 12(eouEapStart)

*Nov 4 17:31:20.319: @@@ eou_auth 192.168.50.100: eou_client -> eou_client

*Nov 4 17:31:20.319: eou-ev:Starting Retransmit timer 3(192.168.50.100)

*Nov 4 17:31:20.319: EAPoUDP (tx) Flags:0 Ver=1 opcode=3 Len=25 MsgId=3518633116 Assoc ID=1213161541

*Nov 4 17:31:20.319: Dumping TLV contents

*Nov 4 17:31:20.319: TLV M:1 R:0 Type=COOKIE PAYLOAD Length=12

3F8E59A0: 1B1DCAE0 C96300AA 747FE33A ..J`Ic.*t.c:

3F8E59B0:

*Nov 4 17:31:20.323: TLV M:1 R:0 Type=EAP Payload Length=5

*Nov 4 17:31:20.323: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1

3F8E59B0: 01010005 01 .....

*Nov 4 17:31:20.323: EAPoUDP (rx) Flags:128 Ver=1 opcode=3 Len=9 MsgId=3518633116 Assoc ID=454937312

*Nov 4 17:31:20.323: Dumping TLV contents

*Nov 4 17:31:20.323: TLV M:1 R:0 Type=EAP Payload Length=5

*Nov 4 17:31:20.323: EAP code: 0x2 id: 0x1 length: 0x0005 type: 0x1

3F4004C0: 02010005 01 .....

*Nov 4 17:31:20.323: eou_auth 192.168.50.100: during state eou_client, got event 14(eouEapResponse)

*Nov 4 17:31:20.323: @@@ eou_auth 192.168.50.100: eou_client -> eou_server

*Nov 4 17:31:20.323: eou-ev:Starting AAA timer 60(192.168.50.100)

*Nov 4 17:31:20.327: eou_auth 192.168.50.100: during state eou_server, got event 17(eouAuthServerFail)

*Nov 4 17:31:20.327: @@@ eou_auth 192.168.50.100: eou_server -> eou_fail

*Nov 4 17:31:20.327: %EOU-6-AUTHTYPE: IP=192.168.50.100| AuthType=EAP

The line "during state eou_server, got event 17(eouAuthServerFail)" is what is worrying me. I do a show aaa server and find no attempts are made to send to the ACS. I turn on Network Monitor on the ACS and there are no packets sent from the NAD to the ACS, not even broadcast. They are both on the same subnet.

I am scratching my head a fair bit with this one now. Can anyone point me in the correct direction?

PS I have tried several different versions of IOS, all of which say they support NAC and have no advisories against them that refer to NAC.
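One way to read a `debug eou` trace like the one above methodically, as an added example that is not part of the original post: parse the per-client state machine lines, decode the EAP headers from the hex dumps, and measure how long after "Starting AAA timer" the `eouAuthServerFail` event arrives. The sample log embedded in the script is the debug output posted above; the function names, regexes and the timing heuristic are my own. The heuristic is simple: a 60-second AAA timer that is followed by a server-fail event a few milliseconds later cannot be a RADIUS timeout, so the NAD gave up locally before any request left the box, which is consistent with `show aaa servers` and the packet capture both showing nothing.

```python
"""Analyse Cisco IOS 'debug eou' output: per-client EAPoUDP state transitions,
EAP headers decoded from the hex dumps, and a check on whether the AAA failure
came before the AAA timer could have expired. Added example; the log text is
copied from the forum post, the analysis code is not Cisco's."""
import re
from collections import defaultdict

# Constructed sample input: the debug lines posted in the thread.
SAMPLE_LOG = """\
*Nov 4 17:31:20.319: eou_auth 192.168.50.100: during state eou_hello, got event 5(eouHelloResponse)
*Nov 4 17:31:20.319: @@@ eou_auth 192.168.50.100: eou_hello -> eou_client
*Nov 4 17:31:20.319: %EOU-6-CTA: IP=192.168.50.100| CiscoTrustAgent=DETECTED
*Nov 4 17:31:20.319: eou-ev:192.168.50.100: msg = 21(eventEouEapStart)
*Nov 4 17:31:20.319: eou_auth 192.168.50.100: during state eou_client, got event 12(eouEapStart)
*Nov 4 17:31:20.319: @@@ eou_auth 192.168.50.100: eou_client -> eou_client
*Nov 4 17:31:20.319: eou-ev:Starting Retransmit timer 3(192.168.50.100)
*Nov 4 17:31:20.319: EAPoUDP (tx) Flags:0 Ver=1 opcode=3 Len=25 MsgId=3518633116 Assoc ID=1213161541
*Nov 4 17:31:20.319: Dumping TLV contents
*Nov 4 17:31:20.319: TLV M:1 R:0 Type=COOKIE PAYLOAD Length=12
3F8E59A0: 1B1DCAE0 C96300AA 747FE33A ..J`Ic.*t.c:
3F8E59B0:
*Nov 4 17:31:20.323: TLV M:1 R:0 Type=EAP Payload Length=5
*Nov 4 17:31:20.323: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
3F8E59B0: 01010005 01 .....
*Nov 4 17:31:20.323: EAPoUDP (rx) Flags:128 Ver=1 opcode=3 Len=9 MsgId=3518633116 Assoc ID=454937312
*Nov 4 17:31:20.323: Dumping TLV contents
*Nov 4 17:31:20.323: TLV M:1 R:0 Type=EAP Payload Length=5
*Nov 4 17:31:20.323: EAP code: 0x2 id: 0x1 length: 0x0005 type: 0x1
3F4004C0: 02010005 01 .....
*Nov 4 17:31:20.323: eou_auth 192.168.50.100: during state eou_client, got event 14(eouEapResponse)
*Nov 4 17:31:20.323: @@@ eou_auth 192.168.50.100: eou_client -> eou_server
*Nov 4 17:31:20.323: eou-ev:Starting AAA timer 60(192.168.50.100)
*Nov 4 17:31:20.327: eou_auth 192.168.50.100: during state eou_server, got event 17(eouAuthServerFail)
*Nov 4 17:31:20.327: @@@ eou_auth 192.168.50.100: eou_server -> eou_fail
*Nov 4 17:31:20.327: %EOU-6-AUTHTYPE: IP=192.168.50.100| AuthType=EAP
"""

TS_RE = re.compile(r"^\*\w{3} +\d+ (\d+):(\d+):(\d+)\.(\d+):")
TRANSITION_RE = re.compile(r"@@@ eou_auth (\S+): (\w+) -> (\w+)")
EVENT_RE = re.compile(r"eou_auth (\S+): during state \w+, got event \d+\((\w+)\)")
AAA_TIMER_RE = re.compile(r"Starting AAA timer (\d+)\((\S+)\)")
HEXDUMP_RE = re.compile(r"^[0-9A-F]{8}:\s*(.*)$")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}   # RFC 3748
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 25: "PEAP"}


def timestamp_ms(line):
    """Time of day in milliseconds from an IOS debug timestamp, or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    h, mi, s, ms = (int(x) for x in m.groups())
    return ((h * 3600 + mi * 60 + s) * 1000) + ms


def hexdump_bytes(line):
    """Raw bytes from an IOS hex dump line; stops at the trailing ASCII gloss."""
    m = HEXDUMP_RE.match(line)
    if not m:
        return None
    out = bytearray()
    for tok in m.group(1).split():
        if not re.fullmatch(r"[0-9A-F]{2,8}", tok) or len(tok) % 2:
            break                      # first non-hex token is the ASCII gloss
        out += bytes.fromhex(tok)
    return bytes(out)


def decode_eap(raw):
    """Decode the EAP header: code, identifier, length, and for Request/Response the type."""
    if len(raw) < 4:
        return None
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(raw) >= 5:
        info["type"] = EAP_TYPES.get(raw[4], raw[4])
        info["data"] = raw[5:length]   # Identity payload; empty in this trace
    return info


def analyse(log):
    """Build a per-client summary of the state machine, EAP packets and AAA timing."""
    clients = defaultdict(lambda: {"transitions": [], "events": [], "eap": [],
                                   "aaa_timer_secs": None, "aaa_started_ms": None,
                                   "server_fail_ms": None, "elapsed_ms": None})
    last_ip, expect_eap = None, False
    for line in log.splitlines():
        if expect_eap:                 # the dump line that follows "EAP code:"
            raw = hexdump_bytes(line)
            if raw and last_ip:
                clients[last_ip]["eap"].append(decode_eap(raw))
            expect_eap = False
        ts = timestamp_ms(line)
        if (m := TRANSITION_RE.search(line)):
            last_ip = m.group(1)
            clients[last_ip]["transitions"].append((m.group(2), m.group(3)))
        if (m := EVENT_RE.search(line)):
            last_ip = m.group(1)
            clients[last_ip]["events"].append(m.group(2))
            if m.group(2) == "eouAuthServerFail":
                clients[last_ip]["server_fail_ms"] = ts
        if (m := AAA_TIMER_RE.search(line)):
            last_ip = m.group(2)
            clients[last_ip]["aaa_timer_secs"] = int(m.group(1))
            clients[last_ip]["aaa_started_ms"] = ts
        if "EAP code:" in line:
            expect_eap = True
    for c in clients.values():
        if c["aaa_started_ms"] is not None and c["server_fail_ms"] is not None:
            c["elapsed_ms"] = c["server_fail_ms"] - c["aaa_started_ms"]
    return clients


def diagnose(client):
    """Immediate failure vs. timer expiry: my heuristic, not an IOS message."""
    if client["server_fail_ms"] is None:
        return "no eouAuthServerFail seen"
    if client["elapsed_ms"] is None:
        return "eouAuthServerFail without a preceding AAA timer"
    budget_ms = client["aaa_timer_secs"] * 1000
    if client["elapsed_ms"] < budget_ms // 2:
        return (f"immediate failure: {client['elapsed_ms']} ms after a "
                f"{client['aaa_timer_secs']} s AAA timer started; not a RADIUS "
                f"timeout, the NAD never waited for a server")
    return f"failure after {client['elapsed_ms']} ms: consistent with the AAA timer expiring"


if __name__ == "__main__":
    for ip, c in analyse(SAMPLE_LOG).items():
        print(ip, " -> ".join(s for s, _ in c["transitions"]) + " -> " + c["transitions"][-1][1])
        for p in c["eap"]:
            print("  EAP", p)
        print("  ", diagnose(c))
```

Run against the trace above it reports one client walking `eou_hello -> eou_client -> eou_server -> eou_fail`, a Request/Identity and a Response/Identity pair with an empty identity payload, and a 4 ms gap between the 60 s AAA timer starting and the server-fail event, which is the diagnosis the post's `show aaa servers` counters and the capture already hint at.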

3 Replies

axfood
Level 1

Hello

I have tried the same thing and I can tell I had a problem with the CTA certificate (PEAP) to ACS.

Look in the ACS Failed Attempts for an SSL error.

Thanks for your reply, axfood.

I checked the ACS, and I did not see any failed attempts for SSL error. In fact, I do not see any failed attempts at all (probably related to the fact that the network monitor is not showing any packets coming from the router (NAD) to the ACS).

I also think it has something to do with the CTA certificate, but just trying to work out what it is and how to fix it!!!!!!!

Hi All

OK, well, I have gone back to basics with my NAC configuration. But I am still encountering the same errors. I am attaching a copy of my router config (with all the sensitive info blotted out).

Can anyone help? I am pretty sure that I have got all the correct certificates in the correct places and have got the policy server and the officescan server set to go. But, it never seems to get that far!! There always seems to be something that is stopping the router from sending anything to the AAA server. If anyone can point out my stupid mistake (if there is one) I would be most grateful!

Rgds

Marc