NAC > invalid protocol data

koksm
Level 1

Hi,

We are running 802.1x with a customer, using Cat2950's, ACS 4.01 and the Meetinghouse Aegis supplicant. On top of all this we authenticate against Microsoft AD and do dynamic VLAN assignment.

This all works fine.

Last Friday we implemented L2 NAC (CTA 2.0.0.30), and at first it seemed to work great. But on Monday morning a lot of problems were reported. The ACS log showed lots of 'invalid protocol data' messages and some 'CS user unknown'. Strange, because we do not have users stored in the ACS itself, only dynamic ones.

Has anyone encountered these messages in an implementation like this?

9 Replies

Hi,

We're starting to deploy NAC 802.1X, also with ACS 4 and the Aegis supplicant.

I've noticed the same kind of error messages.

Did you receive any input since your first post?

Thanks in advance for your attention.

Best Regards,

Arnaud

lmilher_2
Level 1

Hi friend, I have the same problem. 2950, ACS 4.0, CTA 2.1, NAC 802.1x and Trend Micro antivirus. Using internal posture validation in the ACS everything is OK, but when I change to external posture validation with the Trend Micro policy server the message "invalid protocol data" appears. I can't find what this error is and I can't think where the problem is. When this happens I can see the user in the ACS logs, but nothing about NAC..... Can you help us??

Thanks and regards.

Leo.

Hi, we eventually found out what the cause of the problem was. We opened a TAC case for it.

The problem is caused by (too) much data which has to be sent from the CTA agent to the ACS server. There is a timeout that kicks in which cannot be modified in the older CTA versions.

The solution is to install the latest CTA agent. After installation, in the install dir of this agent you will see a file called CTAD.INI. You have to modify the value of PPWaitTimeout.

It looks like this:

;The PPWaitTimeout parameter represents the maximum time allowed, in seconds, to complete the processing of all plug-ins.

; Default value: 5 seconds

; Range of values: 1 - 300 seconds

PPWaitTimeout=10

The number of seconds is something that you have to try out. Don't forget to remove the ; when you modify the setting...

Hope this helps...
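An added example (not from this thread or from Cisco): a small checker for the PPWaitTimeout line in CTAD.INI, covering the pitfall mentioned above (leaving the leading ';' keeps the line a comment, so the 5-second default still applies) and the documented 1-300 second range. It assumes CTAD.INI is a plain INI-style file with ';' comments, as in the fragment quoted in the reply; the sample input is constructed.

```python
import re

DEFAULT_TIMEOUT = 5      # seconds, per the comment quoted in the thread
VALID_RANGE = (1, 300)   # seconds, per the comment quoted in the thread
KEY = "ppwaittimeout"


def effective_pp_wait_timeout(ini_text: str) -> dict:
    """Return the timeout CTA would actually use, and why.

    Result keys: 'value' (int), 'source' ('setting' or 'default') and
    'problems' (list of str). A line starting with ';' is a comment and
    does not change the setting, which is the mistake this check catches.
    """
    problems = []
    value, source = DEFAULT_TIMEOUT, "default"
    for lineno, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith(";")
        body = line.lstrip(";").strip()
        m = re.match(r"([A-Za-z]+)\s*=\s*(.*)$", body)
        if not m or m.group(1).lower() != KEY:
            continue  # not a PPWaitTimeout key=value line (e.g. descriptive comments)
        if commented:
            problems.append(f"line {lineno}: PPWaitTimeout is still commented out (leading ';')")
            continue
        try:
            n = int(m.group(2))
        except ValueError:
            problems.append(f"line {lineno}: PPWaitTimeout value {m.group(2)!r} is not an integer")
            continue
        lo, hi = VALID_RANGE
        if not lo <= n <= hi:
            problems.append(f"line {lineno}: PPWaitTimeout={n} is outside {lo}-{hi} seconds")
            continue
        value, source = n, "setting"
    return {"value": value, "source": source, "problems": problems}


# Constructed sample: the fragment from the thread with the ';' left in place,
# so CTA would silently keep the 5-second default.
SAMPLE_STILL_COMMENTED = """;The PPWaitTimeout parameter represents the maximum time allowed, in seconds.
; Default value: 5 seconds
; Range of values: 1 - 300 seconds
;PPWaitTimeout=10
"""

if __name__ == "__main__":
    print(effective_pp_wait_timeout(SAMPLE_STILL_COMMENTED))
```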

Hi, I edited the file ctad-temp.ini and changed this value:

PPWaitTimeout=10

Later I renamed ctad-temp.ini to ctad.ini and restarted the service, but "invalid protocol data" is still there.

I think you are right, but maybe I am missing something to make it work. Can you tell me anything more to do??????

I am out of options, I can't think how to solve this problem.

Take care, and so many thanks for your help.

Leo

; Default value: 5 seconds

; Range of values: 1 - 300 seconds

PPWaitTimeout=20

Hi Leo,

Which version of CTA are you using now?

Hi, I have

cta 2.1.103 with supplicant

acs 4.0.1.27

win xp sp 2

cat 2950 with c2950-i6q4l2-mz.121-22.EA9.bin

trend micro officescan 7.3

Yesterday I moved my ACS and antivirus server, which work fine in my network, to the customer and the problem appeared again. I think you are right about the problem being in the CTA, but how to solve it....... If you have anything to test, please send it to me. I will test my ACS and antivirus in my network again and maybe open a TAC case.

Thanks and regards for your time and help.

Leo.

lmilher_2
Level 1

My friend, please could you send me your tuned ctad.ini?? I found that the problem is the Windows hotfixes; there are so many of them (like you say, so much data). If I delete some of them everything is OK. Now I have a problem modifying the ctad.ini and making it work....

Thank you so much from Argentina.

Hi,

The info I emailed earlier was from my actual modified ctad.ini. We did set the timer to 10 seconds, which was enough.

I think you may be right in suspecting the large number of Windows security patches to be the cause of the problem.

Just raise the seconds in the timeout section and see if it helps.

If you still want my CTAD.INI file, send me an e-mail so I can reply and attach it. My e-mail address should be in my profile.

Thanks, Marcel, don't worry about the ctad file. Your info was very helpful. I think I have another kind of the same problem, but I can't fix it with the timeout. My PCs have nearly 70 hotfixes; if I delete 30 of them from the registry everything works fine. That is the reason why one machine fails first and later another, at the time that machine updates its OS.

Take care and thanks again.

Leo.
