
NAC - CTA problem

biao.jiang
Level 1

I am testing NAC. CTA 1.0.55 is installed on the client side, and the Cisco Trust Agent and Cisco Trust Agent Event Logging Service are started. But from the NAD, when I debug eou all, I always get "CiscoTrustAgent=NOT DETECTED". What could be wrong?

10 Replies

pcomeaux
Cisco Employee

I've seen Personal Firewalls, like the one in XP SP2, block CTA acting as a server, listening on its UDP port.

Take a look there first and let us know.

thanks

peter

Thanks Peter, it was my XP firewall blocking CTA traffic, so I just turned off the firewall. However, I still have a problem with NAC. After I installed the CTA, I installed McAfee VirusScan Enterprise 8.0.0, but the posture plug-in was not installed in "C:\Program Files\Common Files\Cisco Systems\CiscoTrustAgent\Plugins", so I got "eou_fail" on the NAD. Hope you can help me out.

If you install McAfee first, then the CTA, does it work? I know that CSA will prevent McAfee from modifying the trust agent plugin (unless there is an exception) but I don't know if the CTA protects itself in the same manner.

Tom

According to the Cisco document "Implementing NAC - Phase one configuration and deployment", you have to install CTA first before you install any NAC applications. Actually, I tested it last week, and everything was OK except that I could not redirect the traffic to an outside URL (the McAfee update URL).

Hi Biao,

Please let me know what further assistance you need at this point based on the additional information you received from the other poster.

thanks

peter

So you tested installing it in that order last week and everything worked except updating from McAfee?

Sorry if I don't understand you correctly.

Tom

Correct. I tested last week, and it did work. This week we just deployed XP SP2, and the firewall blocked the EAP traffic, so I just turned off the firewall on the laptop. The EAP traffic could go through, but it showed eou_fail on the NAD. I did not change anything on the ACS and NAD.

Please let us know if you are seeing any error messages under Failed Attempts on the ACS server which correspond to the EOU_FAIL on the NAD.

thanks

peter

Hi Peter,

I took off the Mandatory Credential Type from the External User Databases (before, I had "NAI:AV" in the Selected Credentials), and I got eou_authenticated on the NAD. But I still have a problem: I cannot redirect traffic to the URL I configured on the ACS.

I was wondering if I could send a snapshot of my ACS through email, so you can check to see if my configuration was wrong.

Thanks,

ok - you can e-mail me at pgc@cisco.com with pics of the ACS server config, including download ACL config in ACS and the IOS config on your router.

thanks

peter
