CSSC , ACS, CTA, NAC

Hello!
I have recently installed Cisco Secure Services Client to coonect to wireless network, which uses 802.1x authentication (EAP-FAST). Also i have ACS 4.1 in my network.
1) When i'm connecting to Guest1 (for example) SSID (there is no authentication) - everything goes right.
2) When i'm trying to connect to Guest2 SSID (there is authentication and pousture validation) i have this problem:
CSSC says that it is coonecting to the network, then asks me to enter my username and password, and then i can see small window from CTA on the screen (it says "healthy" - so it means, that my conputer passed authentication and posture validation), BUT CSSC still shows "connecting", and i've got CTA "healthy" window, popping up approximately every 15 seconds...then after about 5-6 attempts CSSC status changes to "disconnected". In the ACS "passed authentication" reports, i can see 5-6 strings (they were updated every 15 seconds), that says - authentication OK - but no connection was established. What could be the problem?
Thank you in advance and sorry for my poor english 8)

One more question - is there any alternatives for Cisco Secure Services Client (i need wireless connection with 802.1x authentication, using EAP-FAST)?

Similar Messages

ACS with NAC Server

Can I configure the software ACS on a server NAC ??
Thanks for your help
Escuchar
Leer fonéticamente
Diccionario

Hello
How you want to configure ACS on NAC appliance ? What is your requirement ?
If you want NAC appliance to behave as your ACS server, then the answer is NO.
thanks
Devashree

NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not working???

Hi
I'm trying to setup my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is;
Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)
Cisco 1811 router (inter-vlan routing)
Cisco Secure ACS (90 day trial) 4.2
CTA 2.1.103
CSSC 5.1.0.39
Windows XP SP3 client machine
So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says its waiting for an ip address, it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there is no passes or fails for this host. I know RADIUS is working from this switch as I have it setup for login authentication which works just fine. I am completely stumped and the only thing I can think of is trying to install a full certificate server and going that way, instead of the Self Signed Cert which CSACS has generated and I've copied the .cer file to the client and installed it and verified it is installed with the Certificates MMC. Please, somebody provide some better reading on this matter, or some assistance. Thanks very much.
Jason
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
Client port;
interface FastEthernet0/1
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period server
dot1x reauthentication

You can refer to the below URL for future reference:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/nac.html
http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

ACS with dot1x

Hi all, i am trying to collect infos for a future ACS network management and i have some questions that i can´t find answers.
It is possible to authenticate users in the wired interfaces and redirect them to diferent VLANs based on their attributes?
If any Cisco member have any type of usefull document with configs for ACS plus NAC Apliances (Profiler/Collector) to manage authentications on a switched LAN, i would apreciate sharing.
(I´ve searched alot, but all info are a litle dispersed and i can´t mount the puzzle)
Best Regards,

Hi.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_configuration_examples_list.html
Read specially the topic 'Wired Dot1x Version 1.05 Configuration Guide'
Complication arises mostly on installing certificate to enable PEAP or TLS which are the authentication method you need for dot1x to authenticate using external database i.e. AD

Secure Network Servers (SNS) in ISE version 1.1.4

Hi board,
I'm quite confused about the supported ISE versions for the new Cisco Secure Network Server 3415 and 3495.
In nearly all documents it is stated, that the support for this HW will be introduced with ISE 1.2
For example ISE Q&A
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
What else is being released with ISE 1.2*?
A. Two new hardware platforms called the Cisco Network Secure Servers*. These new servers bring scalability improvement as they are based on the powerful Cisco UCS® C220 Rack Server platform and configured to support the Cisco Identity Services Engine* (ISE), Network Admission Control (NAC), and Access Control System (ACS) security applications. The multiuse Cisco Secure Network Servers offer many improvements over current ISE, ACS, and NAC appliances, and are the platform recommended to deploy newer versions of these applications. During ordering, customers can specify which security application they would like to have installed. See the Product Details section for more information.
On the other hand, in the 1.1.x release notes it's stated, that the HW is supported in the current 1.1.4 release
http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp417581
New Features in Cisco ISE, Release 1.1.4 Cisco ISE, Release 1.1.4 provides support for the Cisco SNS 3400 Series appliance. For details on the installing and configuring the Cisco SNS 3400 Series appliance, refer to the ISE 1.1.4 Installation Guide at the following location:
What is true now? What HW appliance do I chose, if I want to order today?
I don't want to order the old appliances (33xx), because they are already EoL announced:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/eol_C51-728424.html
Thanks!

Hi Johanne,
Cisco ISE software is packaged with your appliance or image for installation. Cisco ISE, Release 1.2 is shipped on the following platforms. After installation, you can configure Cisco ISE with specified component personas (Administration, Policy Service, and Monitoring) or as an Inline Posture node on the platforms.
Supported Hardware and Personas:
Hardware Platform Persona Configuration
Cisco SNS-3415-K9
(small)
Any
•Cisco UCS 1 C220 M3
•Single socket Intel E5-2609 2.4-GHz CPU, 4 total cores, 4 total threads
•16-GB RAM
•1 x 600-GB disk
•Embedded Software RAID 0
•4 GE network interfaces
Cisco SNS-3495-K92
(large)
Administration
Policy Service
Monitor
•Cisco UCS C220 M3
•Dual socket Intel E5-2609 2.4-GHz CPU, 8 total cores, 8 total threads
•32-GB RAM
•2 x 600-GB disk
•RAID 0+1
•4 GE network interfaces
Cisco ISE-3315-K9 (small)
Any
•1x Xeon 2.66-GHz quad-core processor
•4 GB RAM
•2 x 250 GB SATA3 HDD4
•4x 1 GB NIC5
Cisco ISE-3355-K9 (medium)
Any
•1x Nehalem 2.0-GHz quad-core processor
•4 GB RAM
•2 x 300 GB 2.5 in. SATA HDD
•RAID6 (disabled)
•4x 1 GB NIC
•Redundant AC power
Cisco ISE-3395-K9 (large)
Any
•2x Nehalem 2.0-GHz quad-core processor
•4 GB RAM
•4 x 300 GB 2.5 in. SAS II HDD
•RAID 1
•4x 1 GB NIC
•Redundant AC power
Cisco ISE-VM-K9 (VMware)
Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture)
•For CPU and memory recommendations, refer to the "VMware Appliance Sizing Recommendations" section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.7
•Hard Disks (minimum allocated memory):
–Stand-alone—600 GB
–Administration—200 GB
–Policy Service and Monitoring—600 GB
–Monitoring—500 GB
–Policy Service—100 GB
•NIC—1 GB NIC interface required (You can install up to 4 NICs.)
•Supported VMware versions include:
–ESX 4.x
–ESXi 4.x and 5.x
1 Cisco Unified Computing System (UCS)
2 Inline posture is a 32-bit system and is not capable of symmetric multiprocessing (SMP). Therefore, it is not available on the SNS-3495 platform.
3 SATA = Serial Advanced Technology Attachment
4 HDD = hard disk drive
5 NIC = network interface card
6 RAID = Redundant Array of Independent Disks
7 Memory allocation of less than 4GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4GB prior to opening a case with the Cisco Technical Assistance Center.
Please check the following link for fruther information.
https://supportforums.cisco.com/message/3986953#3986953

802.1x wired problems

Hello.
I'm trying to install arch, but I've been stuck on configuring network for a day already.
The point is: I need to connect to the local university network (wired) to be able to connect to the Internet via PPPoE. The university network has PEAP MSCHAPv2 security and I can't connect to it.
I haven't found anything on the forums I hadn't tried so far, so, maybe you can help me find my mistakes.
Here's what I'm doing:
/etc/wpa_supplicant.conf:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=PEAP
phase2="auth=MSCHAPV2"
identity="username"
password="password"
eapol_flags=0
ip link set enp4s0 up
wpa_supplicant -i enp4s0 -B -Dwired -c /etc/wpa_supplicant.conf
dhcpcd enp4s0
pppoe-setup
pppoe-start
Update: I managed to advance a bit further, pppoe-start finally says
. Connected!
But now I can't seem to get DNS to work, since my provider's server won't send one to me. Apart from that, everything seems to work, so I'll just leave this here so other newbies with the same problem would have less trouble lookng for solution.
Last edited by tstheworm (2013-03-21 17:03:49)

Hi Hartmut,
Suggest using CSSC with CTA.
CTA 802.1x supplicant have limitation.
CSSC is free for basic features, advanced features (support wireless) need license.
You may need to un-install CTA with 802.1x supplicant first, follow by install CSSC + CTA (without 802.1x) because CSSC have built-in 802.1x features.
Please take note of the installation sequence. Because if you make mistake about the installation sequence, you may get a error and the thing didn't work.
Hope this help
Thanks

ISE NICs

Do ISE 3355 and 3315 support etherchannel configuration?
And I see that they have four gigabit ethernet NICs, but two of the NICs need add-on cards? Does that mean that only two (out of the available four NICs) are ready to be used without installing any additional card?
Thanks,
Kashish

Kashish,
The ISE nics do not support ethechannel currently, I do not know if there is planned support for this down the road, traditionally Cisco hasnt released any support for NIC configurations on the ACS, or NAC.
Thanks,
Tarik Admani

ISE and PI Integration

Dear All,
What are the configuration required on ISE to integrate with Prime 1.3.0.20?
On PI side, I have added ISE in the below path
Design-> External Management Servers -> ISE Servers.
Apart from this anything else to be done on PI..?
Thanks in advance.

The stuff to do on the ISE is set up as a Radius Server for your client authentication. When ISE acts as a radius server, Prime Infrastructure collects additional information about these clients from Cisco ISE and provides all client relevant information to be visible in a single console on PI.
The point to remember is that PI is a management sloution for wired and wireless clients, while ISE acts as ACS and NAC combined. Recall that ACS on its own could not do posture validation without NAC.
Cheers

ACS / NAC phase 2 / posture validation with symantec AV

Hi,
We encounter problem to implement NAC phase 2 with symantec.
ACS is an appliance one, version 4.0
We?ve installed the Symantec AV pair on the ACS : that?OK.
The following softwares are installed on the client PC:
- Cisco CTA : ctasetup-win-2.0.1.14.exe
- Aegis SecureConnect 2KXP-4_0_4.msi
- Symantec client security posture plug-in.msi together with the associated setup.exe
Moreover, client PC is configured to use EAP-FAST with mschapv2.
We?ve defined an internal posture validation on the ACS.
The first rule of this posture is performed on the following Symantec AV pair: Symantec:AV:Dat-Date days-since-lastupdate.
When the first rule of this posture matches, then the posture token associated (radius authorization component) doesn?t return the associated vlan, so the user must be placed into the vlan associated by default on the port.
The default rule is associated with another authorization component that returns the quarantine vlan.
Problem is that we don?t manage to match on this posture.
It?s as if the client doesn?t send the parameters.
Logs on the ACS indicates the following:
- message type : authen failed
- authen failure code : posture validation failure (general)
- eap type name : EAP-FAST
- reason: no matched required credential types in any posture validation rule
- cisco:PA:OS-type : OK, well retrieved (windows XP professional)
- cisco:Host:ServicePack: OK, well retrieved (service pack 2)
- but none of the Symantec AV could be retrieved.
Symantec indicated to us that their AV server isn?t yet compatible witch ACS.
So external posture validation isn?t possible in our case.
Only internal posture validation should work.
But no way to retrieve Symantec information from CTA.
Thanks in advance for your attention.
Best Regards,
Arnaud

Hi.
Please examine the following directory of client pc. Is Plugins File of Symantec installed?
\Program Files\Common Files\PostureAgent\Plugins
\Program Files\Common Files\PostureAgent\Plugins\Install
Plugin Installation and Upgrade
Each NAC-compliant application is responsible for installing its own posture plugin on end systems.
Plugins for Windows environments are installed in this directory:
\Program Files\Common Files\PostureAgent\Plugins\Install
When CTA receives a posture request, it scans the PostureAgnt\Plugins\Install directory for new or updated posture plugins. If there are new or updated posture plugins in the PostureAgnt\Plugins\Install directory, CTA performs one of the following actions:
" If the .dll plugin does not exist in the PostureAgent\Plugins directory, CTA moves the plugin files from the PostureAgent\Plugins\Install directory to the PostureAgent\Plugins directory.
" If the .dll plugins does exist in the PostureAgent\Plugins directory, then CTA checks to see if the plugin, in the PostureAgent\Plugins\Install directory, is newer than the one in the Plugins directory. CTA then moves the newer plugin to the PostureAgent\Plugins directory and overwrites the older one. If the plugin in the PostureAgent\Plugins\Install directory is older than the one in the Plugins directory, CTA deletes it, and continues to use the original plugin.
" If the plugin creates an error during registration, CTA moves the plugin to the following directory (if the logging is enabled, the error information is logged):
http://www.cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870db.html
best regards,
sahase

CSSC 4.05 and CTA 2.0.14

Hi,
Does anyone use 802.1x in combination with NAC framework and see 'invalid protocol data' messages in ACS (4.01)?
We see this appear when we run it in parallel, when we deactivate the NAC policy in ACS or shut down the CTA services om the client PC 802.1x it works ok.

Yes, we are having it on one XP. It was working before, but suddenly it stopped working. We uninstalled nad re-installed, but with no luck. Cisco CTA has no answer yet.
ACS SE : 4.0(1)
CTA: 4.0.2(4423)
thanks,
Audie

ACS NAC and VPN

I am trying to set up NAC using ACS 4.1 and a VPN concentrator 3015 using 4.7.2K. I have had it working before using 3.3 and 4.0, but had to wipe out my server because of some issues. This is all in test, but I would like to complete this soon.
Is there some document out there that will allow me to see examples of this setup? I have googled it and checked on Cisco, but the examples are normally IOS specific. Any help would be appreciated.
Thanks
Dwane

Refer to the link to the NAC Phase One whitepaper which is the best guide to configuring NAC at the moment.
The document was released prior to NAC introduction on the VPN concentrator, but all the ACS and CTA configuration is valid.
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_0900aecd80217e26.pdf
also refer these links to know more info about VPN concentrator with NAC:
http://www.cisco.com/warp/public/471/vpn3k-nac-config-471.html
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee22f.html#wp1652431

Authentication failed using EAP-TLS and CSSC against ACS

Hi.
Playing with a trial version of CSSC (Cisco secure services client) I had a problem that really I don´t understand.
Any 802.1x configuration work fine but when I use anything involving the use of certificates (EAP-TLS or PEAP using a certificate instead a password to autenticate) I always see the same log message in ACS:
"Authen session timed out: Challenge not provided by client" It seems that my client supplicant does not repond to the ACS when the first one proposed an EAP method.
First I discart a certificate error because the same certificate works fine with Intel Proset Wireless supplicant and Windows Zero Configuration. EAP Fast works fine using auto provisioning or manual provisioning.
Any idea? I red the CSSC administration guide but I did not find anything that explains this behaviour or defines the right configuration for this EAP method.
I´m using Windows XP SP3, Intel Wireless 4965AGN and CSSC 5.1.1.18; My CA is a Windows CA.ACS version 4.2
Thanks in advanced.
Best regards.

Today is not mmy day.
It´s still failing and maybe I will open a TAC case.
I´m looking at the log file of the CSSC and I don´t like what I have seen.
2125: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-6-INFO_MSG: %[tid=344][mac=1,6,00:1d:e0:9f:05:ef]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP suggested by server: leap
2126: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-6-INFO_MSG: %[tid=2044][mac=1,6,00:1d:e0:9f:05:ef]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP requested by client: eapTls
2127: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP methods sent : sync=8
2128: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, response sent : sync=8
2129: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Authentication state transition: AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION -> AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED
2130: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Credential callback, type=AC_CRED_SERVER_VERIFY, sync=9
2131: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Calling acCredDeferred
2132: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request deferred : sync=9
2133: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Server verification sent : sync=9
2134: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, response sent : sync=9
2135: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Credential callback, type=AC_CRED_USER_CERT, sync=10
2136: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Calling acCredDeferred
2137: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request deferred : sync=10
2138: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Impersonating user
2139: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Loading client certificate private key...
2140: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Calling acCertLoadPrivateKey()...
2141: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: ...acCertLoadPrivateKey() returned
2142: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 204, contact software manufacturer
2143: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: acCertLoadPrivateKey() error -20 [c:\acebuild\bldrobot_cssc_5.1.1.21_view\monadnock\src\ace\certificate\certificateimpl.cpp:239]
2144: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 4, contact software manufacturer
2145: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: CssException for function 'acCertLoadPrivateKey' => -20{error} [certificateimpl.cpp:240]
2146: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 7, contact software manufacturer
2147: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Assertion 'CSS exception - should this be logged instead?' failed at [cssexception.cpp:114]
2148: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Client certificate private key has not been loaded
2149: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Deimpersonating user
2150: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Client certificate 239f43fdcde8e190540fab2416253c5660c0d959 has been processed: ERR_INTERNAL_ERROR(7)
2151: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Certificate 239f43fdcde8e190540fab2416253c5660c0d959 is unusable
2152: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, no response sent : sync=10
2153: portable-9b7161: oct 28 2010 20:34:30.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
2154: portable-9b7161: oct 28 2010 20:34:32.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
2155: portable-9b7161: oct 28 2010 20:34:34.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
It seems that It found a valid certificate, starts the Authentication proccess and when it must request the ACS challenge it fails when loading the private key and crash the supplicant
Do you think the same??
Thanks.
Best Regards.

Wired WebAuth only with NAC Guest Server (No ACS)

Ok, I have been fighting this for two days now. I want to use the webauth function on some of our Cisco 3750Gs ver
12.2(55)SE5 for guest access. I'm trying to use our NAC Guest Server ver: 2.0.3 as the backend portal and Radius server. We do not have ACS or any of the other components of ISE or NAC. I think the issue is the NGS server is not sending the d(ACL) back to switch. Guest work work fine from our WLCs.
switch debug: No Attributes in swtich debug
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Config NAS IP: 199.46.201.26
Mar 22 12:56:00.448 CDT: RADIUS/ENCODE(0000030C): acct_session_id: 1012
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): sending
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Send Access-Request to 10.199.33.20:1812 id 1645/19, len 177
Mar 22 12:56:00.448 CDT: RADIUS: authenticator 99 95 59 55 09 A9 D9 E1 - 2B 01 90 36 1B 8A 41 92
Mar 22 12:56:00.448 CDT: RADIUS: User-Name           [1]   20 "[email protected]"
Mar 22 12:56:00.448 CDT: RADIUS: User-Password       [2]   18 *
Mar 22 12:56:00.448 CDT: RADIUS: Framed-IP-Address   [8]   6   199.46.201.231
Mar 22 12:56:00.448 CDT: RADIUS: Service-Type        [6]   6   Outbound                  [5]
Mar 22 12:56:00.448 CDT: RADIUS: Message-Authenticato[80] 18
Mar 22 12:56:00.448 CDT: RADIUS:   A2 57 B5 F2 A6 FB 46 71 D0 EA 26 54 95 90 F4 D0             [ WFq&T]
Mar 22 12:56:00.448 CDT: RADIUS: Vendor, Cisco       [26] 49
Mar 22 12:56:00.448 CDT: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=C72EC91A000002FC0A6CD698"
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port            [5]   6   50106
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port-Id         [87] 22 "GigabitEthernet1/0/6"
Mar 22 12:56:00.448 CDT: RADIUS: NAS-IP-Address      [4]   6   199.46.201.26
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Started 5 sec timeout
Mar 22 12:56:01.454 CDT: RADIUS: Received from id 1645/19 10.199.33.20:1812, Access-Reject, len 20
Mar 22 12:56:01.454 CDT: RADIUS: authenticator 92 98 05 84 6E 4B CF DD - B5 D7 90 25 10 59 7B E7
Mar 22 12:56:01.454 CDT: RADIUS(0000030C): Received from id 1645/19
NGS log:
rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177
    User-Name = "[email protected]"
    User-Password = "5rRmpPt9"
    Framed-IP-Address = 199.46.201.231
    Service-Type = Outbound-User
    Message-Authenticator = 0xa257b5f2a6fb4671d0ea26549590f4d0
    Cisco-AVPair = "audit-session-id=C72EC91A000002FC0A6CD698"
    NAS-Port-Type = Ethernet
    NAS-Port = 50106
    NAS-Port-Id = "GigabitEthernet1/0/6"
    NAS-IP-Address = 199.46.201.26
+- entering group authorize {...}
[radius-user-auth]     expand: %{User-Name} -> [email protected]
[radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9
[radius-user-auth]     expand: %{NAS-IP-Address} -> 199.46.201.26
[radius-user-auth]     expand: %{Calling-Station-Id} ->
Exec-Program output:                          Note: no attributes here
Exec-Program: returned: 1
++[radius-user-auth] returns reject
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Similar debug from NGS but auth request from WLC: See attributes are sent to wlc although not needed
rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152
    User-Name = "[email protected]"
    User-Password = "5rRmpPt9"
    Service-Type = Login-User
    NAS-IP-Address = 10.100.16.100
    NAS-Port = 13
    NAS-Identifier = "ICTWLC01"
    NAS-Port-Type = Ethernet
    Airespace-Wlan-Id = 514
    Calling-Station-Id = "10.198.12.211"
    Called-Station-Id = "10.100.16.100"
    Message-Authenticator = 0xc9383e767f0c228a2b8a0ece7069f366
+- entering group authorize {...}
[radius-user-auth]     expand: %{User-Name} -> [email protected]
[radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9
[radius-user-auth]     expand: %{NAS-IP-Address} -> 10.100.16.100
[radius-user-auth]     expand: %{Calling-Station-Id} -> 10.198.12.211
Exec-Program output: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
Exec-Program-Wait: plaintext: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
Exec-Program: returned: 0
++[radius-user-auth] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
[sql]     expand: %{User-Name} -> [email protected]
[sql] sql_set_user escaped user --> '[email protected]'
[sql]     expand: %{User-Password} -> 5rRmpPt9
[sql]     expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 12
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released sql socket id: 12
++[sql] returns ok
Sending Access-Accept of id 22 to 10.100.16.100 port 32770
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.100.16.100 port 32770, id=30, length=170
config:
aaa new-model
aaa authentication login default group radius
aaa authentication login console group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ none
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
ip device tracking
ip auth-proxy auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
ip auth-proxy proxy http login expired page file flash:expired.html
ip auth-proxy proxy http login page file flash:login.html
ip auth-proxy proxy http success page file flash:success.html
ip auth-proxy proxy http failure page file flash:failed.html
ip admission auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
ip admission proxy http login expired page file flash:expired.html
ip admission proxy http login page file flash:login.html
ip admission proxy http success page file flash:success.html
ip admission proxy http failure page file flash:failed.html
ip admission name web-auth-guest proxy http inactivity-time 60
dot1x system-auth-control
identity policy FAILOPEN
access-group PERMIT
interface GigabitEthernet1/0/6
switchport access vlan 301
switchport mode access
ip access-group pre-webauth-guest in
no logging event link-status
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust dscp
no snmp trap link-status
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
ip admission web-auth-guest
ip http server
ip http secure-server
ip access-list extended PERMIT
permit ip any any
ip access-list extended pre-webauth-guest
permit udp any any eq bootps
permit udp any any eq domain
permit tcp any host 10.199.33.20 eq 8443
permit tcp any host 10.199.33.21 eq 8443
permit tcp any host 10.100.255.90 eq 8443
deny   ip any any log
ip radius source-interface Vlan301
radius-server attribute 8 include-in-access-req
radius-server dead-criteria tries 2
radius-server host 10.199.33.20 auth-port 1812 acct-port 1813 key 7 022E5C782C130A74586F1C0D0D
radius-server vsa send authentication
I get the login and AUP page then the failed page... I never see the priv-lvl 15 or the proxyacl? How do I do this with Guest server only?
Help!

Without the ACS, only with the NAC guest is possible?
They can send me sample configuration?

NAC Framework - NAC-L2-802.1x without CSSC client?

Hi
I'm just wondering if it is possible to do NAC-L2-802.1x without the use of the CSSC client? I've managed to get this working with the CSSC client with no problems, but have been having nothing but problems trying to get this working without. This client software is pretty expensive and if it is possible to get around using it, that'd be great. Thanks for any info.
Jason

You can do 802.1x without CSSC, you cannot support remediation without it however. 802.1x by itself allows you authentication, and dynamic VLAN assignment.

Is ACS required in NAC appliance.

Hi,
One of our clients have decided to implement NAC. They need to know what the various options are especially the NAC appliance (3310 etc). I read that the appliance is a device like a server which has hard disks, cd roms etc. But the documents dont say much about the configuration of the server , whether ACS is required to be installed on the server etc? Can we do port based 802.1x with the help of this device (like dynamically assigning a host to a particular vlan is OS/anti virus is not update?
Thx in advance.
Sonu

NAC appliance willl work with many authentication methods. NAC Framework requires ACS. Getting back to the NAC appliance.... You can use ACS/RADIUS/LDAP/etc.. to authenitcate the users.
THe Appliance will work with Patch Management (after authentication) to insure that tthe right apoplications and patch levels are met. We work with Altiris/BigFIX/Patch Link/SMS and more.
The great thing about NAC Appliace is that it works for all four major use cases:
1. VPN users
2. WIFI users
3. LAN/wired users
4. GUest/vistors
We can
1. authenticate
2. Posture assess (scan)
3. Quarantine/
4. Remediate
You don't want users to have to learn three different ways to connect to the netowrk.
802.1x is working for WIFI today and for LAN conections we use one user per port so they get the whole pipe. In the future we will support subdivision of a Access Switch port for multiple devices and users.
I hope this helps.

CSSC , ACS, CTA, NAC

Similar Messages

Maybe you are looking for