Putting them in every store is a pain and time consuming, as you seem to have to do one at a time. So I think we would all like to avoid that at all costs. If you look through the Proctor guide solution section 5.10, there's a nice page that lists them for you. I remembered I had to do them but missed 2 of them (Trusted Root CA Store), and ended up with endless failures on the ACS logs:

EAP-TLS or PEAP authentication failed during SSL handshake

This seems to point to a certificate issue, but who the hell knows where from that message. So obviously I went through getting new certs for the ACS and the XP machine and reinstalling the CA chain. It only started to work once the CA chain was in all 6 stores on the XP machine. Bummer really, considering I couldn't find a single doc that explained this. I think we can only hope that this task is already completed for us come lab time.

Tyson/Jared,

Not sure if one of you guys was involved in writing Lab5a, but if so, was this from some implied knowledge or previous experience you have, or is there a really great NAC doc in the depths of the Cisco support pages that we're missing =)

Cheers
Stu

On Tue, Jun 23, 2009 at 8:54 PM, Timur Snoke <[email protected]> wrote:

> The only time I have seen anyone install the cert on an XP machine they
> install the cert in every store. I think this is a great opportunity for you
> to lab it up and let us all ride your coat-tails ;)
>
> Timur Snoke
>
> ------------------------------
> Date: Tue, 23 Jun 2009 20:20:37 +0100
> From: [email protected]
> To: [email protected]
> Subject: [OSL | CCIE_Security] LAB5A NAC L3 IP
>
> I have eventually got my head around NAC L3 IP but I can't seem to get the
> URL Redirect to work.
> Show eou output looks fine and I have enabled the aaa authorisation for
> auth proxy as well as the http server with aaa authentication, but no joy.
>
> Am I missing something?
>
> R5#sh eou ip 10.1.1.101
> Address : 10.1.1.101
> MAC Address : 000c.2990.5a48
> Interface : FastEthernet0/1
> AuthType : EAP
> Audit Session ID : 0000015E016D4F3C000000550A010165
> PostureToken : Quarantine
> Age(min) : 45
> URL Redirect : http://8.8.8.8
> URL Redirect ACL : NO URL REDIRECT ACL
> ACL Name : xACSACLx-IP-NAC_SAMPLE_QUARANTINE_ACL-4a40ec7c
> Tag Name : NO TAG NAME
> User Name : XP:Administrator
> Revalidation Period : 3600 Seconds
> Status Query Period : 30 Seconds
> Current State : AUTHENTICATED
>
> I've got to say the documentation for NAC is sub-par, even though there are
> a few more docs now for it.
>
> The certificate on the XP machine and installing the cert chain could
> potentially be an issue in the lab, especially knowing which cert stores to
> install the chain in.
> Is there a doc for this?
>
> Cheers
> Stu
>
> --
> Stuart Hare
> [email protected]

--
Stuart Hare
[email protected]
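The failure described in the thread (the supplicant rejecting the ACS server certificate because part of the CA chain was missing from one of its certificate stores) is much quicker to pin down from the client side than from the ACS logs. The following is an added example, not code from the list or from any Cisco document: it assumes PowerShell is available on the supplicant (a stock XP install does not ship it) and that the ACS server certificate has been exported to a `.cer` file; the thumbprint and file path in the usage lines are placeholders. The first function reports every store, in both the user and machine hives, that holds a given CA certificate, so a store that was skipped during installation shows up immediately. The second goes a step further than the thread and builds the trust chain for the ACS certificate the same way the TLS handshake would, printing a status such as `UntrustedRoot` when the root is not in the Trusted Root store.

```powershell
# Added example (not from the thread). Assumes PowerShell on the supplicant and an
# exported copy of the ACS server certificate; all values in the usage lines are placeholders.

function Find-CaStores {
    # Lists every certificate store (CurrentUser and LocalMachine) holding the given CA cert.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Strip spaces and separators so the value matches what the Cert: provider exposes.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object { $_.Thumbprint -eq $wanted } |
        ForEach-Object {
            # PSParentPath has the form Microsoft.PowerShell.Security\Certificate::LocalMachine\Root;
            # keep only the hive\store part.
            ($_.PSParentPath -split '::')[1]
        }
}

function Test-ServerCertChain {
    # Builds the trust chain for the ACS server certificate as the supplicant would during
    # the EAP-TLS/PEAP handshake and reports each link plus any chain status errors.
    param([Parameter(Mandatory = $true)][string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Lab CAs rarely publish a reachable CRL; skip revocation so only trust/path errors surface.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $ok = $chain.Build($cert)
    Write-Output ("Chain builds: {0}" -f $ok)

    foreach ($element in $chain.ChainElements) {
        Write-Output ("  {0}  [{1}]" -f $element.Certificate.Subject, $element.Certificate.Thumbprint)
    }
    foreach ($status in $chain.ChainStatus) {
        # UntrustedRoot: root CA missing from Trusted Root; PartialChain: an intermediate is missing.
        Write-Output ("  status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    return $ok
}

# Usage (placeholders, run on the supplicant):
# Find-CaStores -Thumbprint '<ROOT-CA-SHA1-THUMBPRINT>'
# Test-ServerCertChain -Path 'C:\certs\acs-server.cer'
```

Run `Find-CaStores` once for the root and once for each intermediate in the chain and compare the output against the list of stores the Proctor guide expects; `Test-ServerCertChain` then confirms that the supplicant can actually validate the ACS certificate before any 802.1X or EoU attempt is made.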
