Try to copy (import) the server certificate in your Workstation.... Workstation certificate is only used on NAC L2...
Regards.

2009/6/23 Stuart Hare <[email protected]>

> Putting them in every store is a pain and time consuming as you seem to
> have to do one at a time.
> So I think we would all like to avoid that at all costs.
> If you look through the Proctor guide solution section 5.10, there's a nice
> page that lists them for you.
> I remembered I had to do them but missed 2 of them (Trusted Root CA Store),
> and ended up with endless failures on the ACS logs.
>
> EAP-TLS or PEAP authentication failed during SSL handshake
>
> This seems to point to a certificate issue, but who the hell knows where from
> that message.
> So obviously I went through getting new certs for the ACS and the XP
> machine and reinstalling the CA chain.
>
> It only started to work once the CA chain was in all 6 stores on the XP
> machine.
>
> Bummer really considering I couldn't find a single doc that explained this.
> I think we can only hope that this task is already completed for us come
> lab time.
>
> Tyson/Jared, not sure if one of you guys were involved in writing Lab5a,
> but if so, was this from some implied knowledge or previous experience you
> have, or is there a really great NAC doc in the depths of the Cisco support
> pages that we're missing =)
>
> Cheers
> Stu
>
> On Tue, Jun 23, 2009 at 8:54 PM, Timur Snoke <[email protected]> wrote:
>
>> The only time I have seen anyone install the cert on an XP machine they
>> install the cert in every store. I think this is a great opportunity for you
>> to lab it up and let us all ride your coat-tails ;)
>>
>> Timur Snoke
>>
>> ------------------------------
>> Date: Tue, 23 Jun 2009 20:20:37 +0100
>> From: [email protected]
>> To: [email protected]
>> Subject: [OSL | CCIE_Security] LAB5A NAC L3 IP
>>
>> I have eventually got my head around NAC L3 IP but I can't seem to get the
>> URL Redirect to work.
>> Show eou output looks fine and I have enabled the aaa authorisation for
>> auth proxy as well as the http server with aaa authentication, but no joy.
>>
>> Am I missing something?
>>
>> R5#sh eou ip 10.1.1.101
>> Address             : 10.1.1.101
>> MAC Address         : 000c.2990.5a48
>> Interface           : FastEthernet0/1
>> AuthType            : EAP
>> Audit Session ID    : 0000015E016D4F3C000000550A010165
>> PostureToken        : Quarantine
>> Age(min)            : 45
>> URL Redirect        : http://8.8.8.8
>> URL Redirect ACL    : NO URL REDIRECT ACL
>> ACL Name            : xACSACLx-IP-NAC_SAMPLE_QUARANTINE_ACL-4a40ec7c
>> Tag Name            : NO TAG NAME
>> User Name           : XP:Administrator
>> Revalidation Period : 3600 Seconds
>> Status Query Period : 30 Seconds
>> Current State       : AUTHENTICATED
>>
>> I've got to say the documentation for NAC is sub-par, even though there are
>> a few more docs now for it.
>>
>> The certificate on the XP machine and installing the cert chain could
>> potentially be an issue in the lab, especially knowing which cert stores to
>> install the chain in.
>> Is there a doc for this?
>>
>> Cheers
>> Stu
>>
>> --
>> Stuart Hare
>>
>> [email protected]
>
> --
> Stuart Hare
>
> [email protected]
