Cool thanks Tyson.

I think with the number of times I've done it now it should have sunk in =)

One more thing while it's fresh in my head: why was 'aaa authorisation
auth-proxy default group radius' used?
At first I thought it was for the ACL downloads, but the NAC profile handles
that.
Then after reading Yusuf's book I thought it was for the redirect to work.
But after removing it everything seems to still work fine, so now I'm a bit
stumped.

Can you enlighten me please?

(Great post to Yusuf btw, some real valid pointers there, so far he has
not avoided any questions which is great).

Cheers
Stu

On Wed, Jun 24, 2009 at 4:47 PM, Tyson Scott <[email protected]> wrote:

>  Stuart,
>
>
>
> The only really good book out there is the Cisco press book Cisco Network
> Admission Control Volume II.
>
>
>
> As far as the certificate though, I wouldn't say intimate knowledge.  I
> would more call it trial by error :).  I had the issue with other
> certificates in the past with applications and found the method described to
> work best.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S and Security
>
> Technical Instructor - IPexpert, Inc.
>
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto:  [email protected]
>
>
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities <http://www.ipexpert.com/communities>
>
>
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
> CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE
> Storage Lab Certifications.
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Stuart Hare
> *Sent:* Tuesday, June 23, 2009 4:12 PM
> *To:* Timur Snoke
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] LAB5A NAC L3 IP
>
>
>
> Putting them in every store is a pain and time consuming as you seem to
> have to do one at a time.
>
> So I think we would all like to avoid that at all costs.
>
> If you look through the Proctor guide solution section 5.10, there's a nice
> page that lists them for you.
>
> I remembered I had to do them but missed 2 of them (Trusted Root CA Store),
> and ended up with endless failures on the ACS logs.
>
>
>
> EAP-TLS or PEAP authentication failed during SSL handshake
>
>
>
> This seems to point to certificate issue, but who the hell knows where from
> that message.
>
> So obviously I went through getting new certs for the ACS and the XP
> machine and reinstalling the CA Chain.
>
>
>
> It only started to work once the CA chain was in all 6 stores on the XP
> machine.
>
>
>
> Bummer really, considering I couldn't find a single doc that explained this.
>
> I think we can only hope that this task is already completed for us come
> lab time.
>
>
>
> Tyson/Jared, not sure if one of you guys was involved in writing Lab5a,
> but if so, was this from some implied knowledge or previous experience you
> have, or is there a really great NAC doc in the depths of the Cisco support
> pages that we're missing =)
>
>
>
> Cheers
>
> Stu
>
> On Tue, Jun 23, 2009 at 8:54 PM, Timur Snoke <[email protected]> wrote:
>
> The only time I have seen anyone install the cert on an XP machine they
> install the cert in every store. I think this is a great opportunity for you
> to lab it up and let us all ride your coat-tails ;)
>
> Timur Snoke
>
>
>
>  ------------------------------
>
> Date: Tue, 23 Jun 2009 20:20:37 +0100
> From: [email protected]
> To: [email protected]
> Subject: [OSL | CCIE_Security] LAB5A NAC L3 IP
>
>
>
> I have eventually got my head around NAC L3 IP but I can't seem to get the
> URL redirect to work.
>
> "show eou" output looks fine and I have enabled AAA authorisation for
> auth-proxy as well as the HTTP server with AAA authentication, but no joy.
>
>
>
> Am I missing something?
>
> R5#sh eou ip 10.1.1.101
> Address             : 10.1.1.101
> MAC Address         : 000c.2990.5a48
> Interface           : FastEthernet0/1
> AuthType            : EAP
> Audit Session ID    : 0000015E016D4F3C000000550A010165
> PostureToken        : Quarantine
> Age(min)            : 45
> URL Redirect        : http://8.8.8.8
> URL Redirect ACL    : NO URL REDIRECT ACL
> ACL Name            : xACSACLx-IP-NAC_SAMPLE_QUARANTINE_ACL-4a40ec7c
> Tag Name            : NO TAG NAME
> User Name           : XP:Administrator
> Revalidation Period : 3600 Seconds
> Status Query Period : 30 Seconds
> Current State       : AUTHENTICATED
>
>
>
> I've got to say the documentation for NAC is sub-par, even though there are
> a few more docs now for it.
>
>
>
> The certificate on the XP machine and installing the cert chain could
> potentially be an issue in the lab, especially knowing which cert stores to
> install the chain in.
>
> Is there a doc for this?
>
>
>
> Cheers
>
> Stu
>
>
> --
> Stuart Hare
>
> [email protected]
>
>
>  ------------------------------
>
>
>
>
>
> --
> Stuart Hare
>
> [email protected]
>
>


-- 
Stuart Hare

[email protected]
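As an added reference for the thread above (this is editor-supplied example config, not anything posted by Stuart, Tyson or Timur, and not from the IPexpert lab), here is a minimal IOS NAC L3 IP (EAPoUDP) configuration that includes the pieces URL redirection depends on. The hostnames, addresses, ACL names and RADIUS key are assumptions; the redirect target http://8.8.8.8 and the timer values are taken from the "show eou" output in the thread. One thing worth checking against that output: the "URL Redirect ACL : NO URL REDIRECT ACL" field shows that ACS returned only url-redirect and not url-redirect-acl, and the redirect ACL is what tells the router which flows to intercept, so the ACS posture profile should send both AV pairs and the named ACL has to exist locally on the router.

```ios
! Added example, not from the thread: NAC L3 IP with URL redirect.
! Addresses, names and the RADIUS key below are assumptions.
aaa new-model
aaa authentication eou default group radius
aaa authorization network default group radius
! The line the thread asks about. It is the authorization method the HTTP
! auth-proxy admission method (ip admission ... proxy http) uses; eapoudp
! posture authorization, including the downloadable ACL, goes through
! the 'network' method above.
aaa authorization auth-proxy default group radius
!
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key cisco
radius-server vsa send authentication
radius-server attribute 8 include-in-access-req
!
! The router needs an HTTP listener to intercept and redirect web traffic
! (the thread mentions the HTTP server with AAA authentication).
ip http server
ip http authentication aaa
!
ip admission name NAC-L3 eapoudp
eou allow ip-station-id
eou allow clientless
eou timeout revalidation 3600
eou timeout status-query 30
!
! Interface ACL: only EAPoUDP (UDP 21862), DHCP and DNS pass before the
! host is postured; the downloadable ACL from ACS is inserted ahead of
! this ACL per host once posture validation completes.
ip access-list extended NAC-INTERCEPT
 permit udp any any eq 21862
 permit udp any eq 21862 any
 permit udp any any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
! The ACL named in the url-redirect-acl AV pair must exist locally; it
! selects which flows (here, HTTP) get intercepted and redirected.
ip access-list extended NAC-REDIRECT
 permit tcp any any eq www
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip access-group NAC-INTERCEPT in
 ip admission NAC-L3
!
! ACS side, returned as cisco-av-pair for the Quarantine posture (assumed):
!   url-redirect=http://8.8.8.8
!   url-redirect-acl=NAC-REDIRECT
! The downloadable quarantine ACL must also permit the host to reach the
! redirect target, or the browser is redirected to a page it cannot load.
```

After applying the ACS change, "show eou ip 10.1.1.101" should list the redirect ACL name instead of NO URL REDIRECT ACL; "show ip admission cache eapoudp" and "debug eou events" are the next places to look if the host still is not redirected.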
