Tyson,

Yes I did reboot, I have even labbed this up without it from scratch and it still works.

So basically just:

aaa new-model
aaa authentication login NOAAA none
aaa authentication eou default group radius

Stu

On Wed, Jun 24, 2009 at 11:16 PM, Tyson Scott <[email protected]> wrote:
> Did you reboot after removing it? Your device may have still been
> caching the authorization.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
> CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE
> Storage Lab Certifications.
>
> *From:* Stuart Hare [mailto:[email protected]]
> *Sent:* Wednesday, June 24, 2009 4:12 PM
> *To:* Tyson Scott
> *Cc:* Timur Snoke; [email protected]
> *Subject:* Re: [OSL | CCIE_Security] LAB5A NAC L3 IP
>
> Cool thanks Tyson.
>
> I think the amount of times I've done it now it should have sunk in =)
>
> One more thing while it's fresh in my head, why was 'aaa authorization
> auth-proxy default group radius' used?
>
> At first I thought it was for the ACL downloads, but NAC profile handles
> that.
>
> Then after reading Yusuf's book I thought it was for the redirect to work.
>
> But after removing it everything seems to still work fine, so now I'm a bit
> stumped?
>
> Can you enlighten me please?
>
> (Great post to Yusuf btw, some real valid pointers there, so far he has
> not avoided any questions which is great).
>
> Cheers
>
> Stu
>
> On Wed, Jun 24, 2009 at 4:47 PM, Tyson Scott <[email protected]> wrote:
>
> Stuart,
>
> The only really good book out there is the Cisco Press book Cisco Network
> Admission Control Volume II.
>
> As far as the certificate though I wouldn't say intimate knowledge. I
> would more call it a trial by error :). I had the issue with other
> certificates in the past with Applications and found the method described to
> work best.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Stuart Hare
> *Sent:* Tuesday, June 23, 2009 4:12 PM
> *To:* Timur Snoke
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] LAB5A NAC L3 IP
>
> Putting them in every store is a pain and time consuming as you seem to
> have to do one at a time.
>
> So I think we would all like to avoid that at all costs.
>
> If you look through the Proctor guide solution section 5.10, there's a nice
> page that lists them for you.
>
> I remembered I had to do them but missed 2 of them (Trusted Root CA Store),
> and ended up with endless failures on the ACS logs.
>
> EAP-TLS or PEAP authentication failed during SSL handshake
>
> This seems to point to a certificate issue, but who the hell knows where from
> that message.
>
> So obviously I went through getting new certs for the ACS and the XP
> machine and reinstalling the CA chain.
>
> It only started to work once the CA chain was in all 6 stores on the XP
> machine.
>
> Bummer really considering I couldn't find a single doc that explained this.
>
> I think we can only hope that this task is already completed for us come
> lab time.
>
> Tyson/Jared, not sure if one of you guys were involved in writing Lab5a,
> but if so, was this from some implied knowledge or previous experience you
> have, or is there a really great NAC doc in the depths of the Cisco support
> pages that we're missing =)
>
> Cheers
>
> Stu
>
> On Tue, Jun 23, 2009 at 8:54 PM, Timur Snoke <[email protected]> wrote:
>
> The only time I have seen anyone install the cert on an XP machine they
> install the cert in every store. I think this is a great opportunity for you
> to lab it up and let us all ride your coat-tails ;)
>
> Timur Snoke
>
> ------------------------------
>
> Date: Tue, 23 Jun 2009 20:20:37 +0100
> From: [email protected]
> To: [email protected]
> Subject: [OSL | CCIE_Security] LAB5A NAC L3 IP
>
> I have eventually got my head around NAC L3 IP but I can't seem to get the
> URL Redirect to work.
>
> Show eou output looks fine and I have enabled the aaa authorisation for
> auth proxy as well as the http server with aaa authentication, but no joy.
>
> Am I missing something?
>
> R5#sh eou ip 10.1.1.101
> Address : 10.1.1.101
> MAC Address : 000c.2990.5a48
> Interface : FastEthernet0/1
> AuthType : EAP
> Audit Session ID : 0000015E016D4F3C000000550A010165
> PostureToken : Quarantine
> Age(min) : 45
> URL Redirect : http://8.8.8.8
> URL Redirect ACL : NO URL REDIRECT ACL
> ACL Name : xACSACLx-IP-NAC_SAMPLE_QUARANTINE_ACL-4a40ec7c
> Tag Name : NO TAG NAME
> User Name : XP:Administrator
> Revalidation Period : 3600 Seconds
> Status Query Period : 30 Seconds
> Current State : AUTHENTICATED
>
> I've got to say the documentation for NAC is sub-par, even though there are
> a few more docs now for it.
>
> The certificate on the XP machine and installing the cert chain could
> potentially be an issue in the lab, especially knowing which cert stores to
> install the chain in.
>
> Is there a doc for this?
>
> Cheers
>
> Stu
>
> --
> Stuart Hare
> [email protected]
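The pieces of the NAC L3 IP (EAPoUDP) lab discussed in this thread, assembled as an added example IOS configuration that is not from any of the posters. The RADIUS server address, shared key, admission rule name and console line are assumed lab values; the interface and the 3600 s / 30 s timers match the show eou output above, and the three aaa lines match Stu's working minimum.

```text
! Added example: minimal NAC L3 IP lab skeleton on the router acting as NAD.
! Assumed values: RADIUS server 10.1.1.10, key LABKEY, rule name NAC-L3.
aaa new-model
! Keep console/vty access independent of RADIUS while testing.
aaa authentication login NOAAA none
! EAPoUDP posture validation is authenticated against the RADIUS group (ACS).
aaa authentication eou default group radius
! Stu reports the redirect and downloadable ACL still work with the next
! line removed; it is kept here so both variants can be compared in the lab.
aaa authorization auth-proxy default group radius
!
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key LABKEY
! Send the host's IP (Framed-IP-Address) in the Access-Request.
radius-server attribute 8 include-in-access-req
!
! Posture rule bound to the host-facing interface.
ip admission name NAC-L3 eapoudp
eou timeout revalidation 3600
eou timeout status-query 30
!
! URL redirect for quarantined hosts needs the HTTP server on the NAD,
! authenticated via AAA (as in Stu's original post).
ip http server
ip http authentication aaa
!
interface FastEthernet0/1
 ip admission NAC-L3
!
line console 0
 login authentication NOAAA
```

Verify with `show eou ip <host>` as in the thread; a quarantined host should show the downloaded ACL name and the URL Redirect value pushed from ACS.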
