Stu,

That is good to know. I am not sure right now, as the documentation always says it is needed. But I have found that on several things: a lot of documentation shows the need to specifically call out a lot of the VSA attributes where, without them, the configuration works as well. Too much stuff. Arghh!

From: Stuart Hare [mailto:[email protected]]
Sent: Friday, June 26, 2009 6:49 AM
To: Tyson Scott
Cc: Timur Snoke; [email protected]
Subject: Re: [OSL | CCIE_Security] LAB5A NAC L3 IP

Tyson,

Yes I did reboot. I have even labbed this up without it from scratch and it still works. So basically just:

aaa new-model
aaa authentication login NOAAA none
aaa authentication eou default group radius

Stu

On Wed, Jun 24, 2009 at 11:16 PM, Tyson Scott <[email protected]> wrote:

Did you reboot after removing it? Your device may have still been caching the authorization.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: Stuart Hare [mailto:[email protected]]
Sent: Wednesday, June 24, 2009 4:12 PM
To: Tyson Scott
Cc: Timur Snoke; [email protected]
Subject: Re: [OSL | CCIE_Security] LAB5A NAC L3 IP

Cool, thanks Tyson. I think with the amount of times I've done it now it should have sunk in =)

One more thing while it's fresh in my head: why was 'aaa authorization auth-proxy default group radius' used? At first I thought it was for the ACL downloads, but the NAC profile handles that. Then after reading Yusuf's book I thought it was for the redirect to work. But after removing it everything seems to still work fine, so now I'm a bit stumped. Can you enlighten me please?

(Great post to Yusuf btw, some real valid pointers there; so far he has not avoided any questions, which is great.)

Cheers
Stu

On Wed, Jun 24, 2009 at 4:47 PM, Tyson Scott <[email protected]> wrote:

Stuart,

The only really good book out there is the Cisco Press book Cisco Network Admission Control Volume II. As far as the certificate though, I wouldn't say intimate knowledge. I would more call it trial by error :) I had the issue with other certificates in the past with applications and found the method described to work best.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Stuart Hare
Sent: Tuesday, June 23, 2009 4:12 PM
To: Timur Snoke
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] LAB5A NAC L3 IP

Putting them in every store is a pain and time consuming, as you seem to have to do one at a time. So I think we would all like to avoid that at all costs. If you look through the Proctor Guide solution section 5.10, there's a nice page that lists them for you. I remembered I had to do them but missed 2 of them (Trusted Root CA Store), and ended up with endless failures in the ACS logs:

EAP-TLS or PEAP authentication failed during SSL handshake

This seems to point to a certificate issue, but who the hell knows where from that message. So obviously I went through getting new certs for the ACS and the XP machine and reinstalling the CA chain. It only started to work once the CA chain was in all 6 stores on the XP machine. Bummer really, considering I couldn't find a single doc that explained this. I think we can only hope that this task is already completed for us come lab time.

Tyson/Jared,

Not sure if one of you guys was involved in writing Lab5a, but if so, was this from some implied knowledge or previous experience you have, or is there a really great NAC doc in the depths of the Cisco support pages that we're missing =)

Cheers
Stu

On Tue, Jun 23, 2009 at 8:54 PM, Timur Snoke <[email protected]> wrote:

The only time I have seen anyone install the cert on an XP machine, they install the cert in every store. I think this is a great opportunity for you to lab it up and let us all ride your coat-tails ;)

Timur Snoke

Date: Tue, 23 Jun 2009 20:20:37 +0100
From: [email protected]
To: [email protected]
Subject: [OSL | CCIE_Security] LAB5A NAC L3 IP

I have eventually got my head around NAC L3 IP, but I can't seem to get the URL Redirect to work. The show eou output looks fine and I have enabled the aaa authorization for auth-proxy as well as the http server with aaa authentication, but no joy. Am I missing something?

R5#sh eou ip 10.1.1.101
Address : 10.1.1.101
MAC Address : 000c.2990.5a48
Interface : FastEthernet0/1
AuthType : EAP
Audit Session ID : 0000015E016D4F3C000000550A010165
PostureToken : Quarantine
Age(min) : 45
URL Redirect : http://8.8.8.8
URL Redirect ACL : NO URL REDIRECT ACL
ACL Name : xACSACLx-IP-NAC_SAMPLE_QUARANTINE_ACL-4a40ec7c
Tag Name : NO TAG NAME
User Name : XP:Administrator
Revalidation Period : 3600 Seconds
Status Query Period : 30 Seconds
Current State : AUTHENTICATED

I've got to say the documentation for NAC is sub-par, even though there are a few more docs now for it. The certificate on the XP machine and installing the cert chain could potentially be an issue in the lab, especially knowing which cert stores to install the chain in. Is there a doc for this?

Cheers
Stu

--
Stuart Hare
[email protected]
