Hello All!
I am working on L2_802.1x NAC and have run into a strange
problem with the CTA client. I have set up a 3560 as the NAD and have a
CiscoSecure ACS server. On the client side, I have a Dell Windows XP
workstation with the Cisco Trust Agent wired client ver 4.0.5.5189. I
have followed the Cisco NAC configuration guide as an example and
everything seems to be working except that the CTA agent tries to get an
address via DHCP and fails. Funny thing is that the underlying OS does
get a DHCP lease and I have the packet captures confirming it.
Here is what I see:
ACS:
02/11/2010 15:11:16 Authen OK dot1user Group 1 00-08-74-92-2C-0E 50018 10.100.100.4 LAB_NAC_L2_802.1X NAC-SAMPLE-HEALTHY-L2-RAC .. Healthy Cisco:PA=Healthy Posture validation rule=NAC-SAMPLE-POSTURE-RULE; 'Cisco:PA:APT=Healthy' returned by: Evaluated by policy: NAC-SAMPLE-CTA-POLICY Rule=1 43 EAP-FAST anonymous Cat4 ..
Cat:
SEC-CAT4#sh dot1x interface g0/18 details
Dot1x Info for GigabitEthernet0/18
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthPeriod = (From Authentication Server)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Dot1x Authenticator Client List
-------------------------------
Domain = DATA
Supplicant = 0008.7492.2c0e
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
ReAuthPeriod = 36000
ReAuthAction = Reauthenticate
TimeToNextReauth = 35910
Authentication Method = Dot1x
Posture = Healthy
Authorized By = Authentication Server
Vlan Policy = 200
SEC-CAT4#
DHCP Server:
*Feb 11 19:41:51.311: DHCPD: DHCPDISCOVER received from client 0100.0874.922c.0e through relay 10.20.20.1.
*Feb 11 19:41:51.311: DHCPD: Seeing if there is an internally specified pool class:
*Feb 11 19:41:51.311: DHCPD: htype 1 chaddr 0008.7492.2c0e
*Feb 11 19:41:51.311: DHCPD: remote id 020a00000a64640521000000
*Feb 11 19:41:51.311: DHCPD: circuit id 00000000
*Feb 11 19:41:51.311: DHCPD: Sending DHCPOFFER to client 0100.0874.922c.0e (10.20.20.201).
*Feb 11 19:41:51.311: DHCPD: Including FQDN option name 'RACK-XP2.ipexpert.com.' rcode1=0, rcode2=0 flags=0x0
*Feb 11 19:41:51.311: DHCPD: unicasting BOOTREPLY for client 0008.7492.2c0e to relay 10.20.20.1.
*Feb 11 19:41:51.315: DHCPD: DHCPREQUEST received from client 0100.0874.922c.0e.
*Feb 11 19:41:51.315: DHCPD: Sending notification of ASSIGNMENT:
*Feb 11 19:41:51.315: DHCPD: address 10.20.20.201 mask 255.255.255.0
*Feb 11 19:41:51.315: DHCPD: htype 1 chaddr 0008.7492.2c0e
*Feb 11 19:41:51.315: DHCPD: lease time remaining (secs) = 86400
*Feb 11 19:41:51.315: DHCPD: Appending default domain from pool
*Feb 11 19:41:51.315: DHCPD: Using hostname 'RACK-XP2.ipexpert.com.' for dynamic update (from FQDN option)
*Feb 11 19:41:51.315: DHCPD: Sending DHCPACK to client 0100.0874.922c.0e (10.20.20.201).
*Feb 11 19:41:51.315: DHCPD: Including FQDN option name 'RACK-XP2.ipexpert.com.' rcode1=0, rcode2=0 flags=0x0
*Feb 11 19:41:51.315: DHCPD: unicasting BOOTREPLY for client 0008.7492.2c0e to relay 10.20.20.1.
Now the CTA client shows me a POP-Up window of "Healthy" and I do get a
DHCP lease, but the CTA does not see it and times out:
14:47:25.984 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_LOGOFF)
14:47:26.000 Port state transition to AC_PORT_STATE_STOPPED(AC_PORT_STATUS_STOPPED)
14:47:28.078 Cisco Trust Agent 802.1X wired client Connection requested automatically from user context.
14:47:28.281 Connection authentication started using the logged in user's credentials.
14:47:28.390 Port state transition to AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
14:47:28.546 Port state transition to AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
14:47:28.562 Identity has been requested from the network.
14:47:28.578 Identity has been sent to the network.
14:47:28.625 Authentication started using method type EAP-FAST, level 0
14:47:28.640 The server has requested using authentication type: EAP-FAST
14:47:28.640 The client has requested using authentication type: EAP-FAST
14:47:28.656 Validating the server.
14:47:28.937 Authentication started using method type EAP-GTC, level 1
14:47:28.937 The server has requested using authentication type: EAP-GTC
14:47:28.937 The client has requested using authentication type: EAP-GTC
14:47:28.953 Identity has been requested from the network.
14:47:28.968 Identity has been sent to the network.
14:47:31.062 Port state transition to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:47:31.062 The authentication process has succeeded.
14:47:42.859 Sending DHCP release request.
14:47:42.906 Sending DHCP renew request.
14:48:10.156 Sending DHCP renew request.
14:48:38.546 A failure occurred while trying to get an IP address (-20:AC_ERR_SYSTEM)
Has anyone seen this before and have any ideas on how to troubleshoot?
Everything looks good from the CAT and ACS point of view. I have checked
the logs for the CTA agent and the only thing is the timing out of DHCP.
Thanks!
Dave
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
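A small correlation script, added here as an example and not part of the original post, that parses IOS `debug ip dhcp server` output and the CTA client log side by side. It maps the server's client-id (htype byte plus MAC) back to the switch's supplicant MAC, confirms the server completed DISCOVER/OFFER/REQUEST/ACK for that host, and flags the case where the client still reports `AC_ERR_SYSTEM`, which localises the fault to the supplicant host rather than the switch, relay or DHCP server. The sample log lines are constructed to mirror the post; the function names are my own.

```python
import re
# Constructed sample lines modelled on the logs in the post (not the original captures).
DHCP_LOG = """\
*Feb 11 19:41:51.311: DHCPD: DHCPDISCOVER received from client 0100.0874.922c.0e through relay 10.20.20.1.
*Feb 11 19:41:51.311: DHCPD: Sending DHCPOFFER to client 0100.0874.922c.0e (10.20.20.201).
*Feb 11 19:41:51.315: DHCPD: DHCPREQUEST received from client 0100.0874.922c.0e.
*Feb 11 19:41:51.315: DHCPD: Sending DHCPACK to client 0100.0874.922c.0e (10.20.20.201).
"""
CTA_LOG = """\
14:47:31.062 Port state transition to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:47:42.906 Sending DHCP renew request.
14:48:10.156 Sending DHCP renew request.
14:48:38.546 A failure occurred while trying to get an IP address (-20:AC_ERR_SYSTEM)
"""
# IOS DHCPD prints the client-id as the htype byte (01) followed by the MAC, dotted in groups of four.
DHCP_RE = re.compile(r"DHCPD: (?:Sending )?(DHCP(?:DISCOVER|OFFER|REQUEST|ACK)) "
                     r"(?:to|received from) client ([0-9a-f]{4}(?:\.[0-9a-f]{4}){2}\.[0-9a-f]{2})"
                     r"(?: \(([\d.]+)\))?")

def client_id_to_mac(cid):
    """'0100.0874.922c.0e' -> '0008.7492.2c0e': drop the htype byte, regroup as the switch shows it."""
    mac = cid.replace(".", "")[2:]
    return ".".join(mac[i:i + 4] for i in range(0, len(mac), 4))

def dhcp_transactions(log):
    """Map each client MAC to the DHCP message types the server logged (value = offered/acked IP)."""
    seen = {}
    for line in log.splitlines():
        if m := DHCP_RE.search(line):
            msg, cid, ip = m.groups()
            seen.setdefault(client_id_to_mac(cid), {})[msg] = ip
    return seen

def cta_dhcp_outcome(log):
    """What the CTA supplicant log says happened after EAP success: renew attempts and final error."""
    out = {"eap_success": False, "renews": 0, "error": None}
    for line in log.splitlines():
        if "AC_PORT_STATUS_EAP_SUCCESS" in line:
            out["eap_success"] = True
        elif "Sending DHCP renew request" in line:
            out["renews"] += 1
        elif "failure occurred while trying to get an IP address" in line:
            m = re.search(r"\((-?\d+:[A-Z_]+)\)", line)
            out["error"] = m.group(1) if m else line.strip()
    return out

def correlate(mac, dhcp_log, cta_log):
    """Flag the split-brain case: server completed DORA for `mac` while the client reports failure."""
    acked = dhcp_transactions(dhcp_log).get(mac, {}).get("DHCPACK")
    cta = cta_dhcp_outcome(cta_log)
    return {"server_acked_ip": acked, "cta": cta,
            "client_side_only": acked is not None and cta["error"] is not None}
```

When `client_side_only` is true the network side has done its job and the next place to look is the host: the CTA service's view of the adapter versus the OS DHCP client that actually holds the lease.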