My only thought is portfast. If the CTA agent isn't seeing the DHCP offer in the expected time, that is possibly a problem. But beyond that I am not sure, as I have not encountered this problem.

Uninstall/reinstall of the CTA client? Look in CCO for possible known bugs? All good questions. I am assuming you don't have problems with a static IP.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Mack, David A (Dave)
Sent: Thursday, February 11, 2010 3:19 PM
To: [email protected]
Subject: [OSL | CCIE_Security] 802.1x NAC CTA Problem

Hello All!

I am working on L2 802.1x NAC and have run into a strange problem with the CTA client. I have set up a 3560 as the NAD and have a CiscoSecure ACS server. On the client side, I have a Dell Windows XP workstation with the Cisco Trust Agent wired client ver 4.0.5.5189. I have followed the Cisco NAC configuration guide as an example and everything seems to be working except that the CTA agent tries to get an address via DHCP and fails. Funny thing is that the underlying OS does get a DHCP lease and I have the packet captures confirming it. Here is what I see:

ACS:

02/11/2010 15:11:16 Authen OK dot1user Group 1 00-08-74-92-2C-0E 50018 10.100.100.4 LAB_NAC_L2_802.1X NAC-SAMPLE-HEALTHY-L2-RAC .. Healthy Cisco:PA=Healthy Posture validation rule=NAC-SAMPLE-POSTURE-RULE; 'Cisco:PA:APT=Healthy' returned by: Evaluated by policy: NAC-SAMPLE-CTA-POLICY Rule=1 43 EAP-FAST anonymous Cat4 ..

Cat:

SEC-CAT4#sh dot1x interface g0/18 details
Dot1x Info for GigabitEthernet0/18
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = PROTECT
ReAuthentication          = Enabled
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthPeriod              = (From Authentication Server)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

Dot1x Authenticator Client List
-------------------------------
Domain                    = DATA
Supplicant                = 0008.7492.2c0e
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE
Port Status               = AUTHORIZED
ReAuthPeriod              = 36000
ReAuthAction              = Reauthenticate
TimeToNextReauth          = 35910
Authentication Method     = Dot1x
Posture                   = Healthy
Authorized By             = Authentication Server
Vlan Policy               = 200
SEC-CAT4#

DHCP Server:

*Feb 11 19:41:51.311: DHCPD: DHCPDISCOVER received from client 0100.0874.922c.0e through relay 10.20.20.1.
*Feb 11 19:41:51.311: DHCPD: Seeing if there is an internally specified pool class:
*Feb 11 19:41:51.311: DHCPD:   htype 1 chaddr 0008.7492.2c0e
*Feb 11 19:41:51.311: DHCPD:   remote id 020a00000a64640521000000
*Feb 11 19:41:51.311: DHCPD:   circuit id 00000000
*Feb 11 19:41:51.311: DHCPD: Sending DHCPOFFER to client 0100.0874.922c.0e (10.20.20.201).
*Feb 11 19:41:51.311: DHCPD: Including FQDN option name 'RACK-XP2.ipexpert.com.' rcode1=0, rcode2=0 flags=0x0
*Feb 11 19:41:51.311: DHCPD: unicasting BOOTREPLY for client 0008.7492.2c0e to relay 10.20.20.1.
*Feb 11 19:41:51.315: DHCPD: DHCPREQUEST received from client 0100.0874.922c.0e.
*Feb 11 19:41:51.315: DHCPD: Sending notification of ASSIGNMENT:
*Feb 11 19:41:51.315: DHCPD:   address 10.20.20.201 mask 255.255.255.0
*Feb 11 19:41:51.315: DHCPD:   htype 1 chaddr 0008.7492.2c0e
*Feb 11 19:41:51.315: DHCPD:   lease time remaining (secs) = 86400
*Feb 11 19:41:51.315: DHCPD: Appending default domain from pool
*Feb 11 19:41:51.315: DHCPD: Using hostname 'RACK-XP2.ipexpert.com.' for dynamic update (from FQDN option)
*Feb 11 19:41:51.315: DHCPD: Sending DHCPACK to client 0100.0874.922c.0e (10.20.20.201).
*Feb 11 19:41:51.315: DHCPD: Including FQDN option name 'RACK-XP2.ipexpert.com.' rcode1=0, rcode2=0 flags=0x0
*Feb 11 19:41:51.315: DHCPD: unicasting BOOTREPLY for client 0008.7492.2c0e to relay 10.20.20.1.

Now the CTA client shows me a pop-up window of "Healthy" and I do get a DHCP lease, but the CTA does not see it and times out:

14:47:25.984 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_LOGOFF)
14:47:26.000 Port state transition to AC_PORT_STATE_STOPPED(AC_PORT_STATUS_STOPPED)
14:47:28.078 Cisco Trust Agent 802.1X wired client Connection requested automatically from user context.
14:47:28.281 Connection authentication started using the logged in user's credentials.
14:47:28.390 Port state transition to AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
14:47:28.546 Port state transition to AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
14:47:28.562 Identity has been requested from the network.
14:47:28.578 Identity has been sent to the network.
14:47:28.625 Authentication started using method type EAP-FAST, level 0
14:47:28.640 The server has requested using authentication type: EAP-FAST
14:47:28.640 The client has requested using authentication type: EAP-FAST
14:47:28.656 Validating the server.
14:47:28.937 Authentication started using method type EAP-GTC, level 1
14:47:28.937 The server has requested using authentication type: EAP-GTC
14:47:28.937 The client has requested using authentication type: EAP-GTC
14:47:28.953 Identity has been requested from the network.
14:47:28.968 Identity has been sent to the network.
14:47:31.062 Port state transition to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:47:31.062 The authentication process has succeeded.
14:47:42.859 Sending DHCP release request.
14:47:42.906 Sending DHCP renew request.
14:48:10.156 Sending DHCP renew request.
14:48:38.546 A failure occurred while trying to get an IP address (-20:AC_ERR_SYSTEM)

Has anyone seen this before and have any ideas on how to troubleshoot? Everything looks good from the CAT and ACS point of view. I have checked the logs for the CTA agent and the only thing is the timing out of DHCP.

Thanks!

Dave

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
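The troubleshooting question in the thread is really a correlation problem: the DHCP server says it ACKed a lease, the CTA agent says it never got an address. The script below is an added example (not part of the thread, not Cisco tooling) that parses the CTA wired-client log and the IOS DHCP server debug output quoted above, embedded here as constructed samples, confirms the server completed DISCOVER/OFFER/REQUEST/ACK for the client identifier, and measures how long the agent waited after EAP success before giving up. The function names and the verdict strings are my own; the log formats are taken from the lines quoted in the thread.

```python
import re
from datetime import datetime

# Constructed samples: a subset of the CTA wired-client log and of the IOS
# "debug ip dhcp server" output quoted in the thread. The two boxes' clocks
# are not synchronised (14:47 vs 19:41), so correlation is by client
# identifier, never by timestamp.
CTA_LOG = """\
14:47:28.546 Port state transition to AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
14:47:28.625 Authentication started using method type EAP-FAST, level 0
14:47:31.062 Port state transition to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:47:31.062 The authentication process has succeeded.
14:47:42.859 Sending DHCP release request.
14:47:42.906 Sending DHCP renew request.
14:48:10.156 Sending DHCP renew request.
14:48:38.546 A failure occurred while trying to get an IP address (-20:AC_ERR_SYSTEM)
"""

DHCP_LOG = """\
*Feb 11 19:41:51.311: DHCPD: DHCPDISCOVER received from client 0100.0874.922c.0e through relay 10.20.20.1.
*Feb 11 19:41:51.311: DHCPD: Sending DHCPOFFER to client 0100.0874.922c.0e (10.20.20.201).
*Feb 11 19:41:51.311: DHCPD: unicasting BOOTREPLY for client 0008.7492.2c0e to relay 10.20.20.1.
*Feb 11 19:41:51.315: DHCPD: DHCPREQUEST received from client 0100.0874.922c.0e.
*Feb 11 19:41:51.315: DHCPD: address 10.20.20.201 mask 255.255.255.0
*Feb 11 19:41:51.315: DHCPD: Sending DHCPACK to client 0100.0874.922c.0e (10.20.20.201).
"""

CTA_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
DHCP_RE = re.compile(r"^\*\w{3} +\d+ \d{2}:\d{2}:\d{2}\.\d{3}: DHCPD: (.*)$")
# DORA message type plus the 7-byte client identifier (htype + MAC) IOS prints.
DHCP_MSG_RE = re.compile(
    r"(DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK).*?client "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{2})"
)


def parse_cta(text):
    """Return [(time, message)] for every timestamped CTA log line."""
    events = []
    for line in text.splitlines():
        m = CTA_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2)))
    return events


def cta_dhcp_summary(events):
    """What the agent did between 802.1X success and its IP-address verdict."""
    success = next(t for t, msg in events if "AC_PORT_STATUS_EAP_SUCCESS" in msg)
    failure = next((t for t, msg in events
                    if "failure occurred while trying to get an IP address" in msg), None)
    return {
        "releases": sum("Sending DHCP release" in msg for _, msg in events),
        "renews": sum("Sending DHCP renew" in msg for _, msg in events),
        "ip_failed": failure is not None,
        "seconds_to_verdict": (failure - success).total_seconds() if failure else None,
    }


def dhcp_exchange(text, client_id):
    """Ordered DORA message types the server logged for one client identifier."""
    seen = []
    for line in text.splitlines():
        m = DHCP_RE.match(line.strip())
        mm = DHCP_MSG_RE.search(m.group(1)) if m else None
        if mm and mm.group(2) == client_id:
            seen.append(mm.group(1))
    return seen


def diagnose(cta_text, dhcp_text, client_id):
    """Contrast the agent's view with the server's; verdict strings are my own."""
    agent = cta_dhcp_summary(parse_cta(cta_text))
    server = dhcp_exchange(dhcp_text, client_id)
    server_acked = "DHCPACK" in server
    if agent["ip_failed"] and server_acked:
        verdict = "server-acked-agent-timeout"   # lease exists; agent never saw the reply
    elif agent["ip_failed"]:
        verdict = "no-lease"                     # genuine DHCP failure: relay, pool or VLAN
    else:
        verdict = "ok"
    return {"verdict": verdict, "server_msgs": server, **agent}


if __name__ == "__main__":
    report = diagnose(CTA_LOG, DHCP_LOG, "0100.0874.922c.0e")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the thread's data the verdict is "server-acked-agent-timeout": the server saw the full DISCOVER/OFFER/REQUEST/ACK exchange and the agent still failed about 67 seconds after EAP success, after one release and two renews. That points away from the ACS and DHCP pool and toward the path between the relay and the client (port forwarding state, as the reply suggests, or the agent's own handling of the reply); a "no-lease" verdict would instead send you to the relay, pool or VLAN assignment.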
