Tyson,
        Hello! Thanks for the reply! I checked and I do have portfast on the 
interface:

SEC-CAT4#sh run int g0/18
Building configuration...

Current configuration : 286 bytes
!
interface GigabitEthernet0/18
 switchport access vlan 200
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout reauth-period server
 dot1x reauthentication
 spanning-tree portfast
 spanning-tree bpdufilter enable
end

I tried a static IP and everything works fine. I uninstalled and re-installed 
the CTA client and went back to DHCP. I still see the problem. What version of 
CTA client are you using?

Thanks!
Dave


-----Original Message-----
From: Tyson Scott [mailto:[email protected]] 
Sent: Friday, February 12, 2010 8:59 AM
To: Mack, David A (Dave); [email protected]
Subject: RE: [OSL | CCIE_Security] 802.1x NAC CTA Problem

My only thought is portfast.  If the CTA agent isn't seeing the DHCP offer
in the expected time, that is possibly a problem.  But beyond that I am not sure as I
have not encountered this problem.  

Uninstall/Reinstall of the CTA client?  Look in CCO for possible known bugs?
All good questions.  I am assuming you don't have problems with a static IP.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
Provider) Certification Training with locations throughout the United
States, Europe and Australia. Be sure to check out our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Mack, David
A (Dave)
Sent: Thursday, February 11, 2010 3:19 PM
To: [email protected]
Subject: [OSL | CCIE_Security] 802.1x NAC CTA Problem

Hello All! 

        I am working on L2_802.1x NAC and have run into a strange
problem with the CTA client. I have set up a 3560 as the NAD and have a
CiscoSecure ACS server. On the client side, I have a Dell Windows XP
workstation with the Cisco Trust Agent wired client ver 4.0.5.5189. I
have followed the Cisco NAC configuration guide as an example and
everything seems to be working except that the CTA agent tries to get an
address via DHCP and fails. Funny thing is that the underlying OS does
get a DHCP lease and I have the packet captures confirming it.

Here is what I see:

ACS:

02/11/2010 15:11:16 Authen OK dot1user Group 1 00-08-74-92-2C-0E 50018
10.100.100.4 LAB_NAC_L2_802.1X NAC-SAMPLE-HEALTHY-L2-RAC .. Healthy
Cisco:PA=Healthy Posture validation rule=NAC-SAMPLE-POSTURE-RULE;
'Cisco:PA:APT=Healthy' returned by: Evaluated by policy:
NAC-SAMPLE-CTA-POLICY Rule=1 43 EAP-FAST anonymous Cat4 .. 

Cat:

SEC-CAT4#sh dot1x interface g0/18 details 

Dot1x Info for GigabitEthernet0/18
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both 
HostMode                  = SINGLE_HOST
Violation Mode            = PROTECT
ReAuthentication          = Enabled
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthPeriod              = (From Authentication Server)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

Dot1x Authenticator Client List
-------------------------------
Domain                    = DATA
Supplicant                = 0008.7492.2c0e
    Auth SM State         = AUTHENTICATED
    Auth BEND SM State    = IDLE
Port Status               = AUTHORIZED
ReAuthPeriod              = 36000
ReAuthAction              = Reauthenticate
TimeToNextReauth          = 35910
Authentication Method     = Dot1x
Posture                   = Healthy
Authorized By             = Authentication Server
Vlan Policy               = 200

SEC-CAT4#

DHCP Server:

*Feb 11 19:41:51.311: DHCPD: DHCPDISCOVER received from client
0100.0874.922c.0e through relay 10.20.20.1.
*Feb 11 19:41:51.311: DHCPD: Seeing if there is an internally specified
pool class:
*Feb 11 19:41:51.311:   DHCPD: htype 1 chaddr 0008.7492.2c0e
*Feb 11 19:41:51.311:   DHCPD: remote id 020a00000a64640521000000
*Feb 11 19:41:51.311:   DHCPD: circuit id 00000000
*Feb 11 19:41:51.311: DHCPD: Sending DHCPOFFER to client
0100.0874.922c.0e (10.20.20.201).
*Feb 11 19:41:51.311: DHCPD: Including FQDN option name
'RACK-XP2.ipexpert.com.' rcode1=0, rcode2=0 flags=0x0
*Feb 11 19:41:51.311: DHCPD: unicasting BOOTREPLY for client
0008.7492.2c0e to relay 10.20.20.1.
*Feb 11 19:41:51.315: DHCPD: DHCPREQUEST received from client
0100.0874.922c.0e.
*Feb 11 19:41:51.315: DHCPD: Sending notification of ASSIGNMENT:
*Feb 11 19:41:51.315:  DHCPD: address 10.20.20.201 mask 255.255.255.0
*Feb 11 19:41:51.315:   DHCPD: htype 1 chaddr 0008.7492.2c0e
*Feb 11 19:41:51.315:   DHCPD: lease time remaining (secs) = 86400
*Feb 11 19:41:51.315: DHCPD: Appending default domain from pool
*Feb 11 19:41:51.315: DHCPD: Using hostname 'RACK-XP2.ipexpert.com.' for
dynamic update (from FQDN option)
*Feb 11 19:41:51.315: DHCPD: Sending DHCPACK to client 0100.0874.922c.0e
(10.20.20.201).
*Feb 11 19:41:51.315: DHCPD: Including FQDN option name
'RACK-XP2.ipexpert.com.' rcode1=0, rcode2=0 flags=0x0
*Feb 11 19:41:51.315: DHCPD: unicasting BOOTREPLY for client
0008.7492.2c0e to relay 10.20.20.1.

Now the CTA client shows me a POP-Up window of "Healthy" and I do get a
DHCP lease, but the CTA does not see it and times out:

14:47:25.984    Port state transition to
AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_LOGOFF)
14:47:26.000    Port state transition to
AC_PORT_STATE_STOPPED(AC_PORT_STATUS_STOPPED)
14:47:28.078   Cisco Trust Agent 802.1X wired client   Connection
requested automatically from user context.
14:47:28.281    Connection authentication started using the logged in
user's credentials.
14:47:28.390    Port state transition to
AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
14:47:28.546    Port state transition to
AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
14:47:28.562    Identity has been requested from the network.
14:47:28.578    Identity has been sent to the network.
14:47:28.625    Authentication started using method type EAP-FAST, level
0
14:47:28.640    The server has requested using authentication type:
EAP-FAST
14:47:28.640    The client has requested using authentication type:
EAP-FAST
14:47:28.656   Validating the server.
14:47:28.937    Authentication started using method type EAP-GTC, level
1
14:47:28.937    The server has requested using authentication type:
EAP-GTC
14:47:28.937    The client has requested using authentication type:
EAP-GTC
14:47:28.953    Identity has been requested from the network.
14:47:28.968    Identity has been sent to the network.
14:47:31.062    Port state transition to
AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:47:31.062    The authentication process has succeeded.
14:47:42.859    Sending DHCP release request.
14:47:42.906    Sending DHCP renew request.
14:48:10.156    Sending DHCP renew request.
14:48:38.546    A failure occurred while trying to get an IP address
(-20:AC_ERR_SYSTEM)

Has anyone seen this before and have any ideas on how to troubleshoot?
Everything looks good from the CAT and ACS point of view. I have checked
the logs for the CTA agent and the only thing is the timing out of DHCP.

Thanks!
Dave
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
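As an added illustration (not code from the thread, from IPexpert or from Cisco), a small Python script that correlates the CTA wired-client log with the IOS DHCP server debug quoted above. It joins the wrapped log lines back together, normalises the three MAC spellings that appear in the thread (dot1x supplicant, ACS, and the DHCP client-id with its leading 01 hardware-type byte), and flags the exact symptom Dave describes: the server ACKed a lease to the supplicant's MAC, yet the client gave up with AC_ERR_SYSTEM.

```python
import re
from datetime import datetime

# Log excerpts copied from the thread above (CTA client log; IOS DHCP server debug).
CTA_LOG = """\
14:47:31.062    Port state transition to
AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:47:31.062    The authentication process has succeeded.
14:47:42.859    Sending DHCP release request.
14:47:42.906    Sending DHCP renew request.
14:48:10.156    Sending DHCP renew request.
14:48:38.546    A failure occurred while trying to get an IP address
(-20:AC_ERR_SYSTEM)
"""
DHCPD_LOG = """\
*Feb 11 19:41:51.311: DHCPD: Sending DHCPOFFER to client 0100.0874.922c.0e (10.20.20.201).
*Feb 11 19:41:51.315: DHCPD: Sending DHCPACK to client 0100.0874.922c.0e (10.20.20.201).
"""

CTA_TS = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
DHCPD_MSG = re.compile(r"DHCPD: Sending (DHCPOFFER|DHCPACK) to client ([0-9a-f.]+) \(([\d.]+)\)")

def hexmac(s):
    """Normalise '0008.7492.2c0e', '00-08-74-92-2C-0E' or the '01'+MAC DHCP client-id to 12 hex digits."""
    h = re.sub(r"[^0-9a-f]", "", s.lower())
    return h[2:] if len(h) == 14 and h.startswith("01") else h

def parse_cta(text):
    """Return [(time, message)]; a line with no timestamp continues the previous message."""
    events = []
    for line in text.splitlines():
        m = CTA_TS.match(line)
        if m:
            events.append([datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2)])
        elif events:
            events[-1][1] += " " + line.strip()
    return [tuple(e) for e in events]

def diagnose(cta_text, dhcpd_text, supplicant_mac):
    """Compare the client's view (CTA log) with the server's (DHCPD debug) for one MAC."""
    events = parse_cta(cta_text)
    success = [t for t, msg in events if "AC_PORT_STATUS_EAP_SUCCESS" in msg]
    failure = [t for t, msg in events if "failure occurred while trying to get an IP" in msg]
    renews = sum("DHCP renew request" in msg for _, msg in events)
    acks = {hexmac(cid): ip for kind, cid, ip in DHCPD_MSG.findall(dhcpd_text) if kind == "DHCPACK"}
    server_ip = acks.get(hexmac(supplicant_mac))
    return {
        "eap_success": bool(success),
        "renew_requests": renews,
        "client_gave_up": bool(failure),
        "server_acked_ip": server_ip,
        "secs_auth_to_failure": (failure[0] - success[0]).total_seconds() if success and failure else None,
        # the thread's symptom: a lease was ACKed to this MAC but the client still timed out
        "lease_acked_but_client_failed": bool(failure) and server_ip is not None,
    }
```

Note the clocks differ (the CTA log is in local time, the DHCPD debug in the router's clock), so the correlation is keyed on the MAC rather than on timestamps.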
