Cisco ACS 4.x and 802.1x - layer 2 NAC

gsellis

We are working on a couple of lab experiments with layer-2 NAC. We have a W2K3 set of servers. One is the AD, one an enterprise CA (MS), and one is a 4.1 Cisco ACS. I think the switches are 3600s. We are currently using the XP SP2 Microsoft supplicant. I have the AD passing the computer cert to the clients and the ACS authorizes the clients. But, if I add the Certificate Revocation List to the ACS parameters, the ACS will no longer work right (switch shows Unauthorized). The certs are valid and passed until we turned on CRL. We turned on CRL because the ACS caches the certs and, if they get revoked, the ACS still thinks they are valid.

We are just starting to work it with Cisco, but I wanted to see if there was another opinion on what might be the issue. I had to use the URL to get the CRL in the settings for ACS.
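
Added illustration, not code from the thread or from Cisco: a Go program that builds a throwaway CA, client certificate and CRL in memory, then applies the checks an authenticator makes once CRL checking is switched on. It shows why a CRL that cannot be fetched, has expired, or is signed by a different CA turns every client Unauthorized, not only the revoked ones, which is the symptom described above. All names (NewLab, CheckClient, the CNs, the serials) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewLab builds a constructed CA, one client cert and a CRL signed by that CA (client listed only if revokeClient).
func NewLab(now time.Time, crlLifetime time.Duration, revokeClient bool) (ca, client *x509.Certificate, crl *x509.RevocationList, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Enterprise CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // the CA must be allowed to sign CRLs
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	clKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	clTmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "host.lab.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	clDER, _ := x509.CreateCertificate(rand.Reader, clTmpl, ca, &clKey.PublicKey, caKey)
	client, _ = x509.ParseCertificate(clDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(crlLifetime)}
	if revokeClient {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: client.SerialNumber, RevocationTime: now}}
	}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	crl, err = x509.ParseRevocationList(crlDER)
	return
}

// CheckClient applies what an authenticator adds once CRL checking is on; any failure rejects an otherwise valid cert.
func CheckClient(ca, client *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if crl.CheckSignatureFrom(ca) != nil { // CRL fetched from the wrong CA, or tampered with
		return errors.New("CRL not signed by the trusted CA")
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) { // stale CRL fails everyone, not only revoked clients
		return errors.New("CRL outside its ThisUpdate..NextUpdate window")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return errors.New("client certificate is revoked")
		}
	}
	return nil
}
```

In a real deployment the CRL is whatever the server downloads from the configured URL, so the same three failures (bad signature, stale window, listed serial) are the first things to confirm when enabling CRL checking rejects every client.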

spidey07

Honestly, I'd open a TAC case.

It can get so convoluted and difficult with so many layers of security. Does sound like a certificate problem or a setup problem on the ACS server. Or try forum.cisco.com.


gsellis

We plan to. I was just probing here as we have a couple of folks on the edge.