
A-5
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Appendix A      Troubleshooting
Cisco IOS Issues
Condition:
The results of show eou all or show eou ip address include
postures that do not match the actual result of posture
validation or display “-------” instead of a posture.
Recovery Action:
If the posture displayed is “-------”, the AAA client is not receiving 
the posture-token attribute-value (AV) pair within a Cisco IOS/PIX 
RADIUS cisco-av-pair vendor-specific attribute (VSA). If the 
posture displayed does not correspond to the actual result of posture 
validation, the AAA client is receiving an incorrect value in the 
posture-token AV pair. 
Check group mappings for Network Admission Control (NAC) 
databases to verify that the correct user groups are associated with 
each system posture token (SPT). In the user groups configured for 
use with NAC, be sure that the Cisco IOS/PIX cisco-av-pair VSA is 
configured correctly. For example, in a group configured to 
authorize NAC clients receiving a Healthy SPT, be sure the 
[009\001] cisco-av-pair check box is selected and that the 
following string appears in the [009\001] cisco-av-pair text box:
posture-token=Healthy
Caution: The posture-token AV pair is the only way that Cisco 
Secure ACS notifies the AAA client of the SPT returned 
by posture validation. Because you manually configure 
the posture-token AV pair, errors in configuring 
posture-token can result in the incorrect SPT being sent 
to the AAA client or, if the AV pair name is mistyped, the 
AAA client not receiving the SPT at all.
Note: AV pair names are case sensitive.
For information about group mapping for NAC databases, see NAC 
Group Mapping, page 16-13. For more information about the Cisco 
IOS/PIX cisco-av-pair VSA, see About the cisco-av-pair RADIUS 
Attribute, page C-7.
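
The following Python example is added here and is not part of the Cisco guide or any Cisco tool. It parses a captured RADIUS Access-Accept (attribute layout per RFC 2865) and reports which of the two conditions above applies. The function names, the expected_spt parameter and the sample packets are assumptions constructed for illustration.

```python
import struct

CISCO_VENDOR_ID = 9    # the "009" in [009\001]
CISCO_AV_PAIR = 1      # the "001" in [009\001]
VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute (RFC 2865)

def cisco_av_pairs(packet: bytes) -> list[str]:
    """Return every cisco-av-pair string carried in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pairs, pos = [], 20                    # attributes follow the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            (vendor,) = struct.unpack("!I", value[:4])
            vtype, vlen = value[4], value[5]
            if (vendor == CISCO_VENDOR_ID and vtype == CISCO_AV_PAIR
                    and 2 <= vlen <= len(value) - 4):
                pairs.append(value[6:4 + vlen].decode("ascii", "replace"))
        pos += alen
    return pairs

def diagnose(packet: bytes, expected_spt: str) -> str:
    """Map the packet contents onto the symptoms described above."""
    near_miss = None
    for pair in cisco_av_pairs(packet):
        name, _, value = pair.partition("=")
        if name == "posture-token":        # AV pair names are case sensitive
            return "ok" if value == expected_spt else f"wrong value: {value}"
        if name.lower() == "posture-token":
            near_miss = name               # present, but not recognizable
    if near_miss:
        return f"missing (name mistyped as {near_miss!r})"
    return "missing"

def build_accept(av_pair: str) -> bytes:
    """Constructed sample: Access-Accept carrying one cisco-av-pair VSA."""
    data = av_pair.encode("ascii")
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, len(data) + 2) + data
    attr = bytes([VENDOR_SPECIFIC, len(vsa) + 2]) + vsa
    return struct.pack("!BBH", 2, 1, 20 + len(attr)) + bytes(16) + attr
```

A "missing" result corresponds to the “-------” display, and a "wrong value" result corresponds to a posture that does not match the actual result of posture validation.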