I've been trying to get NAC working through VPN on the ASA, but the EAPoUDP just doesn't seem to communicate with the client.
Certificates are installed; VPN is establishing fine. Communication to the ACS is fine, as clientless authentication works. Seems to be an issue with the CTA not responding, but not sure. Any ideas?? Some output below:

Cheers
Stu

nac-policy NACPOL nac-framework
 default-acl NAC_ACL
 reval-period 36000
 sq-period 300
 authentication-server-group ACS

nac-policy NACPOL nac-framework applied
 session count = 4
 applied group-policy count = 1
 group-policy list: DfltGrpPolicy

access-list NAC_ACL extended permit udp any any eq 21862
access-list NAC_ACL extended permit udp any any eq bootps
access-list NAC_ACL extended permit udp host 10.1.1.100 eq radius any
access-list NAC_ACL extended permit udp any host 10.1.1.100 eq radius
access-list NAC_ACL extended permit tcp any host 8.8.8.8 eq www
access-list NAC_ACL extended permit icmp any any
access-list NAC_ACL extended deny ip any any log

%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-6-334001: EAPoUDP association initiated - 10.20.20.1.
%ASA-7-609001: Built local-host identity:10.1.1.1
%ASA-6-302015: Built outbound UDP connection 387 for outside:10.20.20.1/21862 (10.20.20.1/21862) to identity:10.1.1.1/1024 (10.1.1.1/1024)
%ASA-7-609001: Built local-host outside:192.1.49.100
%ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100, Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
NAC-FRAMEWORK default acl NAC_ACL applied - 10.20.20.1
%ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100, Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
NAC-FRAMEWORK updated SSL session management entry - 10.20.20.1
%ASA-6-302016: Teardown UDP connection 385 for outside:8.8.8.8/123 to inside:5.5.5.5/123 duration 0:02:01 bytes 136
%ASA-7-609002: Teardown local-host outside:8.8.8.8 duration 0:02:01
%ASA-5-334006: EAPoUDP failed to get a response from host - 10.20.20.1.
%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-5-334005: Host put into NAC Hold state - 10.20.20.1.
%ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100, Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
%ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100, Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
NAC-FRAMEWORK default acl NAC_ACL applied - 10.20.20.1
NAC-FRAMEWORK updated SSL session management entry - 10.20.20.1

--
Stuart Hare
[email protected]
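An added example, not code from the original post or from Cisco: a small Python script that pulls the NAC-Framework message IDs that appear in the post's syslog (334001 association initiated, 334006 no response, 334005 Hold state, 335003 default ACL applied) and reports which remote hosts had an EAPoUDP association initiated but never answered and ended up in Hold, which is exactly the sequence in the post. It also checks that the NAC default ACL carries a permit for UDP 21862 (the EAPoUDP port shown in the post's ACL and in the outbound connection log) ahead of the final deny. The sample log and ACL lines are copied from the post; the function names and the event labels are my own.

```python
"""Correlate Cisco ASA NAC-Framework syslog messages per remote host.

Added example, not part of the original post. It works on the message IDs
visible in the post's logs and on the post's NAC_ACL lines; everything else
(function names, event labels) is an assumption made for illustration.
"""
import re
from collections import defaultdict

# EAPoUDP port, as seen in the post's ACL and in the 302015 connection log.
EAPOUDP_PORT = 21862

# ASA syslog IDs for the NAC Framework, labelled as the post's own lines describe them.
NAC_EVENTS = {
    "334001": "association_initiated",
    "334006": "no_response",
    "334005": "hold_state",
    "335003": "default_acl_applied",
}

MSGID_RE = re.compile(r"%ASA-\d-(\d{6}): ")
# NAC messages end with " - <host-ip>." ; capture the host and tolerate the trailing dot.
HOST_RE = re.compile(r" - (\d{1,3}(?:\.\d{1,3}){3})\.?\s*$")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*)$"
)

# Sample input, copied from the post (constructed subset for the example).
SAMPLE_LOG = """\
%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-6-334001: EAPoUDP association initiated - 10.20.20.1.
%ASA-6-302015: Built outbound UDP connection 387 for outside:10.20.20.1/21862 (10.20.20.1/21862) to identity:10.1.1.1/1024 (10.1.1.1/1024)
%ASA-5-334006: EAPoUDP failed to get a response from host - 10.20.20.1.
%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-5-334005: Host put into NAC Hold state - 10.20.20.1.
""".splitlines()

SAMPLE_ACL = """\
access-list NAC_ACL extended permit udp any any eq 21862
access-list NAC_ACL extended permit udp any any eq bootps
access-list NAC_ACL extended deny ip any any log
""".splitlines()


def parse_line(line):
    """Return (msgid, host) for a NAC-related ASA syslog line, else None."""
    m = MSGID_RE.search(line)
    if not m or m.group(1) not in NAC_EVENTS:
        return None
    h = HOST_RE.search(line)
    return m.group(1), (h.group(1) if h else None)


def eapoudp_timeline(lines):
    """Map host -> ordered list of NAC event labels seen for that host."""
    timeline = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1]:
            timeline[parsed[1]].append(NAC_EVENTS[parsed[0]])
    return dict(timeline)


def unresponsive_hosts(lines):
    """Hosts whose association was initiated, got no reply, and were put into Hold."""
    out = []
    for host, events in eapoudp_timeline(lines).items():
        if {"association_initiated", "no_response", "hold_state"} <= set(events):
            out.append(host)
    return sorted(out)


def acl_permits_eapoudp(acl_lines, acl_name):
    """True if the named ACL permits UDP 21862 before any catch-all deny would match it.

    Entries are evaluated top-down like the ASA does; a 'deny ip any any' or
    'deny udp any any' reached first means the EAPoUDP entry can never match.
    """
    for line in acl_lines:
        m = ACL_RE.match(line.strip())
        if not m or m.group("name") != acl_name:
            continue
        action, proto, rest = m.group("action"), m.group("proto"), m.group("rest")
        if action == "permit" and proto == "udp" and f"eq {EAPOUDP_PORT}" in rest:
            return True
        if action == "deny" and proto in ("ip", "udp") and rest.startswith("any any"):
            return False
    return False


if __name__ == "__main__":
    for host, events in eapoudp_timeline(SAMPLE_LOG).items():
        print(host, "->", " > ".join(events))
    print("unresponsive:", unresponsive_hosts(SAMPLE_LOG))
    print("NAC_ACL permits EAPoUDP:", acl_permits_eapoudp(SAMPLE_ACL, "NAC_ACL"))
```

Run against a `show logging` capture, the timeline for a host that ends in `association_initiated > no_response > default_acl_applied > hold_state`, as in the post, says the ASA sent the EAPoUDP probe and the client-side agent never answered; the ACL check rules out the default ACL silently dropping port 21862, so the remaining suspects are on the client side.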
