Stuart,
I am not sure that is the complete configuration. I was reading through the Cisco Network Admission Control Volume II NAC Framework and the configuration you have below is not the same. Stuart, what type of VPN tunnel are you using? SSL or Remote Access? What does the rest of the configuration look like? Send a show run all.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: [email protected] [mailto:[email protected]] On Behalf Of Stuart Hare
Sent: Thursday, July 02, 2009 4:08 PM
To: OSL Security; Cisco certification
Subject: [OSL | CCIE_Security] VPN with NAC on ASA

I've been trying to get NAC working through VPN on the ASA, but the EAPoUDP just doesn't seem to communicate with the client. Certificates are installed; the VPN is establishing fine. Communication to the ACS is fine, as clientless authentication works. It seems to be an issue with the CTA not responding, but I'm not sure. Any ideas?
Some output below:

Cheers
Stu

nac-policy NACPOL nac-framework
  default-acl NAC_ACL
  reval-period 36000
  sq-period 300
  authentication-server-group ACS

nac-policy NACPOL nac-framework
  applied session count = 4
  applied group-policy count = 1
  group-policy list: DfltGrpPolicy

access-list NAC_ACL extended permit udp any any eq 21862
access-list NAC_ACL extended permit udp any any eq bootps
access-list NAC_ACL extended permit udp host 10.1.1.100 eq radius any
access-list NAC_ACL extended permit udp any host 10.1.1.100 eq radius
access-list NAC_ACL extended permit tcp any host 8.8.8.8 eq www
access-list NAC_ACL extended permit icmp any any
access-list NAC_ACL extended deny ip any any log

%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-6-334001: EAPoUDP association initiated - 10.20.20.1.
%ASA-7-609001: Built local-host identity:10.1.1.1
%ASA-6-302015: Built outbound UDP connection 387 for outside:10.20.20.1/21862 (10.20.20.1/21862) to identity:10.1.1.1/1024 (10.1.1.1/1024)
%ASA-7-609001: Built local-host outside:192.1.49.100
%ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100, Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
NAC-FRAMEWORK default acl NAC_ACL applied - 10.20.20.1
%ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100, Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
NAC-FRAMEWORK updated SSL session management entry - 10.20.20.1
%ASA-6-302016: Teardown UDP connection 385 for outside:8.8.8.8/123 to inside:5.5.5.5/123 duration 0:02:01 bytes 136
%ASA-7-609002: Teardown local-host outside:8.8.8.8 duration 0:02:01
%ASA-5-334006: EAPoUDP failed to get a response from host - 10.20.20.1.
%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-5-334005: Host put into NAC Hold state - 10.20.20.1.
%ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100, Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
%ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100, Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
NAC-FRAMEWORK default acl NAC_ACL applied - 10.20.20.1
NAC-FRAMEWORK updated SSL session management entry - 10.20.20.1

--
Stuart Hare
[email protected]
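The syslog sequence Stuart posted (334001 association initiated, 334006 no response, 334005 Hold) is the signature of the ASA never hearing back from the CTA on UDP/21862, as opposed to a host that answered and failed posture. The script below is an added example, not part of the thread: it keys on the ASA message IDs to build a per-host NAC timeline, flags hosts stuck in that pattern, and checks that the default ACL actually permits EAPoUDP so the client can reply while held. The sample log and ACL lines are constructed from the output above.

```python
import re
from collections import defaultdict

# Constructed sample: the NAC-related syslog lines from the thread, in order.
SAMPLE_LOG = """\
%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-6-334001: EAPoUDP association initiated - 10.20.20.1.
%ASA-6-302015: Built outbound UDP connection 387 for outside:10.20.20.1/21862 (10.20.20.1/21862) to identity:10.1.1.1/1024 (10.1.1.1/1024)
%ASA-5-334006: EAPoUDP failed to get a response from host - 10.20.20.1.
%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-5-334005: Host put into NAC Hold state - 10.20.20.1.
"""

# Constructed sample: the NAC default ACL from the thread.
SAMPLE_ACL = [
    "access-list NAC_ACL extended permit udp any any eq 21862",
    "access-list NAC_ACL extended permit udp any any eq bootps",
    "access-list NAC_ACL extended deny ip any any log",
]

# Key on the six-digit message ID; the trailing " - <ip>." carries the NAC host.
SYSLOG_RE = re.compile(
    r"%ASA-\d-(?P<id>\d{6}): (?P<text>.*?)(?: - (?P<host>\d+\.\d+\.\d+\.\d+)\.?)?$")

NAC_EVENTS = {
    "334001": "initiated",    # EAPoUDP association initiated
    "334006": "no_response",  # EAPoUDP failed to get a response from host
    "334005": "hold",         # Host put into NAC Hold state
    "335003": "default_acl",  # NAC Default ACL applied
}

def parse_nac_events(log_text):
    """Return {host: [event, ...]} for the NAC message IDs only, in log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if m and m.group("id") in NAC_EVENTS and m.group("host"):
            events[m.group("host")].append(NAC_EVENTS[m.group("id")])
    return dict(events)

def hosts_with_unanswered_eapoudp(events):
    """Hosts whose posture check started, drew no EAPoUDP reply, and ended in Hold:
    the ASA never heard from the CTA, so the client sits behind the default ACL."""
    return sorted(h for h, seq in events.items()
                  if "initiated" in seq and "no_response" in seq and seq[-1] == "hold")

def default_acl_permits_eapoudp(acl_lines, acl_name="NAC_ACL"):
    """True if the default ACL lets UDP/21862 through, which a held host needs to answer."""
    return any(l.startswith(f"access-list {acl_name} ") and " permit udp " in l
               and l.rstrip().endswith(" eq 21862") for l in acl_lines)
```

If the ACL check passes and a host still shows this pattern, the problem is on the client side (CTA not running or not answering), not the ASA's hold-state filtering.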
