Hmm, ok, that might make sense, as I was following the VPN NAC section in
the ASA config guide, which to be honest was lacking in real detail.
I was using RAS VPN on the ASA.
The guide only really said to create the NAC policy, assign the RADIUS
group, and then assign the policy to the group policy of the tunnel.
It did look like it was trying to work, but EAP responses were not being
received from the client.
Was there anything I was missing?
When I enabled clientless NAC and set the user and password (eou
clientless), EAPoUDP would fail and fall back to clientless, which worked
fine.
Stu
Sent from my iPhone
On 3 Jul 2009, at 15:53, "Tyson Scott" <[email protected]> wrote:
Stuart,
I am not sure that is the completion of the configuration. I was
reading through the Cisco Network Admission Control Volume II NAC
Framework and the configuration you have below is not the same.
What type of VPN tunnel are you using? SSL or Remote Access? What
does the rest of the configuration look like? Send a "show run all".
Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
Join our free online support and peer group communities:
http://www.IPexpert.com/communities
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video
On Demand and Audio Certification Training Tools for the Cisco CCIE
R&S Lab, CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice
Lab and CCIE Storage Lab Certifications.
From: [email protected] [mailto:[email protected]] On Behalf Of Stuart Hare
Sent: Thursday, July 02, 2009 4:08 PM
To: OSL Security; Cisco certification
Subject: [OSL | CCIE_Security] VPN with NAC on ASA
I've been trying to get NAC working through VPN on the ASA, but the
EAPoUDP just doesn't seem to communicate with the client.
Certificates are installed; the VPN is establishing fine.
Communication to the ACS is fine, as clientless authentication works.
Seems to be an issue with the CTA not responding, but I'm not sure.
Any ideas?
Some output below:
Cheers
Stu
nac-policy NACPOL nac-framework
default-acl NAC_ACL
reval-period 36000
sq-period 300
authentication-server-group ACS
nac-policy NACPOL nac-framework
applied session count = 4
applied group-policy count = 1
group-policy list: DfltGrpPolicy
access-list NAC_ACL extended permit udp any any eq 21862
access-list NAC_ACL extended permit udp any any eq bootps
access-list NAC_ACL extended permit udp host 10.1.1.100 eq radius any
access-list NAC_ACL extended permit udp any host 10.1.1.100 eq radius
access-list NAC_ACL extended permit tcp any host 8.8.8.8 eq www
access-list NAC_ACL extended permit icmp any any
access-list NAC_ACL extended deny ip any any log
%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-6-334001: EAPoUDP association initiated - 10.20.20.1.
%ASA-7-609001: Built local-host identity:10.1.1.1
%ASA-6-302015: Built outbound UDP connection 387 for outside:10.20.20.1/21862 (10.20.20.1/21862) to identity:10.1.1.1/1024 (10.1.1.1/1024)
%ASA-7-609001: Built local-host outside:192.1.49.100
%ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100,
Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
NAC-FRAMEWORK default acl NAC_ACL applied - 10.20.20.1
%ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100,
Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
NAC-FRAMEWORK updated SSL session management entry - 10.20.20.1
%ASA-6-302016: Teardown UDP connection 385 for outside:8.8.8.8/123 to inside:5.5.5.5/123 duration 0:02:01 bytes 136
%ASA-7-609002: Teardown local-host outside:8.8.8.8 duration 0:02:01
%ASA-5-334006: EAPoUDP failed to get a response from host - 10.20.20.1.
%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-5-334005: Host put into NAC Hold state - 10.20.20.1.
%ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100,
Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
%ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100,
Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
NAC-FRAMEWORK default acl NAC_ACL applied - 10.20.20.1
NAC-FRAMEWORK updated SSL session management entry - 10.20.20.1
--
Stuart Hare
[email protected]
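The two things a practitioner would check first from the output in this thread are whether the NAC default ACL actually lets EAPoUDP (UDP 21862) through before the catch-all deny, and which VPN hosts the ASA pushed into NAC Hold after logging 334001 (association initiated) followed by 334006 (no response) and 334005 (Hold). The script below does both over the ACL and syslog lines from the post. It is an added example written for this page, not code from the thread or from any Cisco tool; the ACL_MISSING variant and the second host 10.20.20.2 in SAMPLE_LOG are constructed to give the checks something to flag, and the parsing assumes the message format shown in the post (NAC messages ending in "- <host IP>").

```python
"""Triage helper for the ASA NAC Framework (EAPoUDP) symptoms in the thread:
does the NAC default ACL permit EAPoUDP, and which hosts went into NAC Hold
because the ASA never got an EAPoUDP answer from them?
Example code added here; not from the post or any Cisco tool."""
import re
from collections import defaultdict

EAPOUDP_PORT = 21862  # UDP port the ASA uses for EAPoUDP to the CTA

# Constructed sample inputs. ACL_OK is the NAC_ACL from the post (trimmed);
# ACL_MISSING is a hypothetical variant with the EAPoUDP permit left out.
ACL_OK = """
access-list NAC_ACL extended permit udp any any eq 21862
access-list NAC_ACL extended permit udp any any eq bootps
access-list NAC_ACL extended permit icmp any any
access-list NAC_ACL extended deny ip any any log
"""
ACL_MISSING = """
access-list NAC_ACL extended permit udp any any eq bootps
access-list NAC_ACL extended permit icmp any any
access-list NAC_ACL extended deny ip any any log
"""
# Constructed syslog sample modelled on the messages in the post; 10.20.20.2 is
# a hypothetical second host that only got as far as "association initiated".
SAMPLE_LOG = """
%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-6-334001: EAPoUDP association initiated - 10.20.20.1.
%ASA-6-302015: Built outbound UDP connection 387 for outside:10.20.20.1/21862 (10.20.20.1/21862) to identity:10.1.1.1/1024 (10.1.1.1/1024)
%ASA-5-334006: EAPoUDP failed to get a response from host - 10.20.20.1.
%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-5-334005: Host put into NAC Hold state - 10.20.20.1.
%ASA-6-334001: EAPoUDP association initiated - 10.20.20.2.
"""

ACL_RE = re.compile(r"^access-list\s+\S+\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")


def acl_permits_eapoudp(acl_text, port=EAPOUDP_PORT):
    """True if a 'permit udp ... eq <port>' entry is reached before a catch-all deny.
    Entries are evaluated top-down, like the ASA does."""
    for line in acl_text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        action, proto, rest = m.groups()
        if action == "permit" and proto == "udp" and re.search(rf"\beq\s+{port}\b", rest):
            return True
        if action == "deny" and proto == "ip" and rest.startswith("any any"):
            return False  # catch-all deny hit first; EAPoUDP would be dropped
    return False  # no explicit permit: the implicit deny applies


# NAC-related ASA message IDs seen in the post, mapped to short event names.
NAC_IDS = {"334001": "initiated", "334006": "no_response",
           "334005": "hold", "335003": "default_acl"}
# NAC messages end with " - <host IP>" (optionally followed by a period).
LOG_RE = re.compile(r"%ASA-\d-(\d{6}):\s*(.*?)\s+-\s+(\d+(?:\.\d+){3})\.?$")


def summarize_nac_events(log_text):
    """Per-host counters of the NAC events, keyed by the host IP in the message."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m.group(1) not in NAC_IDS:
            continue  # connection build/teardown lines etc. are ignored
        counts[m.group(3)][NAC_IDS[m.group(1)]] += 1
    return {host: dict(c) for host, c in counts.items()}


def hosts_in_hold_without_response(summary):
    """Hosts that started EAPoUDP, never answered, and were placed in NAC Hold."""
    return sorted(h for h, c in summary.items()
                  if c.get("initiated") and c.get("no_response") and c.get("hold"))


if __name__ == "__main__":
    print("NAC_ACL permits EAPoUDP:", acl_permits_eapoudp(ACL_OK))
    print("hypothetical ACL permits EAPoUDP:", acl_permits_eapoudp(ACL_MISSING))
    summary = summarize_nac_events(SAMPLE_LOG)
    for host in hosts_in_hold_without_response(summary):
        print(f"{host}: EAPoUDP initiated but no reply from host; host is in NAC Hold")
```

Run against the output in the post, the ACL check passes (the permit for udp/21862 sits above the deny), so the ACL is not what is blocking EAPoUDP; the log summary confirms that 10.20.20.1 went initiated, no_response, hold, which is exactly the "CTA not responding" symptom described above rather than an ACS or ACL failure. Feeding a "show run" and a syslog export into the same two functions separates those two causes quickly.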