Tyson, I have re-labbed this up today in pod106 (using 5A initial cfgs as the baseline) and it worked first time, no problem, so it must have been an issue with the CTA on POD118. I have had a few issues with CTA where Drew or Ryan have had to reinstall it for me, so not surprised.
In terms of the NAC config on the ASA, it looks like the majority of the old NAC commands have been deprecated in this v8 code. All you can really do now is configure the NAC policy and apply it to the group policy for the tunnel group. R5 was the CA/NTP server; on the ACS I used PEAP posture validation with EAP-FAST. I can't really find any decent examples in the docs, so this has been a little trial and error. I'm not entirely sure on the default ACL entries, and the need for EAPoUDP / BOOTP / RADIUS for instance, but I stuck to the same principles as I would with IOS just in case. You never actually see any hits on these ACL entries though, except the explicit deny.

access-list NAC_ACL extended permit udp any any eq 21862
access-list NAC_ACL extended permit udp any any eq bootps
access-list NAC_ACL extended permit icmp any any
access-list NAC_ACL extended permit udp host 10.1.1.100 eq radius any
access-list NAC_ACL extended permit tcp any host 8.8.8.8 eq www
access-list NAC_ACL extended deny ip any any log

dynamic-access-policy-record DfltAccessPolicy

aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.100
 timeout 5
 key ipexpert

nac-policy NAC nac-framework
 default-acl NAC_ACL
 reval-period 36000
 sq-period 300
 authentication-server-group ACS

group-policy RAS_GP attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLTUN
 nac-settings value NAC
 address-pools value VPN

tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
 default-group-policy RAS_GP

ASA cfg is attached for reference; it contains some random WebVPN stuff I was playing with as well, so excuse the mess :-) Incidentally, the same configuration was used for AnyConnect WebVPN NAC as well. On a side note, I had one small issue with WebVPN on the ASA, and that was the tunnel group list for the login page. Although it was enabled under the webvpn configuration mode, tunnel group lists were never displayed, only the username and password.
Any ideas????

Anyway, hopefully this may help someone else in the process.

Stu

On Fri, Jul 3, 2009 at 3:53 PM, Tyson Scott <[email protected]> wrote:

> Stuart,
>
> I am not sure that is the completion of the configuration. I was reading
> thru the Cisco Network Admission Control Volume II NAC Framework and the
> configuration you have below is not the same.
>
> What type of VPN tunnel are you using? SSL or Remote Access? What does
> the rest of the configuration look like. Send a show run all
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
> CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE
> Storage Lab Certifications.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Stuart Hare
> Sent: Thursday, July 02, 2009 4:08 PM
> To: OSL Security; Cisco certification
> Subject: [OSL | CCIE_Security] VPN with NAC on ASA
>
> I've been trying to get NAC working through VPN on the ASA, but the EAPoUDP
> just doesn't seem to communicate to the client.
>
> Certificates are installed; VPN is establishing fine.
> Communication to the ACS is fine as clientless authentication works.
>
> Seems to be an issue with the CTA not responding, but not sure.
>
> Any ideas??
>
> Some output below:
>
> Cheers
> Stu
>
> nac-policy NACPOL nac-framework
>  default-acl NAC_ACL
>  reval-period 36000
>  sq-period 300
>  authentication-server-group ACS
>
> nac-policy NACPOL nac-framework
>  applied session count = 4
>  applied group-policy count = 1
>  group-policy list: DfltGrpPolicy
>
> access-list NAC_ACL extended permit udp any any eq 21862
> access-list NAC_ACL extended permit udp any any eq bootps
> access-list NAC_ACL extended permit udp host 10.1.1.100 eq radius any
> access-list NAC_ACL extended permit udp any host 10.1.1.100 eq radius
> access-list NAC_ACL extended permit tcp any host 8.8.8.8 eq www
> access-list NAC_ACL extended permit icmp any any
> access-list NAC_ACL extended deny ip any any log
>
> %ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
> %ASA-6-334001: EAPoUDP association initiated - 10.20.20.1.
> %ASA-7-609001: Built local-host identity:10.1.1.1
> %ASA-6-302015: Built outbound UDP connection 387 for outside:10.20.20.1/21862 (10.20.20.1/21862) to identity:10.1.1.1/1024 (10.1.1.1/1024)
> %ASA-7-609001: Built local-host outside:192.1.49.100
> %ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100, Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
> NAC-FRAMEWORK default acl NAC_ACL applied - 10.20.20.1
> %ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100, Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
> NAC-FRAMEWORK updated SSL session management entry - 10.20.20.1
> %ASA-6-302016: Teardown UDP connection 385 for outside:8.8.8.8/123 to inside:5.5.5.5/123 duration 0:02:01 bytes 136
> %ASA-7-609002: Teardown local-host outside:8.8.8.8 duration 0:02:01
> %ASA-5-334006: EAPoUDP failed to get a response from host - 10.20.20.1.
> %ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
> %ASA-5-334005: Host put into NAC Hold state - 10.20.20.1.
> %ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100, Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
> %ASA-7-715077: Group = RAS, Username = cisco, IP = 192.1.49.100, Pitcher: received FILTER_UPDATE, spi 0x5f45c0a2
> NAC-FRAMEWORK default acl NAC_ACL applied - 10.20.20.1
> NAC-FRAMEWORK updated SSL session management entry - 10.20.20.1
>
> --
> Stuart Hare
> [email protected]

--
Stuart Hare
[email protected]
sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ASA1
domain-name ipexpert.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.1.24.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.2.10 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ipexpert.com
access-list OUT extended permit ip any any
access-list STUNNEL extended permit ip any 10.0.0.0 255.0.0.0
access-list SPLTUN standard permit 10.1.1.0 255.255.255.0
access-list SPLTUN standard permit 10.2.2.0 255.255.255.0
access-list NAC_ACL extended permit udp any any eq 21862
access-list NAC_ACL extended permit udp any any eq bootps
access-list NAC_ACL extended permit icmp any any
access-list NAC_ACL extended permit udp host 10.1.1.100 eq radius any
access-list NAC_ACL extended permit tcp any host 8.8.8.8 eq www
access-list NAC_ACL extended deny ip any any log
pager lines 24
logging enable
logging buffer-size 9999
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip local pool VPN 10.2.2.50-10.2.2.90 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/ASDM-615.BIN
no asdm history enable
arp timeout 14400
access-group OUT in interface outside
!
router ospf 1
 network 10.2.2.0 255.255.255.0 area 0
 network 192.1.24.0 255.255.255.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.100
 timeout 5
 key ipexpert
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.1.1.100
 timeout 5
 server-type auto-detect
nac-policy NAC nac-framework
 default-acl NAC_ACL
 reval-period 36000
 sq-period 300
 authentication-server-group ACS
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DCM 65000 set transform-set TS
crypto dynamic-map DCM 65000 set security-association lifetime seconds 28800
crypto dynamic-map DCM 65000 set security-association lifetime kilobytes 4608000
crypto dynamic-map DCM 65000 set reverse-route
crypto map CRM 65000 ipsec-isakmp dynamic DCM
crypto map CRM interface outside
crypto ca trustpoint R5
 enrollment url http://5.5.5.5:80/cgi-bin/pkiclient.exe
 crl configure
crypto ca certificate chain R5
 certificate 04
  [certificate hex data omitted]
  quit
 certificate ca 01
  [CA certificate hex data omitted]
  quit
crypto isakmp enable outside
crypto isakmp policy 65000
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authentication-key 1 md5 *
ntp authenticate
ntp trusted-key 1
ntp server 5.5.5.5 key 1
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 svc enable
 port-forward PF_23 23000 5.5.5.5 telnet Telnet_TO_R5
 tunnel-group-list enable
 smart-tunnel list apps CommandPrompt cmd.exe
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLTUN
 nac-settings value NAC
 address-pools value VPN
 webvpn
  port-forward name PF_23
  port-forward enable PF_23
group-policy RAS_GP internal
group-policy RAS_GP attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLTUN
 nac-settings value NAC
 address-pools value VPN
 webvpn
  port-forward name PF_23
  port-forward enable PF_23
  svc keep-installer installed
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
 default-group-policy RAS_GP
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point R5
tunnel-group DefaultWEBVPNGroup general-attributes
tunnel-group RAS type remote-access
tunnel-group RAS general-attributes
 address-pool VPN
 default-group-policy RAS_GP
tunnel-group RAS ipsec-attributes
 trust-point R5
!
class-map inspection_default
 match default-inspection-traffic
!
prompt hostname context
Cryptochecksum:76022109b2766e8345be26481bdc4d26
: end
ASA1#
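The syslog output quoted in the thread (334001 association initiated, 334006 no response, 334005 hold state, 335003 default ACL applied) is what you would watch to spot a posture agent that never answers EAPoUDP, as happened with the CTA on POD118. The following is an added example, not code from the thread or from Cisco, that parses those message IDs from ASA syslog and reports per-host NAC posture state; the sample log is constructed from the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the ASA syslog lines quoted in the thread.
SAMPLE_LOG = """\
%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-6-334001: EAPoUDP association initiated - 10.20.20.1.
%ASA-6-302015: Built outbound UDP connection 387 for outside:10.20.20.1/21862 (10.20.20.1/21862) to identity:10.1.1.1/1024 (10.1.1.1/1024)
%ASA-5-334006: EAPoUDP failed to get a response from host - 10.20.20.1.
%ASA-5-335003: NAC Default ACL applied, ACL:NAC_ACL - 10.20.20.1.
%ASA-5-334005: Host put into NAC Hold state - 10.20.20.1.
"""

# "%ASA-<severity>-<id>: <text> - <host>." ; the trailing host is optional
# because many messages (e.g. 302015) carry no " - <ip>" suffix.
MSG_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*?)"
    r"(?: - (?P<host>\d{1,3}(?:\.\d{1,3}){3}))?\.?$"
)

# The NAC / EAPoUDP message IDs seen in the thread's output.
EVENTS = {"334001": "initiated", "334006": "no_response",
          "334005": "hold", "335003": "default_acl"}

def parse_line(line):
    """Return {id, host, text} for an ASA syslog line, or None if it is not one."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return {"id": m.group("id"), "host": m.group("host"), "text": m.group("text")}

def nac_posture_summary(log_text):
    """Per-host view of NAC posture: EAPoUDP attempts, timeouts, hold state, ACL."""
    hosts = defaultdict(lambda: {"initiated": 0, "no_response": 0,
                                 "hold": False, "default_acl": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["id"] not in EVENTS or not rec["host"]:
            continue  # not a NAC event, or no host to attribute it to
        state, kind = hosts[rec["host"]], EVENTS[rec["id"]]
        if kind in ("initiated", "no_response"):
            state[kind] += 1
        elif kind == "hold":
            state["hold"] = True
        else:  # default_acl: pull the ACL name out of "ACL:<name>"
            acl = re.search(r"ACL:(\S+)", rec["text"])
            state["default_acl"] = acl.group(1) if acl else None
    return dict(hosts)

def hosts_needing_attention(summary):
    """Hosts held after EAPoUDP timed out: the agent (CTA) never answered the ASA."""
    return sorted(h for h, s in summary.items() if s["hold"] and s["no_response"] > 0)
```

A host that shows up here is stuck behind the default ACL (NAC_ACL) with only the permitted EAPoUDP/DHCP/ICMP traffic, so the list is the first thing to check when a VPN client can authenticate but never gets its full policy.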
