I guess, you are using split acl. If yes, you need to tune the split acl to allow a specific traffic from the client in order for the ASA to detect the CTA. Else configure the ASA for full tunneling, you can see that NAC is working.
To confirm that run wireshark on the VPN interface of the client and you can see that the client is replying to the NAC requests from ASA. Remember, that you can run wireshark on the vpn interface only when the tunnel is up. The reason is with split tunneling, the client response to the NAC response may be not going in the tunnel. You need to make it to go through tunnel. Mostly the split tunnel should have an extra ACE permitting traffic to ASA outside interface on which you have enabled crypto map. With regards Kings On Wed, Aug 10, 2011 at 6:42 PM, Louis van Zyl - Business Connexion < [email protected]> wrote: > Hi > > I'm testing NAC over EZVPN on an ASA. > > My problem is that my XP client keeps on saying that it doesn't have the > CTA installed. I have read a few other threads about this as well but still > no luck. > > > > I've installed the ACS's cert in the root store on XP using ctacert.exe > > I've tried enabling the meetinghouse client on the VPN adapter, and also > with it disabled. > > I've tried with CTA without the 802.1x supplicant as well. > > My PRE_NAC ACL has permit ip any any > > My ASA's outside interface has permit any any > > > > Any further suggestions? > This e-mail and its contents are subject to the Business Connexion (Pty) > Ltd. E-mail legal notice > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
