First check, the NAC is working with a router (NAC L3 IP). After conforming, then try with ASA.
ASA NAC is very simple. When the tunnel is up, ASA applies the default acl to the client and probes the client for CTA presence. If the client has the CTA, normal NAC authorization happens else clientless authorizes happen. With regards Kings On Thu, Aug 11, 2011 at 11:43 AM, Louis van Zyl - Business Connexion < [email protected]> wrote: > Hi Kingsley > > Thanks for the replies. I tested it last night at home with the ASA > running on GNS3 and it worked fine with the same config (I cut-and-pasted > it) on the ASA, my problems yesterday was on a real ASA. I used my laptop > with XP and a virtual XP machine and it worked with both > > My Setup: > > 1. Meetinghouse disabled on all interfaces. (CTA with supplicant > installed) > > 2. Split-tunnel ACL only has the VLAN on the inside of the ASA, not > the ASA’s outside interface > > 3. On GNS3 I have version 8.0.2 and on the real ASA in our lab on > 8.0.4 > > > > I will go try again with the real ASA a bit later. > > Louis > > > > *From:* Kingsley Charles [mailto:[email protected]] > *Sent:* 11 August 2011 06:36 AM > > *To:* Louis van Zyl - Business Connexion > *Cc:* [email protected] > *Subject:* Re: [OSL | CCIE_Security] NAC - ASA EZVPN client config > > > > For me it worked without meeting house. Can you try enabling it on the > physical interface and see, if it's working. > > Before that on the Window's command prompt, type "net start" and see, if > CTA is running. > > > With regards > Kings > > On Wed, Aug 10, 2011 at 8:20 PM, Louis van Zyl - Business Connexion < > [email protected]> wrote: > > Hi Kingsley > > Yes I did have a split-acl, I changed that now to tunnelall. But I’m seeing > the same. The packet capture on my VPN interface shows traffic from the ASA > to my VPN assigned IP on udp 21862 but the PC isn’t responding. > > Should the Meetinghouse client be enabled on 1. the VPN adapter, and 2. On > the LAN adapter? > > Louis > > > > *From:* Kingsley Charles [mailto:[email protected]] > *Sent:* 10 August 2011 03:53 PM > *To:* Louis van Zyl - Business Connexion > *Cc:* [email protected] > *Subject:* Re: [OSL | CCIE_Security] NAC - ASA EZVPN client config > > > > I guess, you are using split acl. If yes, you need to tune the split acl to > allow a specific traffic from the client in order for the ASA to detect the > CTA. Else configure the ASA for full tunneling, you can see that NAC is > working. > > To confirm that run wireshark on the VPN interface of the client and you > can see that the client is replying to the NAC requests from ASA. Remember, > that you can run wireshark on the vpn interface only when the tunnel is up. > > The reason is with split tunneling, the client response to the NAC response > may be not going in the tunnel. You need to make it to go through tunnel. > > Mostly the split tunnel should have an extra ACE permitting traffic to ASA > outside interface on which you have enabled crypto map. > > > With regards > Kings > > On Wed, Aug 10, 2011 at 6:42 PM, Louis van Zyl - Business Connexion < > [email protected]> wrote: > > Hi > > I'm testing NAC over EZVPN on an ASA. > > My problem is that my XP client keeps on saying that it doesn't have the > CTA installed. I have read a few other threads about this as well but still > no luck. > > > > I've installed the ACS's cert in the root store on XP using ctacert.exe > > I've tried enabling the meetinghouse client on the VPN adapter, and also > with it disabled. > > I've tried with CTA without the 802.1x supplicant as well. > > My PRE_NAC ACL has permit ip any any > > My ASA's outside interface has permit any any > > > > Any further suggestions? > This e-mail and its contents are subject to the Business Connexion (Pty) > Ltd. E-mail legal notice > > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com > > > ------------------------------ > > No virus found in this message. > Checked by AVG - www.avg.com > Version: 10.0.1392 / Virus Database: 1520/3824 - Release Date: 08/09/11 > This e-mail and its contents are subject to the Business Connexion (Pty) > Ltd. E-mail legal notice > > > ------------------------------ > > No virus found in this message. > Checked by AVG - www.avg.com > Version: 10.0.1392 / Virus Database: 1520/3826 - Release Date: 08/10/11 > > This e-mail and its contents are subject to the Business Connexion (Pty) > Ltd. E-mail legal notice >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
