In the end it seems my problem was with the ACS certificate: if I generate a 
cert with key-length 2048 (the default) my NAC doesn't work with the ASA + 
EZVPN, even though my NAC worked with L2-IP and L2-802.1x.
With an ACS cert with key-length 1024 my NAC works with the ACS.

From: Kingsley Charles [mailto:[email protected]]
Sent: 11 August 2011 08:43 AM
To: Louis van Zyl - Business Connexion
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] NAC - ASA EZVPN client config

First check that the NAC is working with a router (NAC L3 IP). After confirming, 
then try with the ASA.

ASA NAC is very simple. When the tunnel is up, the ASA applies the default ACL to 
the client and probes the client for CTA presence. If the client has the CTA, 
normal NAC authorization happens; otherwise clientless authorization happens.


With regards
Kings
On Thu, Aug 11, 2011 at 11:43 AM, Louis van Zyl - Business Connexion 
<[email protected]> wrote:
Hi Kingsley
Thanks for the replies.  I tested it last night at home with the ASA running on 
GNS3 and it worked fine with the same config (I cut-and-pasted it) on the ASA; 
my problems yesterday were on a real ASA.  I used my laptop with XP and a 
virtual XP machine and it worked with both.
My Setup:

1. Meetinghouse disabled on all interfaces.  (CTA with supplicant 
installed)

2. Split-tunnel ACL only has the VLAN on the inside of the ASA, not the 
ASA's outside interface

3. On GNS3 I have version 8.0.2 and on the real ASA in our lab on 8.0.4

I will go try again with the real ASA a bit later.
Louis

From: Kingsley Charles [mailto:[email protected]]
Sent: 11 August 2011 06:36 AM

To: Louis van Zyl - Business Connexion
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] NAC - ASA EZVPN client config

For me it worked without Meetinghouse. Can you try enabling it on the physical 
interface and see if it's working?

Before that, on the Windows command prompt, type "net start" and see if CTA is 
running.


With regards
Kings
On Wed, Aug 10, 2011 at 8:20 PM, Louis van Zyl - Business Connexion 
<[email protected]> wrote:
Hi Kingsley
Yes, I did have a split ACL; I changed that now to tunnelall, but I'm seeing the 
same.  The packet capture on my VPN interface shows traffic from the ASA to my 
VPN-assigned IP on UDP 21862, but the PC isn't responding.
Should the Meetinghouse client be enabled on 1. the VPN adapter, and 2. the 
LAN adapter?
Louis

From: Kingsley Charles [mailto:[email protected]]
Sent: 10 August 2011 03:53 PM
To: Louis van Zyl - Business Connexion
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] NAC - ASA EZVPN client config

I guess you are using a split ACL. If yes, you need to tune the split ACL to 
allow specific traffic from the client in order for the ASA to detect the 
CTA. Otherwise, configure the ASA for full tunneling and you can see that NAC is working.

To confirm that, run Wireshark on the VPN interface of the client and you can 
see that the client is replying to the NAC requests from the ASA. Remember that 
you can run Wireshark on the VPN interface only when the tunnel is up.

The reason is that with split tunneling, the client's response to the NAC request may 
not be going into the tunnel. You need to make it go through the tunnel.

Mostly, the split tunnel should have an extra ACE permitting traffic to the ASA 
outside interface on which you have enabled the crypto map.


With regards
Kings
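A configuration fragment, added here as an illustration and not taken from the thread, showing the split-tunnel list as Louis describes it (inside VLAN only) beside the version with the extra ACE Kingsley recommends, tied to a group policy with a NAC policy that uses the PRE_NAC ACL from the thread. The ACL and policy names, the 10.10.10.0/24 inside VLAN and the 192.0.2.1 outside address are assumed placeholders.

```text
! Constructed example (assumed names and addresses), not from the thread.
!
! Split-tunnel list as originally described: only the VLAN behind the ASA.
! With this list the client's replies to the posture probes on UDP 21862,
! addressed to the ASA outside interface, are not sent through the tunnel,
! so the ASA never learns that the CTA is present.
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
!
! Corrected list: add an ACE for the ASA outside interface address (the
! interface carrying the crypto map) so those replies enter the tunnel.
access-list SPLIT_TUNNEL standard permit host 192.0.2.1
!
! Group policy for the EZVPN clients, with the NAC policy attached.
group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 nac-settings value NAC_EZVPN
!
! NAC policy using the pre-posture ACL mentioned in the thread.
access-list PRE_NAC extended permit ip any any
nac-policy NAC_EZVPN nac-framework
 default-acl PRE_NAC
```

The client-side check remains the one Kingsley describes: capture on the VPN adapter while the tunnel is up and confirm the replies to UDP 21862 leave through that adapter rather than the LAN adapter.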
On Wed, Aug 10, 2011 at 6:42 PM, Louis van Zyl - Business Connexion 
<[email protected]> wrote:
Hi
I'm testing NAC over EZVPN on an ASA.
My problem is that my XP client keeps saying that it doesn't have the CTA 
installed.  I have read a few other threads about this as well, but still no 
luck.

I've installed the ACS's cert in the root store on XP using ctacert.exe.
I've tried enabling the Meetinghouse client on the VPN adapter, and also with 
it disabled.
I've tried with CTA without the 802.1x supplicant as well.
My PRE_NAC ACL has permit ip any any.
My ASA's outside interface has permit any any.

Any further suggestions?
This e-mail and its contents are subject to the Business Connexion (Pty) Ltd. 
E-mail legal notice

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com<http://www.ipexpert.com>

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com<http://www.PlatinumPlacement.com>
