5.6: Problem getting posture to work

Hi All,

Hoping someone can help explain why "holdoff" is listed as the posture when connecting with the VPN client:

ASA1(config)# SHOW VPN-sessiondb REmote

Session Type: Remote

Username : IPSECUSER
Index : 1
Assigned IP : 10.105.105.1 Public IP : 174.1.255.200
Protocol : IPSec Encryption : 3DES
Hashing : MD5
Bytes Tx : 144 Bytes Rx : 2050
Client Type : WinNT Client Ver : 5.0.02.0090
Group Policy : GROUP_POLICY
Tunnel Group : IPSECGROUP
Login Time : 16:38:23 UTC Mon Mar 24 2008
Duration : 0h:00m:12s
Filter Name : EAPoUDP
NAC Result : Holdoff <========
Posture Token:

Configuration looks suitable on the ASA, and have confirmed on the ACS that authentication is successfully passing:

ASA1(config)# show run tunnel-g
tunnel-group IPSECGROUP type ipsec-ra
tunnel-group IPSECGROUP general-attributes
address-pool MYPOOL
authentication-server-group RADIUS
default-group-policy GROUP_POLICY
nac-authentication-server-group RADIUS
tunnel-group IPSECGROUP ipsec-attributes
pre-shared-key *

ASA1(config)# show run group-po
group-policy GROUP_POLICY internal
group-policy GROUP_POLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
nac enable
nac-default-acl value EAPoUDP
vpn-nac-exempt os Linux
vpn-nac-exempt os "Windows 98" filter WINDOWS98
group-policy EzVPN internal

Under the Posture Validation section of the Network Access Profile, it looks just as per the answer key on page 137, with Healthy and Quarantine as the two postures - Quarantine is the default so I cannot see why one of them would not apply to the client.

Debugs on the ASA just show me:

ASA1(config)# NAC default acl EAPoUDP applied - 10.105.105.1
NAC clientless Access Request successful - 10.105.105.1
NAC Clientless Access Reject - 10.105.105.1
NAC default acl EAPoUDP applied - 10.105.105.1

Everything else is as per the answer key as far as I can see.

Any thoughts..
Sign In or Register to comment.