
NAC Clientless problem task 5.6
I have the same problem as http://ieoc.com/forums/t/2333.aspx but I don't see any response from instructors.
I checked the service on the CTA client and it listens on UDP 21862, but the ASA can't query the information:
ASA1(config)# SHOW VPN-sessiondb REmote
Session Type: Remote
Username : IPSECUSER
Index : 1
Assigned IP : 10.105.105.1 Public IP : 174.1.255.200
Protocol : IPSec Encryption : 3DES
Hashing : MD5
Bytes Tx : 144 Bytes Rx : 2050
Client Type : WinNT Client Ver : 5.0.02.0090
Group Policy : GROUP_POLICY
Tunnel Group : IPSECGROUP
Login Time : 16:38:23 UTC Mon Mar 24 2008
Duration : 0h:00m:12s
Filter Name : EAPoUDP
NAC Result : Holdoff <========
Posture Token:
The configuration looks suitable on the ASA, and I have confirmed on the ACS that authentication is passing successfully:
ASA1(config)# show run tunnel-g
tunnel-group IPSECGROUP type ipsec-ra
tunnel-group IPSECGROUP general-attributes
address-pool MYPOOL
authentication-server-group RADIUS
default-group-policy GROUP_POLICY
nac-authentication-server-group RADIUS
tunnel-group IPSECGROUP ipsec-attributes
pre-shared-key *
ASA1(config)# show run group-po
group-policy GROUP_POLICY internal
group-policy GROUP_POLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
nac enable
nac-default-acl value EAPoUDP
vpn-nac-exempt os Linux
vpn-nac-exempt os "Windows 98" filter WINDOWS98
group-policy EzVPN internal
Debugs on the ASA just show me:
ASA1(config)# NAC default acl EAPoUDP applied - 10.105.105.1
NAC clientless Access Request successful - 10.105.105.1
NAC Clientless Access Reject - 10.105.105.1
NAC default acl EAPoUDP applied - 10.105.105.1
Comments
It looks like you are running the Cisco VPN client on your host PC. Can you run a Wireshark analyzer on the PC and confirm that the return EAPoUDP packets are actually encrypted by the VPN tunnel? I've seen this issue a few times, and usually it was due to the fact that the VPN client had problems with the split-tunnel ACL and EAPoUDP traffic. If you're working in your home lab, try disabling split-tunneling altogether.
I use GraceLabs to do it for Full Lab 3. When using Ethereal I have request packets from ASA1, but I don't have any response from the CTA.
I tried disabling split-tunneling, but it doesn't solve this problem. I show the routing table and the log on the VPN Client below. How can I correct this?
Thanks.
Screenshots (routing table and VPN Client log):
http://img98.imageshack.us/my.php?image=ccie1nz9.jpg
http://img375.imageshack.us/my.php?image=ccie2ma7.jpg
http://img401.imageshack.us/my.php?image=ccie3be0.jpg
http://img378.imageshack.us/my.php?image=ccie4iz0.jpg
http://img522.imageshack.us/my.php?image=ccie5ep8.jpg
http://img75.imageshack.us/my.php?image=ccie6fg3.jpg
http://img68.imageshack.us/my.php?image=ccie7sc0.jpg
http://img59.imageshack.us/my.php?image=ccie8nl8.jpg
You see, for some reason the ASA sources the EAPoUDP packets from the 174.1.123.12 IP address, which is not under the split tunnel. I guess the packet trace is done over the VPN virtual network adapter, and you CAN'T see the packets coming back. If you sniff on the physical interface, you will probably see the packets going back unencrypted. The only way I made it work back in the day was by manually putting the subnet in the split-tunnel list or disabling split tunneling altogether. However, from the perspective of the Security Lab exam, the NAC topic is not worth much effort, for they still don't test it. Probably in the revised exam they will use the NAC appliance implementation, which is more mature and stable.
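The failure mode described in the replies above (the ASA sources EAPoUDP from an address that is not in the split-tunnel list, so the client's replies leave the physical NIC in the clear and the ASA never sees them, leaving the session in Holdoff) can be checked before touching the box. The script below is an added example, not code from the thread or from Cisco: it parses an ASA standard ACL in the `access-list NAME standard permit ...` form, tests whether the EAPoUDP source address would be tunneled, and prints the host entry that would bring it into the split-tunnel list. The ACL name SPLIT_TUNNEL and the source address 174.1.123.12 come from the posted config and comment; the ACL contents themselves are constructed for illustration.

```python
import ipaddress

# Constructed sample ACL (not from the thread). The ACL name SPLIT_TUNNEL comes from
# the posted group-policy; the networks are made up for the example.
SPLIT_TUNNEL_ACL = """\
access-list SPLIT_TUNNEL standard permit 10.105.105.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
"""
# Address the ASA used as EAPoUDP source, as reported in the second comment.
ASA_EAPOUDP_SOURCE = "174.1.123.12"


def parse_standard_acl(acl_text, acl_name):
    """Return the IPv4 networks permitted by the named ASA standard ACL.

    Handles the three standard-ACL address forms: 'any'/'any4', 'host A.B.C.D',
    and 'A.B.C.D MASK' (ASA standard ACLs take a subnet mask, not a wildcard).
    Deny lines and lines belonging to other ACLs are ignored.
    """
    nets = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[1] != acl_name:
            continue
        if parts[2] != "standard" or parts[3] != "permit":
            continue
        rest = parts[4:]
        if rest[0] in ("any", "any4"):
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif rest[0] == "host" and len(rest) >= 2:
            nets.append(ipaddress.IPv4Network(f"{rest[1]}/32"))
        elif len(rest) >= 2:
            nets.append(ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}", strict=False))
    return nets


def eapoudp_return_path(source_ip, acl_text, acl_name="SPLIT_TUNNEL",
                        split_tunnel_enabled=True):
    """Decide whether the client's EAPoUDP replies to source_ip traverse the tunnel.

    Returns 'tunneled' when the ASA's source address matches the split-tunnel list
    (or split tunneling is off, i.e. tunnelall), otherwise 'cleartext', meaning the
    reply goes out the physical interface unencrypted and the ASA never receives it.
    """
    if not split_tunnel_enabled:
        return "tunneled"
    ip = ipaddress.IPv4Address(source_ip)
    for net in parse_standard_acl(acl_text, acl_name):
        if ip in net:
            return "tunneled"
    return "cleartext"


def suggested_acl_line(source_ip, acl_name="SPLIT_TUNNEL"):
    """Host entry that adds the ASA's EAPoUDP source to the split-tunnel ACL."""
    return f"access-list {acl_name} standard permit host {source_ip}"


if __name__ == "__main__":
    verdict = eapoudp_return_path(ASA_EAPOUDP_SOURCE, SPLIT_TUNNEL_ACL)
    print(f"EAPoUDP replies to {ASA_EAPOUDP_SOURCE}: {verdict}")
    if verdict == "cleartext":
        print("Candidate fix:", suggested_acl_line(ASA_EAPOUDP_SOURCE))
```

Run it against the output of `show run access-list` with your real ACL name and the source address seen in the client-side capture; a `cleartext` verdict is the configuration-level explanation for request packets with no reply, which is exactly the symptom the posted capture showed.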