I have some problems with vpn3000/NAC. For authentication I use ACS v3.3., users have configured downloadable IP ACLs. All works fine, if there is not default Accsess list configured on VPN3000/NAC tab, which allow EAPoUDP communication between the VPN Concentrator and the client. As soon as default ACL on VPN3000 NAC tab is configured, downloadable IP ACLs are not applied to users after NAC posture validation. Instead NAC default list is active during session.