ASA NAC

Unanswered Question
Apr 20th, 2007
Hello,

I have some problems getting NAC working with the ASA and CTA.

I am trying to configure the ASA to work with NAC.

Conditions:

VPN is connected and works fine (ping from the local computer to the inside network via VPN).

CTA is installed and works properly with a wired 3750 (in NAC-L2-IP and NAC-L2-Dot1x mode).

No log entries are appended to the CTA log file when connected via VPN (in wired L2-IP mode there are new messages).

ACS is configured and works fine.


ASA Configuration

ip local pool chernogorsky_pool 10.11.5.1-10.11.5.254 mask 255.255.255.0

nat (inside) 0 access-list chernogorsky_acl_nonat

tunnel-group chernogorsky_ipsec type ipsec-ra
tunnel-group chernogorsky_ipsec general-attributes
 address-pool chernogorsky_pool
 authentication-server-group chernogorsky_aaa
 authorization-server-group chernogorsky_aaa
 default-group-policy chernogorsky_group_policy
 nac-authentication-server-group chernogorsky_aaa
tunnel-group chernogorsky_ipsec ipsec-attributes
 pre-shared-key *

group-policy chernogorsky_group_policy internal
group-policy chernogorsky_group_policy attributes
 dns-server value 10.0.0.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value chernogorsky_aclsplit
 default-domain value jmp-lab.local
 nac enable

aaa-server chernogorsky_aaa protocol radius
aaa-server chernogorsky_aaa (outside) host 10.0.0.1
 key cisco



ACS log (after VPN connection and EAP start):

%ASA-6-334001: EAPoUDP association initiated - 10.11.5.1.
%ASA-5-334006: EAPoUDP failed to get a response from host - 10.11.5.1.



Thanks

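The two syslog messages quoted in the post are the ASA's view of the posture handshake: 334001 says the ASA sent the EAPoUDP hello to the VPN client, and 334006 says the client never answered, which is what you see when the posture agent on the endpoint is not listening on the EAPoUDP port or the packets are filtered on the way. The following Python script is an added example, not part of the original thread or any Cisco tool: it parses ASA syslog lines, keeps only the NAC (334xxx) messages, and lists clients for which an association was initiated but no response came back, so a defender can spot endpoints with a dead posture agent from the firewall logs alone. The sample log lines are constructed for the example and modelled on the two messages in the post; the regex assumes the standard "%ASA-severity-msgid: text - client-ip." layout of those messages.

```python
import re
from collections import defaultdict

# Constructed sample syslog, modelled on the two EAPoUDP messages quoted in the post.
# The third and fourth lines are added to show a healthy client and a non-NAC message.
SAMPLE_LOG = """\
Apr 20 2007 14:01:02 asa1 %ASA-6-334001: EAPoUDP association initiated - 10.11.5.1.
Apr 20 2007 14:01:12 asa1 %ASA-5-334006: EAPoUDP failed to get a response from host - 10.11.5.1.
Apr 20 2007 14:02:40 asa1 %ASA-6-334001: EAPoUDP association initiated - 10.11.5.7.
Apr 20 2007 14:02:41 asa1 %ASA-6-302013: Built inbound TCP connection 1234 for outside:10.11.5.7/1025
"""

# NAC-related ASA messages use ids in the 334000 range; the client address is the
# last dotted quad on the line, optionally followed by a trailing period.
EOU_RE = re.compile(r"%ASA-\d-(334\d{3}): .*?(\d{1,3}(?:\.\d{1,3}){3})\.?\s*$")

MSG_INITIATED = "334001"     # EAPoUDP association initiated
MSG_NO_RESPONSE = "334006"   # EAPoUDP failed to get a response from host


def parse_eou_events(text):
    """Return a list of (client_ip, message_id) for every NAC message in the log."""
    events = []
    for line in text.splitlines():
        m = EOU_RE.search(line)
        if m:
            events.append((m.group(2), m.group(1)))
    return events


def summarize_by_host(text):
    """Count initiated and no-response events per client address."""
    state = defaultdict(lambda: {"initiated": 0, "no_response": 0})
    for host, msg_id in parse_eou_events(text):
        if msg_id == MSG_INITIATED:
            state[host]["initiated"] += 1
        elif msg_id == MSG_NO_RESPONSE:
            state[host]["no_response"] += 1
    return dict(state)


def hosts_without_response(text):
    """Clients where the ASA started a posture exchange and then reported no reply.

    These are the endpoints to look at first: the posture agent (CTA) is not
    running or not listening, or the EAPoUDP packets are dropped in transit.
    """
    summary = summarize_by_host(text)
    return sorted(h for h, s in summary.items() if s["initiated"] and s["no_response"])


if __name__ == "__main__":
    for host, s in sorted(summarize_by_host(SAMPLE_LOG).items()):
        print(f"{host:15} initiated={s['initiated']} no_response={s['no_response']}")
    print("silent posture clients:", hosts_without_response(SAMPLE_LOG))
```

Run it against a real `show logging` capture or a syslog file in place of SAMPLE_LOG. A client that appears under "silent posture clients" while the same machine posture-checks fine on a wired switch, as in this thread, points at the VPN path rather than the agent itself: check that the tunnel's split-tunnel list and any ACLs allow the EAPoUDP traffic between the ASA and the client address, and that the agent is actually running on the VPN-connected machine.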
Vivek Santuka (Cisco Employee) Mon, 04/23/2007 - 07:28

Hi,


Please check if the CTA EOUDP service is running.


Regards,

Vivek

m_chernogorsky Mon, 04/23/2007 - 11:48

Yap, %=)

Via a wired connection everything is OK (802.1x, L2-IP mode); everything works.

