We terminate vpn users on an ASA. That is working. The problem is running the remote users through the NAC appliance while not checking other traffic. We have tried restricting all vpn users to a vlan to layer 3 with PBR. None of these options seem to work. What is the best way to run remote users through NAC before allowing access to the network??? Layer 3, Layer 2, InBand, Out of Band, or ???