Remote Access IPSec Tunnel from an Agentless Client

After successfully testing the VPN tunnel, the next step is to configure NAC on the security appliance and then connect from the same test VPN client without installing the CTA agent. This emulates an agentless VPN client scenario. The security appliance enables you to set up NAC logging and/or NAC debugging. NAC logging enables you to capture EAPoUDP, EAP, and NAC events such as EAP status query, posture-validation initializations and revalidations, exception list matches, ACS transactions, clientless authentications, and default ACL applications.

NAC debugging is useful if you want to gather detailed NAC-specific events such as the hexadecimal dump of EAP header and packet contents, EAPoUDP header and packet contents, EAPoUDP session-state changes, and timer events.

Example 7-36 illustrates how to enable NAC logging on a security appliance. An event list, called NAC, is defined to log the nac, eapoudp, and eap classes. The logging level is set as debugging. The NAC logs are sent to the internal buffer of the security appliance.

Example 7-36 Enabling NAC Logging on a Security Appliance

CiscoASA(config)# logging enable
CiscoASA(config)# logging list NAC level debugging class nac
CiscoASA(config)# logging list NAC level debugging class eapoudp
CiscoASA(config)# logging list NAC level debugging class eap
CiscoASA(config)# logging buffered NAC

NOTE It is a best practice to send the log messages to an external syslog server for forensics and later analysis.

With NAC logging turned on, establish an IPSec session from a VPN client that is not running CTA. As shown in Example 7-37, as soon as IKE Phase 2 negotiation completes, the security appliance initiates the NAC process for 10.10.200.1. It applies the configured NAC default ACL (logged as NAC-default) to the VPN user's session until the host's posture is determined.

This test scenario assumes that CTA is not running on the VPN client. Consequently, the security appliance receives no EAPoUDP response from the host. After the request times out, it sends an authentication request to the RADIUS server for the clientless user. If the RADIUS server authenticates the user, it returns a downloadable ACL, #ACSACL#-IP-Clientless_ACL-4470a5d3, which the security appliance applies to the session. Based on its access-control entries, the user gets limited access to the network.

Example 7-37 NAC Logs for Clientless Agents

CiscoASA(config)# show logging
<some output removed>
%ASA-6-335001: NAC session initialized - 10.10.200.1.
%ASA-5-335003: NAC Default ACL applied, ACL:NAC-default - 10.10.200.1
%ASA-6-334001: EAPoUDP association initiated - 10.10.200.1.
%ASA-5-334006: EAPoUDP failed to get a response from host - 10.10.200.1.
%ASA-6-334004: Authentication request for NAC Clientless host - 10.10.200.1.
%ASA-6-335006: NAC Applying ACL:#ACSACL#-IP-Clientless_ACL-4470a5d3 - 10.10.200.1.
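To make a message sequence like the one in Example 7-37 usable for the kind of forensic review the NOTE above recommends, the following Python script is an added example (not from the book or from Cisco) that folds ASA NAC syslog lines, as exported to a syslog server, into a per-host summary. The sample log is constructed to mirror Example 7-37, with a second, constructed host that never gets past the default ACL; the message-ID meanings are the ones visible in that example, and the names `parse_nac_log`, `clientless_hosts` and `NacSession` are chosen here.

```python
"""Summarize ASA NAC/EAPoUDP syslog messages per VPN host.

Added example for this page; not from the book or from Cisco. Message IDs
334001/334004/334006 and 335001/335003/335006 are the ones visible in
Example 7-37, and their interpretation below follows that example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One ASA syslog line: %ASA-<severity>-<message id>: <text> - <host ip>[.]
LINE_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):?\s+(?P<msg>.*?)\s+-\s+"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\.?\s*$"
)
ACL_RE = re.compile(r"ACL:(\S+)")

# Constructed sample modelled on Example 7-37 (not a real capture). The
# second host is added to show a session that never leaves the default ACL.
SAMPLE_LOG = """\
%ASA-6-335001: NAC session initialized - 10.10.200.1.
%ASA-5-335003: NAC Default ACL applied, ACL:NAC-default - 10.10.200.1
%ASA-6-334001: EAPoUDP association initiated - 10.10.200.1.
%ASA-5-334006: EAPoUDP failed to get a response from host - 10.10.200.1.
%ASA-6-334004: Authentication request for NAC Clientless host - 10.10.200.1.
%ASA-6-335006: NAC Applying ACL:#ACSACL#-IP-Clientless_ACL-4470a5d3 - 10.10.200.1.
%ASA-6-335001: NAC session initialized - 10.10.200.2.
%ASA-5-335003: NAC Default ACL applied, ACL:NAC-default - 10.10.200.2
%ASA-6-334001: EAPoUDP association initiated - 10.10.200.2.
"""


@dataclass
class NacSession:
    host: str
    events: List[str] = field(default_factory=list)  # message IDs, in order
    default_acl: Optional[str] = None      # ACL named in 335003
    final_acl: Optional[str] = None        # ACL named in 335006
    cta_responded: Optional[bool] = None   # None until an EAPoUDP outcome is seen
    clientless_auth: bool = False          # 334004 seen

    @property
    def outcome(self) -> str:
        """Classify where the host ended up in the NAC flow."""
        if self.final_acl is not None:
            return "clientless-policy" if self.clientless_auth else "posture-policy"
        if self.default_acl is not None:
            return "pending-default-acl"
        return "unknown"


def _acl_name(msg: str) -> Optional[str]:
    m = ACL_RE.search(msg)
    return m.group(1) if m else None


def parse_nac_log(text: str) -> Dict[str, NacSession]:
    """Fold NAC syslog lines into one NacSession per host IP."""
    sessions: Dict[str, NacSession] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an ASA message of the expected shape
        host, msg_id, msg = m["host"], m["id"], m["msg"]
        s = sessions.setdefault(host, NacSession(host))
        s.events.append(msg_id)
        if msg_id == "335003":      # NAC Default ACL applied
            s.default_acl = _acl_name(msg)
        elif msg_id == "334006":    # EAPoUDP failed to get a response from host
            s.cta_responded = False
        elif msg_id == "334004":    # Authentication request for NAC Clientless host
            s.clientless_auth = True
        elif msg_id == "335006":    # NAC Applying ACL (posture result or clientless dACL)
            s.final_acl = _acl_name(msg)
    return sessions


def clientless_hosts(sessions: Dict[str, NacSession]) -> List[str]:
    """Hosts that fell through to clientless authentication (no CTA reply)."""
    return sorted(h for h, s in sessions.items()
                  if s.cta_responded is False and s.clientless_auth)


if __name__ == "__main__":
    sessions = parse_nac_log(SAMPLE_LOG)
    for host, s in sorted(sessions.items()):
        print(f"{host}: {s.outcome}; default={s.default_acl}; final={s.final_acl}")
    print("clientless:", clientless_hosts(sessions))
```

Run against a real export, the `pending-default-acl` outcome is the one worth alerting on: it marks a session that received the default ACL but never reached either a posture result or a clientless decision, which is exactly the gap an attacker with a non-responding host would sit in.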

Alternatively, you can enable the appropriate debugs to troubleshoot issues related to NAC. Example 7-38 shows the recommended debugs on a security appliance for NAC troubleshooting.

Example 7-38 Enabling NAC Debugs on a Security Appliance

CiscoASA# debug nac auth
CiscoASA# debug nac errors
CiscoASA# debug nac events
CiscoASA# debug eou eap
CiscoASA# debug eou errors
CiscoASA# debug eou events

As shown in Example 7-39, the security appliance applies the NAC default ACL when it initiates a NAC session and then tries to determine whether CTA is active on the VPN client. The EAPoUDP queries time out, and the security appliance initiates clientless authentication for the VPN client. The RADIUS server returns an Access-Accept message if clientless authentication succeeds.

Example 7-39 Enabling NAC Debugs for Clientless Hosts