Chapter 7: Configuring NAC on Cisco ASA and PIX Security Appliances

Cisco Press


As shown in Example 7-39, the security appliance applies NAC-Default ACL when it initiates a NAC session. It tries to determine whether CTA is active on the VPN client. The EAPoUDP queries time out and the security appliance initiates clientless authentication for the VPN client. The RADIUS server sends an Access-Accept message if clientless authentication is successful.

Example 7-39   Enabling NAC Debugs for Clientless Hosts

NAC default acl NAC-default applied -
association initiated -
response timer expiry -
response timer expiry -
response timer expiry -
failed to get a response from the host -
clientless Access Request successful -
Authentication request for NAC Clientless host -
Clientless Access Accept -

Remote-Access IPSec Tunnel from a CTA Client

If the "remote-access IPSec tunnel from an agentless client" test scenario is successful, the next test case is to install the CTA application on the VPN client and go through the posture-validation process on the security appliance. After establishing the IPSec SAs, the security appliance initiates the EAPoUDP process. If an EAPoUDP response is received from the VPN client, the security appliance knows that the VPN client is actively running the CTA service.

If you enable the debugs suggested in Example 7-37, the security appliance generates NAC-specific messages. As illustrated in Example 7-40, the security appliance initiates an EAPoUDP association. It receives a response from the VPN client and starts the posture-validation process. CTA forwards the host name and username of the client machine (SECUREME:Administrator, in this example) through EAP. The security appliance receives the system posture token of Healthy from the RADIUS server and assigns it to the host machine.

Example 7-40   NAC Debugs for CTA-Enabled VPN Client

NAC default acl NAC-default applied -
association initiated -
response received from host -
EAP association initiated -, EAP context:0x0463c490
NAC EAP Access Accept -
EAP Access Accept -, user:SECUREME:Administrator
NAC EAP Access Accept -, Reval Period:36000 seconds
NAC Access Accept -, Posture Token:Healthy
NAC Access Accept -, Status Query Period:300 seconds
NAC PV complete -, posture:Healthy
EAPoUDP association successfully established -

After successfully testing the client posture, you are ready to start deploying NAC in your VPN environment. The CTA software can be distributed to the VPN client machines so that they can be assigned a correct posture based on their machine state.
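The two debug transcripts above differ mainly in whether the host answers EAPoUDP at all. The following is an added example (not from the book or from Cisco) that reduces a host's NAC debug lines to the admission path taken and what was assigned; the two transcripts are constructed from Examples 7-39 and 7-40 with the host address after each " - " omitted, as it is on the page.

```python
import re

# Constructed debug transcripts modelled on Examples 7-39 and 7-40; the host
# address that follows each " - " on a real appliance is omitted, as on the page.
CLIENTLESS_DEBUG = """\
NAC default acl NAC-default applied -
association initiated -
response timer expiry -
response timer expiry -
response timer expiry -
failed to get a response from the host -
clientless Access Request successful -
Authentication request for NAC Clientless host -
Clientless Access Accept -
"""

CTA_DEBUG = """\
NAC default acl NAC-default applied -
association initiated -
response received from host -
EAP association initiated -, EAP context:0x0463c490
NAC EAP Access Accept -
EAP Access Accept -, user:SECUREME:Administrator
NAC EAP Access Accept -, Reval Period:36000 seconds
NAC Access Accept -, Posture Token:Healthy
NAC Access Accept -, Status Query Period:300 seconds
NAC PV complete -, posture:Healthy
EAPoUDP association successfully established -
"""

# Values the RADIUS exchange attaches to the session, pulled from any line.
EXTRACT = [("user", re.compile(r"user:(\S+)"), str),
           ("posture", re.compile(r"Posture Token:(\w+)"), str),
           ("reval_period", re.compile(r"Reval Period:(\d+)"), int)]


def summarize_nac_debug(text):
    """Reduce one host's NAC debug lines to how it was admitted and with what."""
    s = {"path": "pending", "timeouts": 0, "default_acl": None,
         "user": None, "posture": None, "reval_period": None}
    for line in text.splitlines():
        if line.startswith("NAC default acl"):
            s["default_acl"] = line.split()[3]      # ACL applied before posture is known
        elif line.startswith("response timer expiry"):
            s["timeouts"] += 1                       # EAPoUDP query went unanswered
        elif line.startswith("Clientless Access Accept"):
            s["path"] = "clientless"                 # admitted without posture validation
        elif line.startswith("EAPoUDP association successfully established"):
            s["path"] = "cta"                        # CTA answered; posture was validated
        for key, pattern, convert in EXTRACT:
            m = pattern.search(line)
            if m:
                s[key] = convert(m.group(1))
    return s
```

A host that ends on the clientless path never reports a posture token, so a summary with `path == "clientless"` is the one to review when you expect every VPN client to be running CTA.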

Monitoring of NAC Sessions

You can use several show commands to monitor and report the state of NAC sessions. The show vpn-sessiondb remote command is one of the most commonly used because it displays IPSec as well as NAC statistics for all the VPN clients. As shown in Example 7-41, the session type is Remote for a remote-access tunnel, and the VPN username is ciscouser. The assigned IP address is and the public IP address is The security appliance has transmitted 15,790 bytes and has received 6,179 bytes. The NAC result was accepted by the RADIUS server, and a system posture token of Healthy is assigned to this user. The RADIUS server assigned a downloadable ACL called IP-NAC_HEALTHY_ACL-43c0876e.

Example 7-41   Output of show vpn-sessiondb remote

CiscoASA# show vpn-sessiondb remote
Session Type: Remote
Username     : ciscouser
Index        : 1
Assigned IP  :                  Public IP   :
Protocol     : IPSec            Encryption  : 3DES
Hashing      : SHA1
Bytes Tx     : 15790            Bytes Rx    : 6179
Client Type  : WinNT            Client Ver  :
Group Policy : SecureMeGrp
Tunnel Group : NAC-Group
Login Time   : 03:23:16 UTC Wed Aug 2 2006
Duration     : 0h:28m:13s
Filter Name  : #ACSACL#-IP-NAC_HEALTHY_ACL-43c0876e
NAC Result   : Accepted
Posture Token: Healthy

You can also use ASDM to monitor the IPSec and NAC session on the security appliance. Navigate to Monitoring > VPN > VPN Statistics > Sessions to check the NAC result and system posture token assigned to a user, as shown in Figure 7-7.

Figure 7-7   IPSec and NAC Monitoring in ASDM

If you would rather get detailed information about a particular EAPoUDP session, you can use the show vpn-sessiondb detail index command followed by an index number to see detailed connection information for the host you are interested in. Example 7-42 shows the output of show vpn-sessiondb detail index 1, which gives detailed connection information about ciscouser. The index number is a local ID assigned to the user. Using this command, the security appliance can provide information about the EAPoUDP timers. The security appliance indicates that after 34,567 seconds, it will initiate EAPoUDP revalidation for this host. It also displays the Healthy system posture token associated with that host.

Example 7-42   Displaying EOU Session Details for a Specific Host

CiscoASA# show vpn-sessiondb detail index 1
Session Type: Remote Detailed
Username   : ciscouser
Index      : 1
<output removed>
NAC:
  Reval Int (T): 18000 Seconds     Reval Left(T): 17900 Seconds
  SQ Int (T)   : 600 Seconds       EoU Age(T)   : 100 Seconds
  Hold Left (T): 0 Seconds         Posture Token: Healthy
  Redirect URL :

Using ASDM, you can view the same NAC session timers by navigating to Monitoring > VPN > VPN Statistics > Sessions and selecting the Details icon. Figure 7-8 illustrates this.

Figure 7-8   NAC Session Timers in ASDM

You can view a summary of all the VPN and NAC sessions on a security appliance by using the show vpn-sessiondb summary command. As shown in Example 7-43, it displays an active IPSec remote-access session. This session is an active accepted NAC session. Additionally, the security appliance displays cumulative NAC accepted and rejected sessions. This command is useful if you want to determine whether the RADIUS server is successfully assigning the appropriate posture token to the VPN client.

Example 7-43   Displaying Active VPN and NAC Sessions

CiscoASA# show vpn-sessiondb summary

Active Sessions:                 Session Information:
 IPSec LAN-to-LAN      : 0       Peak Concurrent      : 1
 IPSec Remote Access   : 1       IPSec Limit          : 750
 WebVPN                : 0       WebVPN Limit         : 2
 SSL VPN Client (SVC)  : 0       Cumulative Sessions  : 8
 Email Proxy           : 0
 Total Active Sessions : 1       Percent Session Load  : 0%
                                 VPN LB Mgmt Sessions  : 0

Active NAC Sessions:             Cumulative NAC Sessions:
 Accepted           : 1          Accepted          : 14
 Rejected           : 0          Rejected          : 1
 Exempted           : 0          Exempted          : 0
 Non-responsive     : 0          Non-responsive    : 14
 Hold-off           : 0          Hold-off          : 1
 N/A                : 0          N/A               : 0

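The per-session output in Examples 7-41 and 7-42 is two-column text, which is awkward to scrape by hand when you have many VPN clients. As an added example (not from the book or from Cisco), the parser below turns that output into label/value pairs and flags a session that is not in the Accepted/Healthy state the chapter's examples show; the session text is a constructed sample that combines fields from both examples, and the 600-second revalidation warning threshold is an assumed value.

```python
import re

# Constructed sample combining fields from Examples 7-41 and 7-42 (IP fields blank, as on the page).
SAMPLE_SESSION = """\
CiscoASA# show vpn-sessiondb detail index 1
Session Type: Remote Detailed
Username     : ciscouser
Assigned IP  :                  Public IP   :
Protocol     : IPSec            Encryption  : 3DES
Login Time   : 03:23:16 UTC Wed Aug 2 2006
Filter Name  : #ACSACL#-IP-NAC_HEALTHY_ACL-43c0876e
NAC Result   : Accepted
Posture Token: Healthy
NAC:
  Reval Int (T): 18000 Seconds     Reval Left(T): 17900 Seconds
  SQ Int (T)   : 600 Seconds       EoU Age(T)   : 100 Seconds
  Hold Left (T): 0 Seconds         Posture Token: Healthy
  Redirect URL :
"""

# One "Label : value" pair; the lookahead ends a value where a second column's label starts.
PAIR_RE = re.compile(r"([A-Za-z][\w ()/-]*?)\s*: ?(.*?)(?=\s{2,}[A-Za-z][\w ()/-]*?\s*:|$)")


def parse_session(text):
    """Return {label: value} for every pair in the output; blank values stay ''."""
    fields = {}
    for line in text.splitlines():
        for label, value in PAIR_RE.findall(line):
            fields[label.strip()] = value.strip()
    return fields


def seconds(value):
    """'17900 Seconds' -> 17900; blank or unexpected text -> None."""
    m = re.match(r"(\d+)\s*Seconds", value)
    return int(m.group(1)) if m else None


def nac_findings(fields, reval_warn=600):
    """List what deviates from the Accepted/Healthy state; empty list means nothing to report."""
    findings = []
    if fields.get("NAC Result") != "Accepted":
        findings.append("NAC result is %r, not Accepted" % fields.get("NAC Result"))
    if fields.get("Posture Token") != "Healthy":
        findings.append("posture token is %r" % fields.get("Posture Token"))
    if not fields.get("Filter Name"):
        findings.append("no Filter Name (downloadable ACL) reported")
    left = seconds(fields.get("Reval Left(T)", ""))
    if left is not None and left < reval_warn:      # assumed threshold, not an ASA default
        findings.append("revalidation due in %d seconds" % left)
    return findings
```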
The NAC implementation on the Cisco security appliances provides a complete solution for checking the posture state of a VPN client. If the posture cannot be validated, the security appliance applies the appropriate ACLs to filter traffic. This chapter discussed the packet flow through a security appliance when NAC is enabled and then provided detailed configuration steps. It also provided guidance on how to monitor the remote-access VPN tunnels. For troubleshooting purposes, this chapter discussed various debug and log messages to help you isolate issues related to remote-access tunnels and NAC.

Review Questions

You can find the answers to the review questions in Appendix A, "Answers to Review Questions."

  1. The default value for the revalidation timer on a security appliance is ________.

    1. 1,800 seconds

    2. 18,000 seconds

    3. 180,000 seconds

    4. None of the above

  2. NAC exception policies can be set up under which of the following locations? (Multiple answers)

    1. Default group policies

    2. User group policies

    3. User policies

    4. Tunnel policies

  3. True or false: A VPN tunnel is considered clientless if it does not report any software version information.

  4. True or false: The NAC exception policies are configured under the tunnel group subconfiguration mode.

  5. True or false: The NAC session's database cannot be statefully replicated to a standby appliance.

  6. Mode-config attributes are configured under ________.

    1. User policy

    2. Default user-group

    3. User group-policy

    4. All of the above

  7. True or false: Specifying a RADIUS server under tunnel-group is a mandatory step.

  8. True or false: The IPSec tunnel is torn down if the VPN client does not respond to an EAPoUDP request packet.

  9. True or false: The NAC exemption list must be applied on a per-group basis.

  10. True or false: Clientless authentication is used for machines that do not have CTA installed.

Copyright © 2007 Pearson Education. All rights reserved.
