Fixed ip for vpn user- aaa authenticated

Hi all,
i am using asa 5520 as my vpn box. All vpn users login to vpn box associated with a aaa server. The authenticaltion takes place on aaa server. If i use local database for user login, i can assign fixed static ip to the user via its vpn properties. But now i am using aaa for authentication and i want to assign fixed statix IP for some users. How can i do this?

with local aaa authentication
go to the user atributes
like username vpnuser attributes
vpn-framed-ip-address 192.168.50.1 255.255.255.255
this will give that ip to that user
if u are useing cisco ACS
under the user setting
go to :
Assign static IP address-If a specific IP address should be used for this user, click this option and type the IP address in the text box. The IP address assignment in User Setup overrides the IP address assignment in Group Setup
and the following link give step-by step intstruction to configure cisco ACS AAA
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6a6.html
good luck
please, if helpful Rate

Similar Messages

  • Error Message For BISystemUser: User not authenticated

    We have migrated from DEV to PROD env.(11.1.1.1 -> 11.1.1.3). Along problems with bipublisher - there are some strange thingths: we successfully loging using weblogic account into AdminConsole и Enterprise Manager, but in Answers we get an error: invalid username or password.
    nqserver.log:
    ...[ERROR:1] [] [] ... [tid: 1090] Error Message For BISystemUser: User not authenticated.
    ...[ERROR:1] [] [] ... [tid: 1090] [nQSError: 43126] Authentication failed: invalid user/password.
    In oracle support we found such issue (Doc ID 1308389.1):
    OBIEE 11g Error: "Unable to Sign in. invalid username or password was entered" After Changing Repository, Deleting BISystem User, Adding it Back (Doc ID 1308389.1)
    Applies to: Business Intelligence Server Enterprise Edition - Version: 11.1.1.3.0 [1905] to 11.1.1.5.0 [1308] - Release: 11g to 11g
    Symptoms: In OBIEE 11.1.1.3.0 using default authenticator, it is not possible to log in to OBIEE after changing repository. To troubleshoot, BIsystemuser was removed from global roles and added back again.
    Getting error: Unable to Sign in. invalid username or password was entered
    Changes: Changed repository, deleted BISystemuser, added the user back
    Cause: Several changes e.g changing rpd, deleting bisystem user, adding the user back etc. occurred in the environment and caused log in to OBIEE to stop working
    Solution: After a lot of troubleshooting e.g re-starting system in the correct order, refreshing GUIDs, re-start OBIEE with default SampleAppLite.rpd and web catalog, the error persists. The system was uninstalled and re-installed to avoid further corruption and configuration problems in the new installation. This resolved the problem
    Does we have to 'reinstall or make a lot of troubleshooting e.g re-starting system ' to solve this error?
    It seem to be funny for PROD environment. How we cam resolve this problem?

    Are you saying you upgraded both dev and prod from 11.1.1.1 to 11.1.1.3 or that you migrated a dev 11.1.1.1 to a prod 11.1.1.3? What did you migrate?
    At a rough guess the BISystemUser password is different in dev and prod (created by system on install) and in your 'migration' you've moved the dev credential across to prod.
    If that's the case you need to change the bisystemuser password to something known and update the credential store password.
    Another possibility might just be that you need to regenerate the GUIDs:
    http://download.oracle.com/docs/cd/E21764_01/bi.1111/e10543/privileges.htm#BIESC721

  • Using ISE to assign ACL's for VPN users

    Hi,
    I've just implemented ISE into our environment using various documents and videos found online but have not been able to find anything about using ISE to Authenticate remote users via VPN and assigning them the ACL's created for thewir level of network access.
    Does anyone know of a good document or training video knocking about that I can use?
    Thanks
    Jason

    Jason,
    If the ACL is present on the ASA you can use the "filter-id" radius attribute to reference the acl to the user's session. You can make this work by configuring an authorization profile and tying this in with your authorization policy for vpn users.
    If you want to push an acl then my recommendation is to use the cisco-av-pairs to push the acls since the username is associated with the acl that is applied to the username of the vpn session.
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1763743
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • DP selection for VPN users and VPN boundaries

    Hi
    I have a scenario wherein we have 500 users across UK who will connect via VPN, the client has 350 sites with main 25 locations with minimum users (>20) and rest of the sites have less than 10 users.. may one or 2 or 5.. for no DP are placed. aprt from
    500 all will be on LAN.
    DP is only for sites > 20 users...
    so my concern is how do the users who will be on vpn have to be configured for DP to download the content,
    if a user moves from one location to other location lets say from London to Manchester how will this user on VPN will be able to select the DP if he is configured to select DP in London.?
    Do advise how to configure the DP for VPN user who move from location to location. How will they select the DP.
    we do have the IPrange for VPN users , but how to map it to DP. if I map London DP to a user and then if he is in Manchester the user will all way pull the content across WAN..  how to make the user to auto connect to local DP(Manchester) if on VPN.
    Thanks

    if I map London DP to a user and then if he is in Manchester the user will all way pull the content across WAN..  how to make the user to auto connect to local DP(Manchester) if on VPN.
    You don't map users to DPs and DP communication is dynamic and not persistent in any way. Thus, *every time* that a client requests content it submits its current IP and is given DPs to download the content from based on this IP and the configured boundaries.
    Thus, as long as your "locations" have different IP ranges, there's nothing special to do.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • L2TP and fixed Framed IP Address for VPN user

    Hi,
    I have a running L2TP/IPsec VPN setup with authentification against a radius server (freeradius2 witch mysql). I would like to have some of my VPN users get a fixed IP address instead of the dynamically assigned IP Pool.
    The radius server is returning the correct parameters, I think.
    I hope someone can help me.
    It´s a Cisco 892 Integrated Service Router.
    Router Config:
    =============================================================
    Current configuration : 8239 bytes
    ! Last configuration change at 10:44:26 CEST Fri Mar 30 2012 by root
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service internal
    hostname vpngw2
    boot-start-marker
    boot config usbflash0:CVO-BOOT.CFG
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 5 secret
    aaa new-model
    aaa authentication login default local group radius
    aaa authentication login userauthen local group radius
    aaa authentication ppp default group radius local
    aaa authorization exec default local
    aaa authorization network groupauthor local
    aaa accounting delay-start
    aaa accounting update newinfo
    aaa accounting exec default
    action-type start-stop
    group radius
    aaa accounting network default
    action-type start-stop
    group radius
    aaa accounting resource default
    action-type start-stop
    group radius
    aaa session-id common
    clock timezone CET 1 0
    clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
    ip domain name aspect-online.de
    ip name-server 10.28.1.31
    ip inspect WAAS flush-timeout 10
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip cef
    no ipv6 cef
    virtual-profile if-needed
    multilink bundle-name authenticated
    async-bootp dns-server 10.28.1.31
    async-bootp nbns-server 10.28.1.31
    vpdn enable
    vpdn authen-before-forward
    vpdn authorize directed-request
    vpdn-group L2TP
    ! Default L2TP VPDN group
    accept-dialin
      protocol l2tp
      virtual-template 1
    no l2tp tunnel authentication
    license udi pid -K9 sn FCZ
    username root password 7 secret
    ip ssh source-interface FastEthernet8
    ip ssh version 2
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 3600
    crypto isakmp key mykey address 0.0.0.0         no-xauth
    crypto ipsec transform-set configl2tp esp-3des esp-sha-hmac
    mode transport
    crypto dynamic-map config-map-l2tp 10
    set nat demux
    set transform-set configl2tp
    crypto map vpnl2tp 10 ipsec-isakmp dynamic config-map-l2tp
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface FastEthernet0
    no ip address
    spanning-tree portfast
    interface FastEthernet1
    no ip address
    spanning-tree portfast
    <snip>
    interface FastEthernet7
    no ip address
    spanning-tree portfast
    interface FastEthernet8
    ip address 10.28.1.97 255.255.255.0
    ip access-group vpn_to_lan out
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface Virtual-Template1
    ip unnumbered GigabitEthernet0
    ip access-group vpn_to_inet_lan in
    ip nat inside
    ip virtual-reassembly in
    peer default ip address pool l2tpvpnpool
    ppp encrypt mppe 128
    ppp authentication chap
    interface GigabitEthernet0
    description WAN Port
    ip address x.x.x.39 255.255.255.0
    ip access-group from_inet in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map vpnl2tp
    interface Vlan1
    no ip address
    shutdown
    ip local pool l2tpvpnpool 192.168.252.3 192.168.252.199
    ip local pool remotepool 192.168.252.240 192.168.252.243
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat log translations syslog
    ip nat inside source route-map natmap interface GigabitEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 x.x.x.33
    ip access-list extended from_inet
    <snip>
    ip access-list extended nat_clients
    permit ip 192.168.252.0 0.0.0.255 any
    ip access-list extended vpn_to_inet_lan
    <snip>
    ip access-list extended vpn_to_lan
    <snip>
    deny   ip any any log-input
    logging trap debugging
    logging facility local2
    logging 10.28.1.42
    no cdp run
    route-map natmap permit 10
    match ip address nat_clients
    radius-server attribute 8 include-in-access-req
    radius-server host 10.27.1.228 auth-port 1812 acct-port 1813
    radius-server key 7 mykey
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    mgcp profile default
    banner login ^C
    Hostname: vpngw2
    Model: Cisco 892 Integrated Service Router
    Description: L2TP/IPsec VPN Gateway with Radius Auth
    ^C
    line con 0
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    =============================================================
    User Config in Radius (tying multiple attributes):
    =============================================================
    Attribute          | op | Value
    Service-Type       | =  | Framed-User
    Cisco-AVPair       | =  | vpdn:ip-addresses=192.168.252.220
    Framed-IP-Address  | := | 192.168.252.221
    Cisco-AVPair       | =  | ip:addr-pool=remotepool
    =============================================================
    Debug Log from freeradius2:
    =============================================================
    rad_recv: Access-Request packet from host 10.28.1.97 port 1645, id=7, length=100
            Framed-Protocol = PPP
            User-Name = "me1"
            CHAP-Password = 0x01b8b897de00317a75c68ee9ce473cf8b8
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [chap] Setting 'Auth-Type := CHAP'
    ++[chap] returns ok
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry DEFAULT at line 172
    ++[files] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    rlm_sql (sql): Reserving sql socket id: 4
    [sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'me1'           ORDER BY id
    [sql] User found in radcheck table
    [sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'me1'           ORDER BY id
    [sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'me1'           ORDER BY priority
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = CHAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group CHAP {...}
    [chap] login attempt by "me1" with CHAP password
    [chap] Using clear text password "test" for user me1 authentication.
    [chap] chap user me1 authenticated succesfully
    ++[chap] returns ok
    Login OK: [me1/<CHAP-Password>] (from client vpngw2 port 10007)
    # Executing section post-auth from file /etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 7 to 10.28.1.97 port 1645
            Framed-Protocol = PPP
            Framed-Compression = Van-Jacobson-TCP-IP
            Framed-IP-Address := 192.168.252.221
            Cisco-AVPair = "vpdn:ip-addresses=192.168.252.220"
            Service-Type = Framed-User
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=19, length=213
            Acct-Session-Id = "00000011"
            Tunnel-Type:0 = L2TP
            Tunnel-Medium-Type:0 = IPv4
            Tunnel-Server-Endpoint:0 = "x.x.x.39"
            Tunnel-Client-Endpoint:0 = "x.x.x.34"
            Tunnel-Assignment-Id:0 = "L2TP"
            Tunnel-Client-Auth-Id:0 = "me1"
            Tunnel-Server-Auth-Id:0 = "vpngw2"
            Framed-Protocol = PPP
            Framed-IP-Address = 192.168.252.9
            User-Name = "me1"
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Acct-Authentic = RADIUS
            Acct-Status-Type = Start
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
            Acct-Delay-Time = 0
    # Executing section preacct from file /etc/raddb/sites-enabled/default
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
    [acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    ++[files] returns noop
    # Executing section accounting from file /etc/raddb/sites-enabled/default
    +- entering group accounting {...}
    [detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
    [detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail]        expand: %t -> Fri Mar 30 11:20:07 2012
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp]       expand: %{User-Name} -> me1
    ++[radutmp] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    [sql]   expand: %{Acct-Delay-Time} -> 0
    [sql]   expand:            INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
    rlm_sql (sql): Reserving sql socket id: 3
    rlm_sql (sql): Released sql socket id: 3
    ++[sql] returns ok
    ++[exec] returns noop
    [attr_filter.accounting_response]       expand: %{User-Name} -> me1
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 19 to 10.28.1.97 port 1646
    Finished request 1.
    Cleaning up request 1 ID 19 with timestamp +53
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=20, length=407
            Acct-Session-Id = "00000011"
            Tunnel-Type:0 = L2TP
            Tunnel-Medium-Type:0 = IPv4
            Tunnel-Server-Endpoint:0 = "x.x.x.39"
            Tunnel-Client-Endpoint:0 = "x.x.x.34"
            Tunnel-Assignment-Id:0 = "L2TP"
            Tunnel-Client-Auth-Id:0 = "me1"
            Tunnel-Server-Auth-Id:0 = "vpngw2"
            Framed-Protocol = PPP
            Framed-IP-Address = 192.168.252.9
            Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
            User-Name = "me1"
            Acct-Authentic = RADIUS
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Cisco-AVPair = "nas-tx-speed=100000000"
            Cisco-AVPair = "nas-rx-speed=100000000"
            Acct-Session-Time = 5
            Acct-Input-Octets = 5980
            Acct-Output-Octets = 120
            Acct-Input-Packets = 47
            Acct-Output-Packets = 11
            Acct-Terminate-Cause = User-Request
            Cisco-AVPair = "disc-cause-ext=PPP Receive Term"
            Acct-Status-Type = Stop
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
            Acct-Delay-Time = 0
    # Executing section preacct from file /etc/raddb/sites-enabled/default
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
    [acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    ++[files] returns noop
    # Executing section accounting from file /etc/raddb/sites-enabled/default
    +- entering group accounting {...}
    [detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
    [detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail]        expand: %t -> Fri Mar 30 11:20:12 2012
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp]       expand: %{User-Name} -> me1
    ++[radutmp] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    [sql]   expand: %{Acct-Input-Gigawords} ->
    [sql]   ... expanding second conditional
    [sql]   expand: %{Acct-Input-Octets} -> 5980
    [sql]   expand: %{Acct-Output-Gigawords} ->
    [sql]   ... expanding second conditional
    [sql]   expand: %{Acct-Output-Octets} -> 120
    [sql]   expand: %{Acct-Delay-Time} -> 0
    [sql]   expand:            UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}' ->            UPDATE radacct SET              acctstoptime       = '2012-03-30 11:20:12',              acctsessiontime    = '5',              acctinputoctets    = '0' << 32 |                                   '5980',              acctoutputoctets   = '0' << 32 |
    rlm_sql (sql): Reserving sql socket id: 2
    rlm_sql (sql): Released sql socket id: 2
    ++[sql] returns ok
    ++[exec] returns noop
    [attr_filter.accounting_response]       expand: %{User-Name} -> me1
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 20 to 10.28.1.97 port 1646
    Finished request 2.
    Cleaning up request 2 ID 20 with timestamp +58
    Going to the next request
    Waking up in 0.1 seconds.
    Cleaning up request 0 ID 7 with timestamp +53
    Ready to process requests.
    =============================================================
    Log From Cisco Router:
    =============================================================
    Mar 30 11:20:07 vpngw2 1217: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:07 vpngw2 1218: Mar 30 09:21:51.414: RADIUS: DSL line rate attributes successfully added
    Mar 30 11:20:07 vpngw2 1219: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:07 vpngw2 1220: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:07 vpngw2 1221: Mar 30 09:21:51.414: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
    Mar 30 11:20:07 vpngw2 1222: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015): acct_session_id: 17
    Mar 30 11:20:07 vpngw2 1223: Mar 30 09:21:51.414: RADIUS(00000015): sending
    Mar 30 11:20:07 vpngw2 1224: Mar 30 09:21:51.418: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:07 vpngw2 1225: Mar 30 09:21:51.418: RADIUS(00000015): Send Access-Request to 10.27.1.228:1812 id 1645/7, len 100
    Mar 30 11:20:07 vpngw2 1226: Mar 30 09:21:51.418: RADIUS:  authenticator DE 5F 2E 3E EF BF 50 F4 - 49 C3 4F BE 1A 66 72 22
    Mar 30 11:20:07 vpngw2 1227: Mar 30 09:21:51.418: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1228: Mar 30 09:21:51.418: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:07 vpngw2 1229: Mar 30 09:21:51.418: RADIUS:  CHAP-Password       [3]   19  *
    Mar 30 11:20:07 vpngw2 1230: Mar 30 09:21:51.418: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:07 vpngw2 1231: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:07 vpngw2 1232: Mar 30 09:21:51.418: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:07 vpngw2 1233: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:07 vpngw2 1234: Mar 30 09:21:51.418: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:07 vpngw2 1235: Mar 30 09:21:51.418: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:07 vpngw2 1236: Mar 30 09:21:51.418: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:07 vpngw2 1237: Mar 30 09:21:51.418: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:07 vpngw2 1238: Mar 30 09:21:51.422: RADIUS: Received from id 1645/7 10.27.1.228:1812, Access-Accept, len 85
    Mar 30 11:20:07 vpngw2 1239: Mar 30 09:21:51.422: RADIUS:  authenticator 25 CD 93 D5 78 2C F4 4F - F2 66 2C 45 8D D4 E1 16
    Mar 30 11:20:07 vpngw2 1240: Mar 30 09:21:51.422: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1241: Mar 30 09:21:51.422: RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
    Mar 30 11:20:07 vpngw2 1242: Mar 30 09:21:51.422: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.221
    Mar 30 11:20:07 vpngw2 1243: Mar 30 09:21:51.422: RADIUS:  Vendor, Cisco       [26]  41
    Mar 30 11:20:07 vpngw2 1244: Mar 30 09:21:51.422: RADIUS:   Cisco AVpair       [1]   35  "vpdn:ip-addresses=192.168.252.220"
    Mar 30 11:20:07 vpngw2 1245: Mar 30 09:21:51.422: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:07 vpngw2 1246: Mar 30 09:21:51.426: RADIUS(00000015): Received from id 1645/7
    Mar 30 11:20:07 vpngw2 1247: Mar 30 09:21:51.438: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
    Mar 30 11:20:07 vpngw2 1248: Mar 30 09:21:51.442: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
    Mar 30 11:20:07 vpngw2 1249: Mar 30 09:21:51.478: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:07 vpngw2 1250: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:07 vpngw2 1251: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:07 vpngw2 1252: Mar 30 09:21:51.478: RADIUS(00000015): sending
    Mar 30 11:20:07 vpngw2 1253: Mar 30 09:21:51.478: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:07 vpngw2 1254: Mar 30 09:21:51.478: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/19, len 213
    Mar 30 11:20:07 vpngw2 1255: Mar 30 09:21:51.478: RADIUS:  authenticator 1B E0 A3 DF 16 7F F1 8D - E5 7F BD 88 50 01 73 53
    Mar 30 11:20:07 vpngw2 1256: Mar 30 09:21:51.478: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
    Mar 30 11:20:07 vpngw2 1257: Mar 30 09:21:51.478: RADIUS:  Tunnel-Type         [64]  6   00:
    Mar 30 11:20:07 vpngw2 1258: L2TP                   [3]
    Mar 30 11:20:07 vpngw2 1259: Mar 30 09:21:51.478: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
    Mar 30 11:20:07 vpngw2 1260: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
    Mar 30 11:20:07 vpngw2 1261: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
    Mar 30 11:20:07 vpngw2 1262: Mar 30 09:21:51.478: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
    Mar 30 11:20:07 vpngw2 1263: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
    Mar 30 11:20:07 vpngw2 1264: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
    Mar 30 11:20:07 vpngw2 1265: Mar 30 09:21:51.478: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1266: Mar 30 09:21:51.478: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
    Mar 30 11:20:07 vpngw2 1267: Mar 30 09:21:51.478: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:07 vpngw2 1268: Mar 30 09:21:51.478: RADIUS:  Vendor, Cisco       [26]  35
    Mar 30 11:20:07 vpngw2 1269: Mar 30 09:21:51.478: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    Mar 30 11:20:07 vpngw2 1270: Mar 30 09:21:51.478: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Mar 30 11:20:07 vpngw2 1271: Mar 30 09:21:51.482: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
    Mar 30 11:20:07 vpngw2 1272: Mar 30 09:21:51.482: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:07 vpngw2 1273: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:07 vpngw2 1274: Mar 30 09:21:51.482: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:08 vpngw2 1275: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:08 vpngw2 1276: Mar 30 09:21:51.482: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:08 vpngw2 1277: Mar 30 09:21:51.482: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:08 vpngw2 1278: Mar 30 09:21:51.482: RADIUS:  Acct-Delay-Time     [41]  6   0
    Mar 30 11:20:08 vpngw2 1279: Mar 30 09:21:51.482: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:08 vpngw2 1280: Mar 30 09:21:51.482: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:08 vpngw2 1281: Mar 30 09:21:51.486: RADIUS: Received from id 1646/19 10.27.1.228:1813, Accounting-response, len 20
    Mar 30 11:20:08 vpngw2 1282: Mar 30 09:21:51.486: RADIUS:  authenticator 73 5E 95 46 5B 57 B1 4A - 44 4F 7C 71 F0 26 AA A4
    Mar 30 11:20:12 vpngw2 1283: Mar 30 09:21:56.282: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:12 vpngw2 1284: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:12 vpngw2 1285: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:12 vpngw2 1286: Mar 30 09:21:56.282: RADIUS(00000015): sending
    Mar 30 11:20:12 vpngw2 1287: Mar 30 09:21:56.282: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:12 vpngw2 1288: Mar 30 09:21:56.286: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/20, len 407
    Mar 30 11:20:12 vpngw2 1289: Mar 30 09:21:56.286: RADIUS:  authenticator 26 7A 27 91 EB 3F 34 C6 - DB 2D 88 F8 B1 A4 C1 12
    Mar 30 11:20:12 vpngw2 1290: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
    Mar 30 11:20:12 vpngw2 1291: Mar 30 09:21:56.286: RADIUS:  Tunnel-Type         [64]  6   00:
    Mar 30 11:20:12 vpngw2 1292: L2TP                   [3]
    Mar 30 11:20:12 vpngw2 1293: Mar 30 09:21:56.286: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
    Mar 30 11:20:12 vpngw2 1294: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
    Mar 30 11:20:12 vpngw2 1295: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
    Mar 30 11:20:12 vpngw2 1296: Mar 30 09:21:56.286: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
    Mar 30 11:20:12 vpngw2 1297: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
    Mar 30 11:20:12 vpngw2 1298: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
    Mar 30 11:20:12 vpngw2 1299: Mar 30 09:21:56.286: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:12 vpngw2 1300: Mar 30 09:21:56.286: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
    Mar 30 11:20:12 vpngw2 1301: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  59
    Mar 30 11:20:12 vpngw2 1302: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   53  "ppp-disconnect-cause=Received LCP TERMREQ from peer"
    Mar 30 11:20:12 vpngw2 1303: Mar 30 09:21:56.286: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:12 vpngw2 1304: Mar 30 09:21:56.286: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Mar 30 11:20:12 vpngw2 1305: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  35
    Mar 30 11:20:12 vpngw2 1306: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    Mar 30 11:20:12 vpngw2 1307: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
    Mar 30 11:20:12 vpngw2 1308: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-tx-speed=100000000"
    Mar 30 11:20:12 vpngw2 1309: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
    Mar 30 11:20:12 vpngw2 1310: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-rx-speed=100000000"
    Mar 30 11:20:12 vpngw2 1311: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Time   [46]  6   5
    Mar 30 11:20:12 vpngw2 1312: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Octets   [42]  6   5980
    Mar 30 11:20:12 vpngw2 1313: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Octets  [43]  6   120
    Mar 30 11:20:12 vpngw2 1314: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Packets  [47]  6   47
    Mar 30 11:20:12 vpngw2 1315: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Packets [48]  6   11
    Mar 30 11:20:12 vpngw2 1316: Mar 30 09:21:56.286: RADIUS:  Acct-Terminate-Cause[49]  6   user-request              [1]
    Mar 30 11:20:12 vpngw2 1317: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  39
    Mar 30 11:20:12 vpngw2 1318: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   33  "disc-cause-ext=PPP Receive Term"
    Mar 30 11:20:12 vpngw2 1319: Mar 30 09:21:56.286: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
    Mar 30 11:20:12 vpngw2 1320: Mar 30 09:21:56.286: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:12 vpngw2 1321: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:12 vpngw2 1322: Mar 30 09:21:56.286: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:12 vpngw2 1323: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:12 vpngw2 1324: Mar 30 09:21:56.286: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:12 vpngw2 1325: Mar 30 09:21:56.286: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:12 vpngw2 1326: Mar 30 09:21:56.286: RADIUS:  Acct-Delay-Time     [41]  6   0
    Mar 30 11:20:12 vpngw2 1327: Mar 30 09:21:56.286: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:12 vpngw2 1328: Mar 30 09:21:56.286: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:12 vpngw2 1329: Mar 30 09:21:56.294: RADIUS: Received from id 1646/20 10.27.1.228:1813, Accounting-response, len 20
    Mar 30 11:20:12 vpngw2 1330: Mar 30 09:21:56.294: RADIUS:  authenticator E1 09 A6 6D 91 C6 B1 B3 - 78 00 FF 4F 25 32 C6 B5
    Mar 30 11:20:12 vpngw2 1331: Mar 30 09:21:56.406: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
    Mar 30 11:20:12 vpngw2 1332: Mar 30 09:21:56.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
    =============================================================

    I found the failure.
    In the cisco config it must be
    aaa authorization network default group radius local
    not
    aaa authorization network groupauthor local

  • NAC VL3 in-band for VPN users Setup

    We have the setup configured as per Sample in-band for VPN clients configured.
    Currently all our clients authenticating successfully, however when they open their IE, they don't get a NAC Agent page?
    What are some of the places where I should start to look into for troubleshooting??
    Thank you,
    Dev

    Multi-hop L3 support for in-band (wired) deployments enables administrators to deploy the Clean Access Server (CAS) in-band centrally (in core or distribution layer) to support users behind L3 Switches (e.g. routed access) and remote users behind VPN Concentrators or remote WAN routers.With L3 IB, users more than one L3 hop away from the CAS are supported and their traffic always goes through Cisco NAC Appliance.
    Make sure the below compatibility.
    ActiveX/Java Applet and Browser Compatibility
    • ActiveX is supported on IE 6.0 for Windows XP and Windows 2000 systems.
    • IE 7.0 Beta is not supported when the Clean Access Agent is installed. For the Agent to login and perform other operations, users must uninstall IE 7.0 Beta 2.
    • Java applets are supported for major browsers including Safari 1.2+, Mozilla (Camino, Opera), and Internet Explorer on Windows XP, Windows 2000, Mac OS X, and Linux operating systems.
    • Due to Firefox issues with Java, Java applets are not supported for Firefox on Mac OS X.
    For further information click this link.
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/411/cas411/s_L3oob.html

  • Use Cisco ACS to verify MAC address for VPN User

    Question: I want to have the MAC address of a machine checked when the user is logging into VPN Client.
    For example:
    User opens VPN client-->Clicks connect-->types in User/Pass which gets passed to ACS (part of what should be sent is the MAC address)---> ACS responds with a yes/no on user/pass and whether the MAC address is right)

    Hi Pete,
    I have found out in some of my testings that If a PC doesnot genareate any kind of traffic and is totally ideal and once the MAC-address table ages out, it doesnot show its MAC untill the PC generates some kind of traffic.I guess this is what you must be seeing.
    I have oberved one more thing that If I connect a fully booted PC which not generating any traffic to a switch port it doesnot learn its Mac-address untill its generates the traffic. This is what my obeservations is and that what I believe in most of the cases.
    i dont know whether that answer your question or not but it could be something closer. I think there will be some who can put some more ligth on this.
    regards,
    -amit singh

  • Best practice to install zen agent for VPN users

    Hi,
    We have users accessing the company network via VPN. I have installed a
    Middle-Tier server and am starting to roll out ZENworks agents on the
    remote user's notebook. I have been testing a few intallation settings but
    not too satisfy up to now. What I want to do is to have the users boot up
    their machines, manually log on to VPN, then ZENworks workstation manager
    will automatically logs on to the Middle-Tier server, deploy the apps and
    stay alive all the time when they are connected to VPN. Is there any tweak
    I can do on the registry to achieve that?
    Johnny

    Jared,
    When I log on to VPN, I have to right click on the ZENworks Application
    Explorer icon in the system tray and then ZENworks Middle Tier Server Login
    to log on to ZENworks. Is it possible to automate this? There is also
    another screen that asks you whether you want to stay connect on this
    session. Is there anywhere in the registry to have this screen not to show
    up but have ZENworks always connected wnen I am in VPN?
    TIA
    Johnny
    Peter
    > zennewbie,
    >
    > > What I want to do is to have the users
    > > boot up their machines, manually log on to VPN, then ZENworks workstation
    > > manager will automatically logs on to the Middle-Tier server, deploy the
    > > apps and stay alive all the time when they are connected to VPN.
    >
    > Which part is failing, the autologin, or the applications staying
    > available?
    >
    > --
    > Jared Jennings
    > Data Technique, Inc.
    > Novell Support Forums Sysop
    > http://wiki.novell.com
    >

  • Why does Firefox 31 change all PDF icons and opening in browser, require a fix using REGEDIT to fix for ALL USERS on a computer?

    The solution to use REGEDIT in the question linked below almost fixed my trouble with PDF files on over 30 computers, with several users on each computer:
    https://support.mozilla.org/en-US/questions/1013642
    But I needed to fix it for ALL users on a computer, without logging onto each account, on each computer. My fix was to logon as administrator and change the following system-global key instead:
    HKEY_LOCAL_MACHINE\Software\Classes\.pdf
    Name: Default
    Type: Reg_SZ
    Data: FirefoxHtm
    Changed the data from FirefoxHtm to AcroExch.Document.11
    I use Adobe Reader XI on Win7 Pro, 64-bit machines.
    The problem started when I ran a downloaded file to install the new version of Firefox on the computers.
    Why would Firefox require me to use REGEDIT in this manner to fix the problem?

    This only happens when you set Firefox as the default browser and Firefox thinks that there is currently no application the handles PDF files.

  • ASA does not propagate routes to VPN users

    Good afternoon
    I´m having an issue regarding the propagation of routes to VPN users that authenticate through the asa tunnel-group.
    I have a VPN-Users-Pool from where my users receive their IP address, and after authentication and the tunnel is established the idea is for the user to get to the following networks defined in the following ACL:
    access-list Inside standard permit 10.1.0.0 255.255.0.0
    access-list Inside standard permit 192.168.15.0 255.255.224.0
    Now the problem is that after the tunnel is established the only route the user receives is the default route (which is not suposed to be sent). The user does not receive the specified routes in the ACL above. He also does not receive the netmask and assumes a /8 netmask (given that the network pool from where he is receiving the IP is a class A network).
    The network routing is working as expected (when I add the static routes directly to the users PC, everything works OK). It´s just the issue of the ASA not propagating the routes as it should.
    Here are my split tunneling settings:
    group-policy DefaultRAGroup attributes
    vpn-idle-timeout 1
    vpn-tunnel-protocol l2tp-ipsec
    pfs disable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    group-policy DfltGrpPolicy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    Any ideas?
    I apreciate your help
    Best regards

    ajaychauhan
    Thank you for your reply. I´m sending the config bellow (I´ve cleared all info confidential such as IPs, passwords, timeout values, etc, but i think what you have bellow is enough to get a clear picture):
    ASA Version 8.2(1)
    hostname asa-xxxx
    enable password xxxxxxxxx encrypted
    passwd xxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 197.X.XX.XX 255.255.255.248
    interface GigabitEthernet0/1
    nameif vpncorp
    security-level 50
    ip address 10.X.XX.XX 255.255.255.248
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    speed 100
    duplex full
    nameif mgmt
    security-level 100
    ip address 10.x.xx.xx 255.255.255.240
    management-only
    ftp mode passive
    dns server-group DefaultDNS
    domain-name zz.df.es
    access-list Inside standard permit 10.1.0.0 255.255.0.0
    access-list Inside standard permit 192.168.15.0 255.255.224.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 14000
    logging buffered debugging
    logging asdm debugging
    logging facility 21
    logging host mgmt 10.xx.x.x
    logging class auth trap informational
    logging class config trap informational
    logging class ha trap informational
    logging class sys trap informational
    logging class vpdn trap informational
    logging class vpn trap informational
    mtu outside 1500
    mtu vpncorp 1500
    mtu mgmt 1500
    ip local pool VPN-01-pool 10.XX.XX.X-10.XX.XX.XX mask 255.255.252.0
    ip local pool VPN-02-pool 10.xx.xx.x-10.xx.xx.xx mask 255.255.252.0
    ip local pool VPN-USER-pool 192.168.xx.x-192.168.xx.xx mask 255.255.0.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    route outside 0.0.0.0 0.0.0.0 197.xx.xx.xx 1
    route vpncorp 10.x.x.x 255.xx.xx.xx 10.xx.xx.xx 1
    route vpncorp 10.xx.xx.xx 255.255.0.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.248 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.0 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    route mgmt 10.xx.xx.xx 255.255.255.255 10.xx.xx.xx 1
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server mgmtt protocol radius
    aaa-server mgmtt (mgmt) host 10.xx.x.xx
    timeout xxx
    key xxxxxxxxxx
    authentication-port xxx
    accounting-port xxxx
    aaa-server mgmtt (mgmt) host 10.xx.xx.xx
    timeout xxx
    key xxxxxx
    authentication-port xxxx
    accounting-port xxxx
    aaa-server Users protocol radius
    accounting-mode simultaneous
    interim-accounting-update
    aaa-server Users (mgmt) host 10.xx.xx.xx
    key xxxxx
    authentication-port xxxx
    accounting-port xxxx
    aaa-server Users-2 protocol radius
    accounting-mode simultaneous
    interim-accounting-update
    aaa-server users-2 (mgmt) host 10.xx.xx.xxx
    key xxxx
    authentication-port xxx
    accounting-port xxxx
    aaa authentication ...
    aaa authentication ...
    aaa authentication ...
    aaa authorization ...
    aaa accounting ...
    aaa accounting ...
    aaa accounting ...
    snmp-server ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec transform-set ...
    crypto ipsec security-association lifetime seconds xxx
    crypto ipsec security-association lifetime kilobytes xxx
    crypto dynamic-map vpn-ra-dyn_map 10 set ...
    crypto map outside_map 100 ipsec-isakmp dynamic vpn-ra-dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy ...
    authentication pre-share
    encryption xxx
    hash xxx
    group x
    lifetime xxx
    crypto isakmp policy xxx
    authentication pre-share
    encryption xxx
    hash xxx
    group x
    lifetime xxx
    telnet timeout xxx
    ssh 10.x.x.x 255.255.255.255 mgmt
    ssh timeout x
    ssh version x
    console timeout x
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    vpn-idle-timeout 1
    vpn-tunnel-protocol l2tp-ipsec
    pfs disable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Inside
    default-domain value xx.xx.es
    group-policy DefaultRAGroup_1 internal
    group-policy DefaultRAGroup_1 attributes
    vpn-idle-timeout 1
    split-tunnel-policy tunnelspecified
    username ...
    username ...
    username ...
    tunnel-group DefaultRAGroup general-attributes
    authentication-server-group (outside) Users
    accounting-server-group users
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key xxxxx
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    tunnel-group asa type remote-access
    tunnel-group asa general-attributes
    address-pool VPN-user-pool
    authentication-server-group (outside) test
    accounting-server-group test
    tunnel-group asa ipsec-attributes
    pre-shared-key xxxx
    tunnel-group asa ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group tstvpn type remote-access
    tunnel-group tstvpn general-attributes
    authentication-server-group (outside) users-2
    accounting-server-group users-2
    default-group-policy DefaultRAGroup
    tunnel-group tstvpn ipsec-attributes
    pre-shared-key xxxx
    tunnel-group tstvpn ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum xxxx
    policy-map global_policy
    class inspection_default
      inspect xxxx
      inspect ...
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:xxxxxx
    : end

  • CAS SSO not working for VPN Group

    Hello,
    I am trying to get SSO working for a CAS/CAM in a inband virtual gateway for VPN users coming in off a ASA5520. There are two VPN groups each with its own group policy and tunnel group. One group uses a Windows IAS Radius Server and the other a token based RADIUS RSA device.
    Users use the AnyConnect client to connect to the ASA where they are dumped into a vlan. SSO works for the group that uses the Winodws radius server. On the CAS the Cisco VPN Auth server has the Unauthenticated Group as the default group, and then I use mapping rules (Framed_IP_Address) to get the different vpn groups into the right roles. This works for the one group, but since SSO is not working on the second group the CAS never gets the chance to assign them into the correct role.
    The only thing I got is this from the ASA:
    AAA Marking RADIUS server billybob in aaa-server group cas_accounting as ACTIVE
    AAA Marking RADIUS server billybob in aaa-server group cas_accounting as FAILED
    I am so close but cant call this done yet....

    Hey Faisel,
    Thanks for the question.
    This is the stange thing. For days Group A (Windows Radius Server) was working and Group B (RSA Radius Server)  would not work. Then for some reason I had to reboot the CAS and BOOM...Group B started working and Group A STOPPED working.
    So on the ASA I now get these:
    AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as ACTIVE
    AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as FAILED
    Where cas_accounting2 is the AAA server group for Group A
    On the ASA I can see that the FW sends a packet to the cas:
    "send pkt cas2-hvn-3515/1813"
    but the FW never gets an answer back from the CAS for Group A whereas with Group B I can see the response from the CAS.
    "rad_vrfy() : response message verified"
    What can I look for in the CAS logs to see where the problem is. I will try and setup a packet capture on the CAS and debug it too.

  • Can I use ISE IPN without posture for VPN with Base license only?

    I'm looking at ISE licensing, and both Base and Advanced licenses have VPN listed. I could not find any document that provides guideline for VPN implementation using ISE Base license only.
    1. Can I use ISE IPN (Inline Posture Node) functionality without posture assessment with ISE Base license only? (I know it has to be ISE hardware appliance, and I know that Posture assessment requires ISE Advanced license.)
    2. Do I have to use IPN for VPN deployment using ISE as the Radius server?
    3. If I do not have to use IPN for VPN, can I use ISE for Authentication and Authorization in the same way as I use ACS?
    Thanks,
    Val Rodionov

    Val,
    There is no need to consider IPN if you are not using posturing. You can use ISE much like ACS for radius authentication for vpn users.
    If posturing is down the road and your hope is to have an architecture in place and license later, then I am sure that you can use the ipn with base licensing, however I would strongle recommend working with the PDI (for partners) for help and confirmation.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE Profiling options for VPN clients

    I'm trying to mull over what profiling options are available for VPN users.  I have an environment using ASA VPN in conjunction with ISE IPN to allow full posturing for VPN clients prior to allowing network access.  The use case here is we want to allow BYOD-type devices in for VPN (using software clients), but want to allow them to be exempted from ISE posturing requirements.  I don't see an easy way to distinguish these device types that cannot use the NAC agent from the O/Ses that can.  Since the mac address isn't sent to the headend, I can't use any of the traditional DHCP-based profiling criteria.  So the net effect is these devices are stuck in the "unknown" posture state and have very limited access.  Any way around this catch-22?  Incidentally DHCP profiling is on and working fine for the wireless users on the network, but doesn't help me here since I only know the machines by their mac address.

    Chris I ran into the same issue. Netflow doesn't work and use packet captures to see if anything was worth while. The only option I see is filing a enhancement request to see if the asa can send the device platform over ot ise via radius (much like the device sensor feature on ios).
    I also tried to use a span session and the catch with is that the asa doesn't assign the calling station id attribute to the tunnel ip, but the public ip the user is connecting from. So ise doesn't apply the user agent attributes to the current session.
    I was able to find a way around this by modifying the messaging via root patch to have the users click a link instead of retrying their request when they hit the cpp portal as a mobile device.
    Sent from Cisco Technical Support Android App

  • PIX- AAA Authentication Exclude.

    I have enabled "aaa authentication exclude" commad statement on PIX (6.3).
    This excludes the Hosts for which the Firewall doesnot prompt for authentication.
    What is the best way to add more lines into it.Do i have to remove all the commands and then all the old and new commands.I added one host in the list for exclution,but the PIX still prompts for username/password.
    aaa authentication exclude https outside x.x.x.x 255.255.255.255 a.b.c.d 255.255.255.255 authserv
    aaa authentication exclude http outside x.x.x.x 255.255.255.255 a.b.c.d 255.255.255.255 authserv
    aaa authentication exclude tcp/25 1.1.1.1 255.255.255.255 192.168.25.1 255.255.255.255 authserv
    aaa authentication exclude tcp/25 1.1.1.2 255.255.255.255 192.168.25.2 255.255.255.255 authserv

    Remove the old configuration.To exclude a particular source or destination from authentication, authorization, or accounting, try
    aaa authentication exclude telnet outside 172.18.124.114 255.255.255.255 99.99.99.3 255.255.255.255 AuthInbound,
    aaa authorization exclude telnet outside 172.18.124.114 255.255.255.255 99.99.99.3 255.255.255.255 AuthInbound.Refer URL
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea9.shtml#exclude_command

  • VPN users Accounting : Please Help

    Hello All,
    I want account the number are users connected to network via VPN also who are they and what they are doing. I have configured local database(on router) for VPN users.
    How to do the same.Please provide any link or document to do the same.
    Abhisar.

    Hi Abhisar,
    The following link will give you details of how to configure radius on the router:
    http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/scrad.html
    You can configure the command authorization and accounting for the requirement you mentioned.
    Hope that helps.
    Regards,
    Anisha
    P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Maybe you are looking for

  • Smartform error while printing page wise.

    Hi gurus!  while printing from smartforms , if i select particular page in page selection option. its giving error - No output request open. End not possible. i have used SSF_OPEN and SFF_CLOSE functional module. No output request open. End not possi

  • Can I lock items in my Dock?

    My 4 year old daughter has a great game of dragging things out of my dock and watching the puff of smoke!!!.. great fun for her but a real pain for me! With Tiger I used Transparent dock which had a check box that allowed you to lock the items in the

  • Loaded PHP Image works on Windows but not Mac

    I have a php file that generates a string image, the php file changesheaders to jpeg and it becomes a image. In my code im loading the .php file into a mc. In all windows browsers its showing image correctly, but in Mac its coming up red. If you view

  • The dreaded Error -32

    Hey everyone, I have been googling this for the last couple of days and tried various things but nothing has helped. I have been trying to copy a large amount of data from one external HD to a brand new WD 2TB drive and I constantly get the Error -32

  • Help Understanding Deployment

    I'm new to Java EE and WebLogic and I'm trying to understand what is involved in deploying a web application. One BEA pages says this about deployment: "Deploying a Web application enables WebLogic Server to serve the components of a Web application