Anyconnect Radius Question

I have an ASA 5510 and I'm currently using it to serve my VPN client (IPsec) users. I want to be able to also use it for the AnyConnect client but limit who can use the client to connect. I'm authenticating my users using a Windows IAS server and I push down ACLs via the AV-Pair attribute. Is there a way via RADIUS or on the ASA to specify which users are allowed to use the AnyConnect client? I need to limit access to this. I wasn't able to find anything in the documentation but I may be missing something.
Thanks for the assistance.

You can use the IETF Class value (attribute 25) to pass along a string to the ASA. Using this string, you can have the ASA place the user on a specific group-policy that matches that string, and in the group-policy you can have the tunnel protocol svc or webvpn enabled or not. When the user that should not be connecting via AnyConnect receives the string and the ASA places the user on the group-policy that does not have that tunnel protocol enabled, the connection will never happen.
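The group-policy arrangement described in the answer above, written out as an added configuration example (not taken from the thread or from the poster's own box). The group-policy and tunnel-group names, the server-group name IAS and the pre-8.4/post-8.4 keyword pairs are the editor's assumptions; the Class string format "OU=<group-policy>;" is the one the ASA matches against its group-policy names.

```text
! Two group policies: the restrictive one allows only the legacy IPsec client,
! the permissive one adds AnyConnect (SSL client).
group-policy GP-IPSEC-ONLY internal
group-policy GP-IPSEC-ONLY attributes
 vpn-tunnel-protocol ikev1
!  (pre-8.4 syntax:  vpn-tunnel-protocol IPSec)
!
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ikev1 ssl-client
!  (pre-8.4 syntax:  vpn-tunnel-protocol IPSec svc)
!
! Make the restrictive policy the default for the tunnel group, so a user whose
! RADIUS reply carries no Class attribute (or a Class the ASA cannot match)
! is denied AnyConnect rather than silently allowed.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group IAS
 default-group-policy GP-IPSEC-ONLY
!
! On the IAS/NPS remote-access policy that matches the AnyConnect-entitled users,
! return the standard RADIUS attribute Class (25) with the string value:
!
!     OU=GP-ANYCONNECT;
!
! The ASA takes the text between "OU=" and ";" as the group-policy name and applies
! it for that session. Verify with "show vpn-sessiondb anyconnect" (the Group Policy
! column) and, for a denied user, "debug webvpn" / the %ASA-4-113... AAA messages.
```

The existing per-user ACLs pushed via the Cisco AV-Pair keep working alongside this; the Class attribute only selects which group-policy the session inherits. Keep the IPsec-only policy as the default so the failure mode of a missing or mistyped Class value is deny, not allow.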

Similar Messages

  • 802.1x EAP-PEAP - Radius Question

    We're going to be deploying a wireless solution to a customer at some point shortly. So far we have a WLC 2500 Series,
    1140 LAPs, and a 2960-S switch. We're going to have Windows 7, iPhone, iPAD devices, and I was going to implement
    802.1x EAP-PEAP. I'm going to need a RADIUS server, but I was just wondering is there a cheaper solution than just
    getting a Cisco ACS to run a simple RADIUS server which is all I need.
    Also, when the supplicant sends its NAI in an EAP-Response/Identity message, what exactly is this username
    and how does it differ from the username you provide after the secure TLS tunnel has been configured?

    Hey John,
    Yes, in fact it's all about feeling comfortable. So here is a video showing LOCAL PEAP on a WLC.
    http://www.youtube.com/watch?v=YIxG4OEfwtY
    The 2000 is because there is a database limit; this includes MACs, local accounts and AP MACs for AP policy. The max is 2048. Here I blogged about this:
    http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
    So yes it sounds right and you should be good.
    Hope this makes you feel a little bit better with your direction. If this helps can you mark the question as answered ?
    Thanks John!
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Urgent RADIUS question

    Hi,
    At a customer we have our WAAS appliances enabled for RADIUS authentication (indirectly, to Active Directory). The authentication itself works. But when the AD password policy requests users to change credentials, the AD accounts start locking out.
    We found out that CM is pushing user accounts to the appliances. When saving the account to the CLI config of the appliance, the appliance does a RADIUS authentication request. Because CM is configured with old/expired passwords this action locks our accounts quickly (100+ appliances).
    How can we fix this? Can we configure the system not to store our old accounts and push them out to the remote appliances?
    Regards,
    Erik
    We see the following passing in the logs for every user every once in a while.
    2012 Nov 12 14:58:58 wae01-sitea config: %WAAS-PARSER-6-350232: CLI_LOG log_cli_command: username "etam" passwd 
    2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got user name #####
    2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Sending RADIUS request code 1
    2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got RADIUS response code 3
    2012 Nov 12 14:58:58 wae01-sitea perl: %WAAS-CMS-5-700001: Done with usercreation username :: "etam" process return value :: 0

    Hello,
    You're on the right track with CSM (Cisco Security Manager). CSM would fit perfectly in this role. We use it to maintain 6 ASAs and about 120 PIX firewalls. It is great for policy-based firewall administration. Compared to other CiscoWorks products, CSM is very stable and performs ideally in the situation you describe above. If you have anymore questions, let me know.
    -Mike
    http://cs-mars.blogspot.com

  • Radius Questions

    Hi everyone. Hope you all had a good new year. Bring on 2008!
    I'm looking into a wireless network at my school and have previously had a really bad experience with wireless. The school I previously worked at had wireless and I think the reason why it didn't work properly was because they weren't using commercial access points and stuck with home-based equipment and dotted lots of these around the building. It was a nightmare to administer because you had to keep note of every IP for each AP if you needed to make a change and log in to every AP if it was a global change.
    I'm interested in knowing more about RADIUS server setup but the content I am finding online just seems to confuse me. I have a few questions which I hope someone may be able to answer for me:
    1. Am I right in saying that if you have a RADIUS server all APs which are RADIUS compatible can be managed from the server end? So for example if I wanted to change the SSID for the whole wireless network I could simply go onto the RADIUS server, make a change there and then the server will broadcast this to all the APs?
    2. The authentication part of RADIUS, does this link in with Active Directory? So if a user wanted to log onto the network they could use their AD account to authenticate and allow access to the wireless network? Or does it run on a separate authentication system?
    3. Network access control (NAC): is this a Cisco proprietary thing? And can this work with a RADIUS server?
    I appreciate any help on this. If anyone could also point me to some good companies who may be able to provide me with a solution that would be great.
    Your help is appreciated

    #1. That would be no. The RADIUS server is used to authenticate the users, not to manage the APs. There can be some interaction with the APs from RADIUS in that some configurations allow you to authenticate MAC addresses with RADIUS. That way you could enter the MAC once on the RADIUS server instead of doing it on each AP, though I have not bothered with that. The nice thing about RADIUS is that when someone tries to hack your wireless, a RADIUS server tied to AD can cause AD account lockout based on your policies, and it is easy to tell if someone is hacking your wireless by checking your RADIUS logs.
    2. RADIUS can point to several external user sources including AD, or you can even have user IDs on the RADIUS server itself.
    3. NAC should be able to work with RADIUS, though I have not used it as of yet.
    To manage all of the APs centrally, you would get Cisco's LWAPP APs and a wireless controller such as a 4404. You can also add WCS to manage multiple controllers. It is pretty cool, but I find WCS kind of difficult to navigate if you are used to the autonomous APs. In any case, it does things you cannot do with standalone APs.
    Randy

  • CSS3 Corner Radius question

    I know this question should be posted on a CSS3 Forum but I can’t seem to find one and thought DW users might have come across an answer.
    When the corner radius of an AP Div is defined and an image is placed inside the APD, the rectangular corners of the image are not clipped by the APD box. The image corners actually stick out beyond the rounded corners. Is there a style property that hides the image corners or clips them? I’ve tried setting the overflow to Hidden without success.

    Actually there is a way to clip images as long as you target the image and not the containing element as in
    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="UTF-8">
    <title>Untitled Document</title>
    <style>
    /* Target the image itself, not the containing div, so the rounded corners clip the bitmap. */
    #tab1 img {
        position:absolute;
        left:92px;
        top:33px;
        width:115px;
        height:34px;
        z-index:1;
        /* border radius and drop shadows */
        border-radius: 20px 20px 0px 0px / 20px 20px 0px 0px;
        border-top-left-radius: 20px 20px;
        border-top-right-radius: 20px 20px;
        border-bottom-right-radius: 0px 0px;
        border-bottom-left-radius: 0px 0px;
        box-shadow: -4px -7px 5px 0px rgba(128,128,128,0.3);
        -moz-box-shadow: -4px -7px 5px 0px rgba(128,128,128,0.3);
        -webkit-box-shadow: -4px -7px 5px 0px rgba(128,128,128,0.3);
        font-family: Arial, Helvetica, sans-serif;
        font-size: 18px;
        color: #333333;
        border-top-width: 1px;
        border-right-width: 1px;
        border-left-width: 1px;
        border-top-style: solid;
        border-right-style: solid;
        border-bottom-style: none;
        border-left-style: solid;
        border-top-color: #000000;
        border-right-color: #000000;
        border-left-color: #000000;
    }
    </style>
    </head>
    <body>
    <div id="tab1"><img src="Home1.png" alt="tab1" /></div>
    </body>
    </html>
    Gramps

  • Local radius question?

    Hi,
    I was just taking a look at the local radius functionality on a router. I've found a strange problem which doesn't make sense to me and I was wondering if someone could explain what I'm seeing. As a basic lab to learn the ropes with local radius I created a local radius server on my router and got the local vty lines to use it for authentication.
    This is my config:
    interface Loopback0
      ip address 192.168.0.1 255.255.255.255
    ip radius source-interface Loopback0
    aaa group server radius LOCAL-RADIUS
    server 192.168.0.1 auth-port 1812 acct-port 1813
    aaa authentication login default group LOCAL-RADIUS
    radius-server local
      nas 192.168.0.1 key 0 <removed>
      user mwhittle nthash 0 <removed>
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key <removed>
    radius-server vsa send accounting
    Now here's the strange thing... If I configure the RADIUS user to "mwhittle" with the password "mwhittle" it works and I get an Access-Accept. If I configure anything other than the username for the password it doesn't work and I get an Access-Reject. I have tried many combinations, but as long as the username and password are the same it works and if they aren't it doesn't. This can't be normal behavior unless I'm missing something.
    Any ideas?
    Kind regards,
    Mike

    Hi,
    What kind of RADIUS client application are you using with the IOS local RADIUS server? Please note that this server supports *only* wireless clients,
    and only for the LEAP and EAP-FAST EAP types, and also MAC authentication. It does not provide support for other kinds of RADIUS clients.
    The fact that username=password happens to seem to work is, I believe, an accidental artifact of the MAC authentication support, where username
    is always equal to password.
    If you are not using the MAC auth, then please feel free to open up a TAC case and we will help you.
    Let me know if this answered your question.
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or helpful.

  • RADIUS Question

    I have never configured RADIUS or managed it, but I have done complete rollouts of TACACS.
    I know it's a loaded question, but how different are the two with regard to management, architecture and resources? The client is using RADIUS for AAA on the network devices for management, not remote dial access.
    I'm asking this question because it takes about 1 minute for me to get authenticated when I telnet to a router. After that, the authorization is quick and the router responds immediately after entering a command.
    [EDIT] By the way, all the other network devices I have tried logging onto respond quickly, the problem seems to be located to one L3 switch -- a 6509.
    [EDIT 2] I was wrong. The device I thought was authenticating me quickly had the aaa commands removed. I was using local authentication. So, the problem IS network wide.
    When I do a sh radius stats, I see:
                                  Auth.  Acct.  Both
    Number of Radius timeouts:        8    112   120
    Packets without responses:        1     14    15
    Counters are incrementing. What is this telling me?
    Thanks
    Victor

    Use this Document : Remote Authentication Dial-In User Service is a distributed client/server system that secures networks against unauthorized access.
    http://www.cisco.com/en/US/tech/tk583/tk547/tsd_technology_support_sub-protocol_home.html

  • ACS Radius Question about Request Authenticator Field

    Hi, I did a little bit of reading about RADIUS to understand it more in depth.
    If I understand correctly, the Request Authenticator field in the Access-Request packet is just a random number and has nothing to do with the configured shared secret on the AAA client.
    That would mean that ACS does not check the shared secret in an incoming request.
    So in the case of CHAP authentication, the password in the request is not encrypted with the shared secret; ACS can successfully check the credentials from the request even though the shared secret between ACS and the AAA client does not match, and will send an Access-Accept packet.
    The Response Authenticator field in the Access-Accept packet is an MD5 over (Code+ID+Length+RequestAuth+Attributes+SharedSecret).
    So if the shared secret does not match, the AAA client will recognize this and will not grant access.
    Is that true so far?
    I always thought that the shared secret must match, otherwise ACS will not accept any RADIUS request.
    Thx
    hubert

    Hi Nicholas,
    pls see attached a packet-capture from 6 Radius-request of a AAA-Client (small Radius-Test-SW) and the answer from ACS
    1 PAP wrong key correct Password -> ACS logs failed auth
    2 PAP correct key correct Password -> ACS logs success auth
    3 CHAP wrong key correct Password -> ACS logs success auth
    4 CHAP correct key correct Password -> ACS logs success auth
    5 CHAP wrong key wrong Password -> ACS logs failed auth
    6 CHAP correct key wrong Password -> ACS logs failed auth
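The six captures above are exactly what RFC 2865 predicts, and the mechanics are worth seeing end to end. The following is an added example written for this page, not code from the thread or from ACS: a constructed NAS and a constructed server (user database, secrets and the challenge derivation are all assumptions) exchange Access-Request/Accept/Reject packets built with the real wire format and the real MD5 constructions. PAP hides the password with the shared secret (RFC 2865 s.5.2), so a wrong secret on the server turns the password into garbage and the attempt is logged as a failure. CHAP-Password (s.5.3) never involves the secret, so the server verifies it and logs a success; the client then recomputes the Response Authenticator (s.3) with its own secret, sees a mismatch, and discards the reply, which is why no access is granted even in capture 3.

```python
import hashlib
import os
import struct

# Added example, not from the thread: RFC 2865 authenticators worked in Python. A
# constructed NAS and server share (or fail to share) a secret; the scenarios mirror
# the six captures in the post. Nothing here talks to a real ACS; all values are local.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60
USER_DB = {b"hubert": b"correct-pw"}   # constructed server-side credential store


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each with MD5(secret + previous block),
    seeded with the Request Authenticator. This is the only place PAP uses the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def pap_reveal(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident, password, challenge):
    """RFC 2865 5.3: CHAP-Password = ident || MD5(ident || password || challenge).
    The shared secret is not an input, which is why a server with the wrong key still
    verifies the credentials (capture 3 in the post)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_access_request(method, user, password, client_secret, request_auth, ident=1):
    attrs = [attr(USER_NAME, user)]
    if method == "pap":
        attrs.append(attr(USER_PASSWORD, pap_hide(password, client_secret, request_auth)))
    else:
        challenge = hashlib.md5(request_auth + b"chal").digest()   # constructed challenge
        attrs.append(attr(CHAP_PASSWORD, chap_response(ident, password, challenge)))
        attrs.append(attr(CHAP_CHALLENGE, challenge))
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_handle(request, server_secret):
    """Constructed server. Without a Message-Authenticator attribute nothing in an
    Access-Request lets the server test the secret; it only matters for PAP decoding."""
    ident, request_auth, attrs = request[1], request[4:20], parse_attrs(request)
    expected = USER_DB.get(attrs.get(USER_NAME, b""))
    if USER_PASSWORD in attrs:     # PAP: wrong secret -> garbage password -> reject
        ok = expected is not None and pap_reveal(attrs[USER_PASSWORD], server_secret, request_auth) == expected
    else:                          # CHAP: checkable without the secret at all
        cp = attrs[CHAP_PASSWORD]
        ok = expected is not None and cp == chap_response(cp[0], expected, attrs[CHAP_CHALLENGE])
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return ok, struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", request_auth, server_secret)


def client_verify(response, request_auth, client_secret):
    """NAS side: recompute the Response Authenticator with its own secret. A mismatch is
    silently discarded, so the wrong-key CHAP 'success' never turns into access."""
    code, ident = response[0], response[1]
    good = response[4:20] == response_authenticator(code, ident, response[20:], request_auth, client_secret)
    return good and code == ACCESS_ACCEPT


def run_scenario(method, client_secret, server_secret, password, request_auth=None):
    """Returns (server_logged_success, client_grants_access) for one exchange."""
    request_auth = request_auth or os.urandom(16)
    req = build_access_request(method, b"hubert", password, client_secret, request_auth)
    server_ok, resp = server_handle(req, server_secret)
    return server_ok, client_verify(resp, request_auth, client_secret)


if __name__ == "__main__":
    for method, key, pw in [("pap", b"wrong", b"correct-pw"), ("pap", b"right", b"correct-pw"),
                            ("chap", b"wrong", b"correct-pw"), ("chap", b"right", b"correct-pw"),
                            ("chap", b"wrong", b"bad-pw"), ("chap", b"right", b"bad-pw")]:
        print(method, key.decode(), pw.decode(), run_scenario(method, key, b"right", pw))
```

Two practical consequences. First, a "successful" entry in the ACS log for a CHAP or EAP user is not proof that the NAS was configured with the right secret; only the NAS's own acceptance (or its debug output) proves that. Second, the server can only reject a request from a client with the wrong secret if the request carries a Message-Authenticator attribute (type 80, an HMAC-MD5 over the packet keyed with the secret, RFC 2869); enabling and requiring it on both sides closes the gap the poster found, and it is also the mitigation for response-forgery attacks against MD5-only RADIUS.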

  • Corner radius question

    When I make a rectangle stroke with a corner radius in Illustrator and try to scale it down using shift and drag the corner radius changes. How do I keep it from doing this?

    If you don't want this to happen, you will have to do the scaling in two stages using the Direct Select tool. Highlight all the anchor points along one end and scale horizontally using the Shift key to constrain. Then do an edge in the same manner.

  • ASA 5510 Anyconnect VPN question-"Hairpin" vpn connection on same external interface

    I have a Cisco ASA 5510, I want to allow a VPN connection to be established by a client on one of the inside interfaces(10.20.x.x) to be able to go out the single External interface and get authenticated by the ASA to create a VPN tunnel to the other inside interface (10.0.X.X) and access resources on that subnet.
    Basically want clients on a WLAN to be able to VPN back in to the LAN with the ASA in the middle to get to company resources,
    Is this possible?
    Thanks,
    Tommy

    When we connect any VPN on a device, it is always a TO THE DEVICE connection, and I am afraid we can connect only to the local / nearest interface where the user is connected in the network with respect to the ASA.
    I have seen this scenario working earlier, though, with one of my clients, who configured his DNS server so that depending upon the source of the DNS request an appropriate IP address was provided for the same DNS name. For example, if a user from the IP address range 192.168.0.0 connects to abc.com then it will get IP address 192.168.1.1, and if a user from the IP address range 10.0.0.0 connects then it will get 10.1.1.1.
    If we configure the same scenario as well, then your requirement will be fulfilled with the same name; however, VPN has to be enabled on the wireless interface as well. If not, then as you have described, configuring a new domain name for VPN connections only for wireless users should do the deal.
    Regards,
    Anuj

  • AnyConnect SSL-client Certificate AND AAA RADIUS

    Hi All,
    I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
    I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS... Easier said than done. The ASA is grabbing the username, but for the life of me, I can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
    Here are some relevant log messages I'm getting:
    Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
    Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
    Certificate chain was successfully validated with warning, revocation status was not checked.
    Tunnel group search using certificate maps failed for peer certificate: serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name: cn=Cisco Manufacturing CA,o=Cisco Systems.
    Device completed SSL handshake with client outside:72.91.xx.xx/42501
    Group SSLClientProfile: Authenticating ssl-client connection from 72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client certificate
    Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by appliance
    Relevant Config:
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    authentication-server-group RADIUS
    default-group-policy GroupPolicy1
    tunnel-group SSLClientProfile webvpn-attributes
    authentication aaa certificate
    radius-reject-message
    pre-fill-username ssl-client
    group-alias SSLClientProfile enable
    group-url https://URL enable
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    wins-server none
    dns-server value <ip1> <ip2>
    vpn-tunnel-protocol ssl-client
    default-domain value xxxxxxxx
    address-pools value VPNPOOL
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.102.242
    key *****
    aaa-server RADIUS (inside) host 192.168.240.242
    key *****
    ASA version 8.4
    What am I doing wrong? It will not send the request to the AAA server, very much frustating me...

    Progress....
    I changed the authentication to certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: what's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No dice. Thoughts?

  • IKEv2 AnyConnect and Pool allocation via RADIUS

    I have configured a CSR1000V (03.09.00a.S.153-2.S) for AnyConnect with IKEv2. I am storing the username and IKEv2 authorization policy on the RADIUS server. Clients are dropped into their own iVRFs through RADIUS attributes passed back to the NAS.
    e.g. in FreeRadius (2.1.12), the following is defined (home is the 'group') in username@group format.
    home        Cleartext-Password := "cisco"
                Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
                Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
                Framed-Pool = "CUST-A-POOL"
    matt@home   Cleartext-Password := "test123"
    Group and user authorization information is then merged and cloned onto the virtual template:
    crypto ikev2 name-mangler EXTRACT-GROUP
    eap suffix delimiter @
    crypto ikev2 profile FlexVPN-IKEv2-Profile-1
    match fvrf IPSEC-FVRF
    match identity remote key-id FlexAnyConnect
    identity local dn
    authentication remote eap query-identity
    authentication local rsa-sig
    pki trustpoint cacert.org
    dpd 60 2 on-demand
    aaa authentication eap FlexVPN-AuthC-List1
    aaa authorization group eap list FlexVPN-AuthZ-List-1 name-mangler EXTRACT-GROUP
    aaa authorization user eap cached
    virtual-template 1
    interface Virtual-Template1 type tunnel
    no ip address
    tunnel mode ipsec ipv4
    tunnel vrf IPSEC-FVRF
    tunnel protection ipsec profile FlexVPN-IPsec-Profile-1
    However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) passed back to the NAS in the RADIUS debugs:
    *Aug 16 21:36:39.384 BST: RADIUS:  Framed-IP-Pool      [88]  13  "CUST-A-POOL"
    However, the crypto debugs state that an IP address cannot be assigned:
    *Aug 16 21:36:39.435 BST: IKEv2:Failed to allocate IP addr
    <snip>
    Payload contents:
    AUTH NOTIFY(INTERNAL_ADDRESS_FAILURE)
    If the Framed-Pool is removed and a Framed-IP-Address defined instead for the user, then the address is assigned. The CUST-A-POOL is defined locally on the NAS. Is there anything I am missing? Can any more detailed debugs be generated?
    Cheers,
    Matt

    Marcin,
    Thank you for your response; sending "ipsec:addr-pool" does work. I did a bug scrape, but didn't find this (if I try to view it in the new Bug Tool, I get "Insufficient Permissions to View Bug"), but it was possible to paste the Bug ID into the old Bug Toolkit to get the detail.
    As an aside, I also found that "include-local-lan" doesn't appear to work with IKEv2 AnyConnect and isn't likely to be fixed; according to CSCud65859, the workaround is to use split-tunneling ("ipsec:route-set=prefix prefix/len").
    Cheers,
    Matt

  • A QUICK QUESTION ABOUT ANYCONNECT THIRD PARTY CA WITH OCSP RESPONDER.

    Hi guys,
    I have successfully implemented AnyConnect with a third-party CA server (EJBCA) and CRL for revocation checking.
    Now i want to implement OCSP instead of CRL.
    I followed this document:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00809a3fa5.shtml
    In this document it is mentioned that :
    Configure OCSP
    Configure OCSP Responder Certificate
    The OCSP configuration can vary dependent upon the OCSP responder vendor. Read the manual of the vendor for more information.
    Obtain a self-generated certificate from the OCSP responder.
    Follow the procedures mentioned previously and install a certificate for the OCSP server.
    Note: Make sure that revocation-check is set to none. OCSP checks do not need to happen on the actual OCSP server.
    1- My question is how to generate a self-signed certificate from the OCSP responder?
    2- If we are not able to get a self-signed certificate from the OCSP responder, is there any other workaround?
    3- Lastly, why do we use a certificate mapping rule for the OCSP certificate mentioned in the DoD's document?
    feel free to share your views.

    > does the client (e.g. clients using CAPI/CAPI2) also check the "Third-Party Root Certification Authorities" X509 store or do the Certs in this logical store also reside (get copied to) the "Third-Party Root Certification Authorities" X509 store
    yes. Trusted Root CAs container is an aggregated container for all trusted root CAs (for natively trusted CAs and for Root Certification Program members).
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

  • Anyconnect IOS Radius

    Hello,
    I have a Cisco 881 router with an AnyConnect VPN. The web interface works,
    but when I enter a username I'm getting a login failure.
    Looking at the Event Viewer of the NPS I can see that it is using the wrong NETWORK and CONNECTION POLICY;
    it needs to use the VPN policy.
    configuration router Radius:
    aaa group server radius VPN
    server 172.16.200.10 auth-port 1645 acct-port 1646
    configuration router AnyConnect:
    webvpn gateway ANYCONNECT
    ip interface FastEthernet4 port 8080
    ssl trustpoint TP-self-signed-4264276022
    inservice
    webvpn install svc flash:/webvpn/sslclient-win-1.1.4.176.pkg sequence 1
    webvpn context ANYCONNECT-CONTEXT
    title "welcome to office"
    ssl authenticate verify all
    policy group ANYCONNECT-POLICY
       functions svc-required
       svc address-pool "Pool"
       svc keep-client-installed
       svc dns-server primary 8.8.8.8
    default-group-policy ANYCONNECT-POLICY
    aaa authentication list VPN
    gateway ANYCONNECT
    inservice
    What is going wrong?

    Looks like settings on your server.
    Have a look at:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml#configldap
    Step 2.

  • Anyconnect session accounting via radius or syslog ?

    Hi
    Does anyone have a deployed accounting method to log Anyconnect session details ?  Do you do it via a radius server or via logging messages to a syslog server ?
    If so could you assist with appropriate configuration ?  I am looking to log successful and unsuccessful authentications as well as session length, log on and log off times.
    I've been playing around with Anyconnect authenticating to AD via ACS 5.1 but can't seem to get the accounting details I require.  Similarly I have tried to catch appropriate syslog messages but again without much success.
    Many thanks for any input, St.

    What have you configured for RADIUS accounting on the ASA?
    Can you paste the output of show run aaa-server and show run tunnel-group?
    Basically all you need is to define a RADIUS server group and call that group under the tunnel-group parameters.
    !--- Configure the AAA Server group.
    ciscoasa(config)# aaa-server RAD_SRV_GRP protocol RADIUS
    ciscoasa(config-aaa-server-group)# exit
    !--- Configure the AAA Server.
    ciscoasa(config)# aaa-server RAD_SRV_GRP (inside) host 192.168.1.2
    ciscoasa(config-aaa-server-host)# key secretkey
    ciscoasa(config-aaa-server-host)# exit
    !--- Configure the tunnel group to use the new AAA setup.
    ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
    ciscoasa(config-tunnel-general)# accounting-server-group RAD_SRV_GRP
    Once done, you can then establish a session and check radius accounting detailed packet on ACS 5.x >> Monitoring and reports > catalog > aaa protocols > radius accounting.
    In case you don't see RADIUS accounting after following the above steps then please turn on "debug aaa accounting" and "debug radius" on the ASA. This way we can check whether the ASA is sending the accounting session details to ACS or not.
    Regards,
    Jatin Katyal
    - Do rate helpful posts -
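The accounting-server-group answer above covers the RADIUS side. For the syslog route the original poster also asked about, the following is an added example written for this page (not from the thread or from Cisco) that correlates three ASA syslog message IDs into exactly the fields requested: successful and rejected authentications, log-on and log-off times, and session length. The message IDs (113004 success, 113005 reject, 113019 session disconnected with Duration) and their field layout are as the editor knows them from the ASA syslog message guide; the log lines in SAMPLE are constructed for the example, not captured from a real appliance, and the repeated-rejection threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Added example, not from the thread: AnyConnect session reporting from ASA syslog.
# Every line in SAMPLE is constructed. Message IDs and field order are as the editor
# recalls them from the ASA syslog guide; check them against your own "show logging".

SAMPLE = """\
Jan 12 2013 08:59:58 asa01 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.168.1.2 : user = jdoe : user IP = 203.0.113.10
Jan 12 2013 09:00:05 asa01 : %ASA-6-113004: AAA user authentication Successful : server = 192.168.1.2 : user = jdoe
Jan 12 2013 09:00:06 asa01 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.168.1.2 : user = admin : user IP = 198.51.100.7
Jan 12 2013 09:00:07 asa01 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.168.1.2 : user = admin : user IP = 198.51.100.7
Jan 12 2013 09:00:08 asa01 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.168.1.2 : user = admin : user IP = 198.51.100.7
Jan 12 2013 09:42:22 asa01 : %ASA-4-113019: Group = GP-ANYCONNECT, Username = jdoe, IP = 203.0.113.10, Session disconnected. Session Type: SSL, Duration: 0h:42m:17s, Bytes xmt: 1834211, Bytes rcv: 221903, Reason: User Requested
"""

# Timestamp prefix as written by "logging timestamp" with a host name in front of the message.
STAMP = r"^(?P<ts>\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d) \S+ : "
AUTH_OK = re.compile(STAMP + r"%ASA-6-113004: AAA user authentication Successful : "
                     r"server = (?P<server>\S+) : user = (?P<user>\S+)")
AUTH_FAIL = re.compile(STAMP + r"%ASA-6-113005: AAA user authentication Rejected : "
                       r"reason = (?P<reason>.+?) : server = (?P<server>\S+) : user = (?P<user>\S+)"
                       r"(?: : user IP = (?P<ip>\S+))?")
DISCONNECT = re.compile(STAMP + r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
                        r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<stype>[^,]+), "
                        r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, Bytes xmt: (?P<xmt>\d+), "
                        r"Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$")


def duration_seconds(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)


def summarize(text, fail_threshold=3):
    """Return completed sessions (user, group, IP, logon, logoff, seconds, reason),
    a per-(user, IP) rejected-authentication count, and the pairs that reached
    fail_threshold, which is a cheap password-guessing signal worth alerting on."""
    logons, sessions, failures = {}, [], Counter()
    for line in text.splitlines():
        if m := AUTH_OK.match(line):
            logons[m["user"]] = m["ts"]       # most recent successful auth per user
        elif m := AUTH_FAIL.match(line):
            failures[(m["user"], m["ip"])] += 1
        elif m := DISCONNECT.match(line):
            sessions.append({
                "user": m["user"], "group": m["group"], "ip": m["ip"],
                "logon": logons.pop(m["user"], None), "logoff": m["ts"],
                "seconds": duration_seconds(m["h"], m["m"], m["s"]),
                "bytes_xmt": int(m["xmt"]), "bytes_rcv": int(m["rcv"]),
                "reason": m["reason"],
            })
    suspicious = sorted(key for key, n in failures.items() if n >= fail_threshold)
    return {"sessions": sessions, "failures": dict(failures), "suspicious": suspicious}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for s in report["sessions"]:
        print(f'{s["user"]:8} {s["group"]:14} {s["logon"]} -> {s["logoff"]}  {s["seconds"]}s  {s["reason"]}')
    for user, ip in report["suspicious"]:
        print(f"repeated rejections: {user} from {ip} ({report['failures'][(user, ip)]})")
```

The 113019 message already carries the session duration, so the log-on time is only needed for the report; the code takes it from the last 113004 for the same user, which is good enough for a single concurrent session per user and should be keyed on the assigned IP instead if users may hold several. To make sure these messages actually reach the collector, confirm the logging level for the trap destination is at least "warnings" for 113019 and "informational" for 113004/113005, or raise those three IDs individually with "logging message <id> level".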
