NAC for VPN clients

Hi everyone,
Does somebody know how to configure a PIX/ASA and/or a router to do admission control for the VPN clients that connect?
Thanks

Hi,
This link will help:
http://www.cisco.com/en/US/products/ps6121/products_configuration_guide_chapter09186a00806a81a0.html
Regards,
Vivek

Similar Messages

  • ISE Profiling options for VPN clients

    I'm trying to mull over what profiling options are available for VPN users. I have an environment using ASA VPN in conjunction with ISE IPN to allow full posturing for VPN clients prior to allowing network access. The use case here is we want to allow BYOD-type devices in for VPN (using software clients), but want to allow them to be exempted from ISE posturing requirements. I don't see an easy way to distinguish these device types that cannot use the NAC agent from the OSes that can. Since the MAC address isn't sent to the headend, I can't use any of the traditional DHCP-based profiling criteria. So the net effect is these devices are stuck in the "unknown" posture state and have very limited access. Any way around this catch-22? Incidentally, DHCP profiling is on and working fine for the wireless users on the network, but doesn't help me here since I only know the machines by their MAC address.

    Chris, I ran into the same issue. NetFlow doesn't work, and I used packet captures to see if anything was worthwhile. The only option I see is filing an enhancement request to see if the ASA can send the device platform over to ISE via RADIUS (much like the device sensor feature on IOS).
    I also tried to use a SPAN session, and the catch with it is that the ASA doesn't assign the Calling-Station-Id attribute to the tunnel IP, but the public IP the user is connecting from. So ISE doesn't apply the user agent attributes to the current session.
    I was able to find a way around this by modifying the messaging via root patch to have the users click a link instead of retrying their request when they hit the CPP portal as a mobile device.

  • How to configure router to use ip pool on the aaa server for vpn clients

    How do I configure a router to use an IP pool on the AAA server for VPN clients? I want to use VPN clients to connect to the router, authenticate using the AAA server username database, and also use the IP pool created on the AAA server. I am not able to find the command on the router pointing it to use the pool created on the AAA server. Can someone help me with this command?
    sebastan

    Hello Sebastan,
    What do you use as AAA server (e.g. ACS with TACACS+ or RADIUS)?
    Regards,
    GNT

  • Reserved ip address for vpn client ?

    I need to find a way to have the 10.8 server VPN service give the same IP address when a VPN client connects; is this possible?
    By default, every time a client connects, then disconnects and connects again, they will get the next incremental IP address in the IP address pool set in the VPN server configuration.

    If you eliminate the pool and use just one IP address, technically that should work; however, only one client at a time can connect to the VPN server. Would that work for you?

  • DNS permission denied for vpn clients?

    I have an Xserve set up to allow a client access remotely to a local network via VPN. I'm currently having an issue with the DNS server, however, which is not allowing me to do lookups when connected via the VPN:
    client 10.0.0.130#59551: view com.apple.ServerAdmin.DNS.public: error sending response: permission denied
    The DNS server resolves perfectly fine for physical machines on the local network.

    Have you added the range of VPN-assigned addresses to the list of clients the DNS server will respond to?
    Server Admin -> (server) -> DNS -> Settings -> Accept recursive queries from the following networks
    This will have to include the VPN client address range in order for the DNS server to respond to its queries.
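    As an added illustration, not part of the thread, here is the same change expressed in the BIND configuration that Server Admin's DNS service manages. The view name is the one from the log line above; the address ranges are constructed placeholders and the VPN pool is assumed.

```conf
// Constructed example; replace the ranges with your own LAN and VPN pool.
acl "lan-clients" { 10.0.0.0/24; };
acl "vpn-clients" { 10.0.1.0/24; };   // assumed VPN address pool

view "com.apple.ServerAdmin.DNS.public" {
    // Setting the reply asks about: only the LAN may recurse, so
    // queries from VPN-assigned addresses are refused.
    // allow-recursion { lan-clients; };

    // Corrected: list the VPN pool as well. Keep the list explicit;
    // "any" would make the server an open resolver reachable from the Internet.
    allow-recursion { lan-clients; vpn-clients; };
    allow-query     { lan-clients; vpn-clients; };

    zone "example.internal" {
        type master;
        file "db.example.internal";
    };
};
```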

  • What TCP/UDP ports need to be open for VPN Client version 4.8?

    What TCP/UDP ports need to be open for Cisco VPN Client version 4.8 to work?
    Thanks,

    Normally, you need the following ports and protocols:
    UDP 500
    UDP 4500
    ESP
    In case you are using IPsec over TCP, you have to open TCP port 10000 or any other port you want to use for IPsec connections (it's configurable).
    -Kanishka

  • Smaller MTU for VPN clients?

    I have a 2611 router running 12.3 and have about a dozen users connecting to my LAN via this router (only 1-3 at a time). When I originally was setting this up, a TAC engineer suggested lowering my MTU for performance reasons. Several of my connecting users are experiencing "hangs"; could the MTU be the culprit? What is the syntax to change it, and do I put that on the Virtual-Template, the Ethernet i/f, or the main Serial? Would this affect performance of other traffic?

    This link should help you determine where you want to adjust the MTU and which option will work best for your environment.
    http://www.cisco.com/warp/public/105/pmtud_ipfrag.html

  • NAC VL3 in-band for VPN users Setup

    We have the setup configured as per the sample in-band for VPN clients configuration.
    Currently all our clients authenticate successfully; however, when they open IE, they don't get a NAC Agent page.
    What are some of the places where I should start looking for troubleshooting?
    Thank you,
    Dev

    Multi-hop L3 support for in-band (wired) deployments enables administrators to deploy the Clean Access Server (CAS) in-band centrally (in the core or distribution layer) to support users behind L3 switches (e.g. routed access) and remote users behind VPN concentrators or remote WAN routers. With L3 IB, users more than one L3 hop away from the CAS are supported and their traffic always goes through Cisco NAC Appliance.
    Make sure of the compatibility below.
    ActiveX/Java Applet and Browser Compatibility
    • ActiveX is supported on IE 6.0 for Windows XP and Windows 2000 systems.
    • IE 7.0 Beta is not supported when the Clean Access Agent is installed. For the Agent to login and perform other operations, users must uninstall IE 7.0 Beta 2.
    • Java applets are supported for major browsers including Safari 1.2+, Mozilla (Camino, Opera), and Internet Explorer on Windows XP, Windows 2000, Mac OS X, and Linux operating systems.
    • Due to Firefox issues with Java, Java applets are not supported for Firefox on Mac OS X.
    For further information, click this link:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/411/cas411/s_L3oob.html

  • No documentation for ver. 5 VPN clients

    Hi,
    Why does it seem that there is no documentation on the Cisco site for VPN clients past version 4.6? There are release notes, but no user guides. We recently purchased an ASA, but the CD that came with it had old client versions.
    Thanks,
    - Steve

    Steve,
    Yes, you are correct. There is no new documentation for the 4.8, 4.9 and 5.0.00.0340 releases other than the text release notes posted with the VPN Client.
    The reason is that, other than new features to support some newer OSes (Vista 32-bit), etc., the configuration steps between 4.6 and 5.0 are the same. So you should be good to go with the configuration guide from 4.6. If this is a new deployment of VPN Client, I would go through the release notes in detail and be aware of any known issues that may impact your network.
    Regards,
    Arul
    ** Please rate if it helps **

  • VPN Client Tunnel Connection Pix506E

    Situation: Trying to connect to a PIX 506E for a VPN client tunnel. The tunnel shows the following when using the sho isa sa command:
    qm_idle 0 0 
    then after about 3-4 minutes the client workstation receives the error: Reason 412: the remote peer is no longer responding.
    The same workstation on the same Internet connection from the home office is able to connect to an ASA 5505 VPN client with no problems.
    I have enabled NAT traversal on the PIX 506E and tried several options on the client side.
    The PIX 506E also has site-to-site VPN tunnels that are working without any problems.
    PIX software version: 6.3.5
    Any ideas?

    Try to connect from a different Internet connection and see if you are having the same issue.
    Also, turn on the logs on the VPN client and see why it's failing.

  • Windows VPN clients can't use network servers after 10.5.1 upgrade

    We have two Xserves, both formerly running 10.4.11. One is the OD master, the other a replica. The replica is also the VPN server, and is a DHCP server for the small number of IP addresses reserved for VPN clients.
    The OD master upgrade went fine. I completely reinstalled the OD replica, set the replica up again, and set up the VPN server. It supports L2TP/IPsec connections only.
    After the upgrade, Mac users running Tiger or Leopard can connect to the VPN server and connect to network services without any problems. Windows users can connect, but cannot actually USE anything on my office network. For example, if you try to connect to a web server either by fully qualified domain name or by hostname, the connection from the browser simply times out.
    In the Windows command line I can verify that I have an active connection by pinging and using the tracert command (equivalent of traceroute on UNIX). Hostname resolution works, too. But nothing happens when you try to open a web browser, which is mostly what my users need to do.
    It doesn't matter whether you're logging in with an OD user account or a local account defined solely on the VPN server. Same behavior in Windows.
    I had to take an older XServe running 10.4.11 out of our data center, move it to the office, and set it up on the same external network connection. 10.4.11 server works, 10.5.1 doesn't, from the same Windows client, set up exactly the same way.
    I've been through the hoops with Apple Enterprise support, who now tell me that Engineering kicked it back to them and told them they'd charge me $695 to get it fixed, because it's ostensibly custom configuration work. If that's true, why is Windows XP listed under L2TP/IPSec support on page 127 of the Leopard Network Services Admin guide? I don't want a custom fix, I just want it to work the way it's supposed to work. Or I want Apple to retract the claim that OS X Server is the best workgroup server solution for Macs and Windows.
    Anyone else encounter this problem or know of a fix?

    Had the same problems; started after I tried out the firewall in Leopard Server.
    Seems that not all settings are reset even after turning the firewall off.
    To reset the firewall to its default setting:
    1. Disconnect the server from the Internet.
    2. Restart the server in single-user mode by holding down the Command-S keys during startup.
    3. Remove or rename the address groups file found at /etc/ipfilter/ipaddressgroups.plist.
    4. Remove or rename the ipfw configuration file found at /etc/ipfilter/ipfw.conf.
    5. Force-flush the firewall rules by entering the following in Terminal:
    $ ipfw -f flush
    6. Edit the /etc/hostconfig file and set IPFILTER=-YES-.
    7. Complete the startup sequence in the login window by entering exit. The computer starts up with the default firewall rules and firewall enabled. Use Server Admin to refine the firewall configuration.
    8. Log in to your server's local administrator account to confirm that the firewall is restored to its default configuration.
    9. Reconnect your host to the Internet.
    This solved the problem for me...

  • VPN Client cannot access Internet

    I am currently using a PIX 501 and a VPN 3000. Everything is running fine except that VPN clients cannot access the Internet after they have logged in via Cisco Systems VPN Client. I can't find any solution to this problem and am really lost. This is a very important task assigned to me.
    Hope someone can help me ASAP.
    Thank you

    You need to enable split tunneling. This link is for VPN client to router. The same equivalent config may apply to a PIX as well.
    http://www.cisco.com/application/pdf/en/us/guest/products/ps6659/c1650/cdccont_0900aecd80313bf8.pdf

  • Access Site to Site Networks behind Cisco ASA thru VPN Client

    I have configured remote access through the ASA for VPN clients to our main network. I can ping the required networks from the VPN client. Internally I can ping the remote network through our SonicWall site-to-site VPN. I however cannot ping the remote network from the VPN client. I've added the network in the configuration on the ASA that I am trying to connect to. Any ideas what I can do so I can connect to Site B through my VPN client connecting to Site A?
    Thanks,
    Matt

    Hello, matt0000111111.
    Did you add the VPN clients network to the site-to-site VPN settings and to the NAT list (if NAT exists on the interfaces of the site-to-site VPN)?

  • RV042 VPN Client Access not able to connect two users at same time

    I have an RV042 and have set it up for VPN Client access using the QuickVPN client to connect my remote users. I discovered today that I cannot have two users connect at the same time. Both users are in the same remote office. They can connect individually with no problem, but if one is connected and the other tries to connect also, the second user gets a message that the gateway is not responding. They are both running WinXP Pro SP3. Any help is greatly appreciated.

    Were your QuickVPN clients behind a firewall router of some sort? For multiple QuickVPN clients to be able to connect to the remote RV042 at the same time, the local firewall router must have VPN Passthrough correctly implemented. You could try using an RV042 as the firewall router for your QuickVPN clients, and you should be able to maintain 2 tunnels at the same time to the remote RV042.

  • Win 7 VPN Client 5.0.07 no longer works properly with Citrix DNE Update

    Since Cisco Systems VPN Client does not work properly with mobile broadband on Windows 7, we've been successfully using Citrix's DNE Update to fix this for about 6 months. All of a sudden, machines with the DNE Update stopped working properly over VPN (whether using mobile broadband or not). The only fix is to unbind the DNE Lightweight driver from your network adapters, uninstall the DNE Update and reinstall the VPN Client. However, then you cannot use an aircard with VPN as the DNE Update was the fix.
    Symptoms of the VPN issues with DNE Update:
    -web pages displaying garbled
    -internal web pages not rendering at all
    -remote connectivity not working (VNC)
    -RDP connects then crashes with data encryption errors
    The only change that I can identify on our machines and in our environment would be Windows updates, but I've been unable to identify which one might have caused the problem.
    Has anyone encountered this issue and found a fix? Does anyone know of another reliable fix for VPN Client to work with Windows 7 and aircards?
    We're looking at moving to another VPN solution but that will take time and we need a more immediate solution.
    Thanks in advance for your help.
    Tony

    Hi Prapanch,
    No offence, but you need to read the complete thread before posting re: IP address & gateway.
    I'm not posting the head-end config because the config works with XP.
    There are no W7-specific parameters with ASA 8.3(2).
    Multiple W7 machines have been used to test this.
    We are looking at extracting level 15 logs from the client end; I will post if they don't give an obvious answer.
    TAC is still not able to resolve this.
    Rgds
    Barry
