Posture validation of RemoteAccess VPN users

Similar Messages

• Posture validation in SOHO - Extended wireless from corporate

  Hi,
  I have a customer moving from Cisco NAC based solution to Cisco ISE.  NAC should be provided to wireless and the SOHO users(wireless).  We implemented airspace ACL on the Cisco ISE, which will push the ACL to wireless Aps(flexconnect acl) based on the posture validation. If the posture validation fails, ACL specific to a particular end point will be pushed into AP.
   However, the same airspace ACL is not working on the VPN routers(800 series). VPN routers integrated wireless solution doesn’t understand the airspace ACL av:pair and don’t think we can configure flexconnect ACLs on the SOHO routers. Do you think of anyother idea where we can enforce the ACL based on the posture validation?. Downloadable acl works on an interface. I don’t think it can be enforced on per-user basis.
  Is there any way to push the ACL? Do posture validation & remediate the end point with limited access?
  Pardon me for my gmail account. I  havnt received the BT id yet.
  Thanks,
  Ramesh

  Had a similar problem where I wasn't exactly sure how to setup the provisioning part of the flow. I was pretty sure I had all the rules in place.
  I found an excellent Cisco TAC guide here which details setting up Anyconnect for the posture assessment. They include a part to say here's where you put in the NAM or/and VPN settings but you dont' need to. In fact if you do wish to load some you need to use Ciscos standalone NAM Profile Editor.
  Hope the TAC article helps you out, it got me to understand the process of what was happening for client provisioning.

• External posture validation server LanDesk vs. ACS

  Hi,
  I want you to ask wheather somebody has same problem as me and how did you solve it.
  I want to validate security of hosts with LANDesk® Security Suite 8.7 in cooperation with ACS. My problem seems to be in comunication between ACS and LanDesk validation server. Landesk server in log says that no scan has been made on the host. But when i dont forward LanDesk credentials to LanDesk and I Validate them on ACS, it works. I mean ACS can determine whether the scan has been made and with which result.
  So I think problem isn't in CTA or LanDesk host agent(when they send right credentials). It seems to be somewhere between ACS and LD server.
  Didn't you have similar problem?
  p.s. I have been imported LanDesk plugins into CTA and attributes definition file into ACS. But I am not sure if the External posture validation setup in URL field should be "http://ip.a.d.d:12576/pvs.exe" which i found in LD documentation. In google i found another URL "http://ip.a.d.d:12576/avp.exe". None of them works properly. And on LD server isn't such a file.
  Thans for help
  Daniel Sebek

  Hello,
  NAC Appliance:
  • Offers Authentication, Authorization and Remediation
  • Covers Wireless, VPN and LAN.
  • Only can be used as an appliance. No virtualize offerings. For small locations which ISR routers, a 50 and 100 user module is available.
  • Licensed by user count matching and applied to the corresponding enforcement server. Users bundles are 50, 100, 250, 500, 1500, 2500, 3500 and 5000.
  • Uses SNMP V1,2 and 3 or can be in-band / bump in the wire.
  • Can leverage Cisco Profiler or whitelist non-NAC capable devices.
  • Cisco enforcement appliances can provide collecting abilities for Cisco Profiler with an additional license.
  • Can Leverage Cisco Guest server for advance guest access.
  • Comes in HP or IBM appliance formats.
  • IBM appliances are 3315, 3355 and 3395 appliances. They can support ISE
  • HP appliances are 3310, 3350 and 3390 appliances. They cannot support ISE
  ACS 5.X:
  • Offers 802.1x NAC features and device management (TACACS/RADIUS).
  • Can be an appliance or Vmware. Appliances that are IBM hardware can support ISE. VMware can be migrated to ISE for an additional cost.
  • Provides Authentication and Authorization. Does not offer remediation.
  • Requires switches that support 802.1x COA as specified on cisco.com/go/acs to function as the enforcement agent. ACS alone cannot offer access control.
  • 802.1x NAC features do not require additional licenses for up to 500 users/devices. To scale beyond 500 users/devices, an additional large deployment license is required.

• ACS / NAC phase 2 / posture validation with symantec AV

  Hi,
  We encounter problem to implement NAC phase 2 with symantec.
  ACS is an appliance one, version 4.0
  We?ve installed the Symantec AV pair on the ACS : that?OK.
  The following softwares are installed on the client PC:
  - Cisco CTA : ctasetup-win-2.0.1.14.exe
  - Aegis SecureConnect 2KXP-4_0_4.msi
  - Symantec client security posture plug-in.msi together with the associated setup.exe
  Moreover, client PC is configured to use EAP-FAST with mschapv2.
  We?ve defined an internal posture validation on the ACS.
  The first rule of this posture is performed on the following Symantec AV pair: Symantec:AV:Dat-Date days-since-lastupdate.
  When the first rule of this posture matches, then the posture token associated (radius authorization component) doesn?t return the associated vlan, so the user must be placed into the vlan associated by default on the port.
  The default rule is associated with another authorization component that returns the quarantine vlan.
  Problem is that we don?t manage to match on this posture.
  It?s as if the client doesn?t send the parameters.
  Logs on the ACS indicates the following:
  - message type : authen failed
  - authen failure code : posture validation failure (general)
  - eap type name : EAP-FAST
  - reason: no matched required credential types in any posture validation rule
  - cisco:PA:OS-type : OK, well retrieved (windows XP professional)
  - cisco:Host:ServicePack: OK, well retrieved (service pack 2)
  - but none of the Symantec AV could be retrieved.
  Symantec indicated to us that their AV server isn?t yet compatible witch ACS.
  So external posture validation isn?t possible in our case.
  Only internal posture validation should work.
  But no way to retrieve Symantec information from CTA.
  Thanks in advance for your attention.
  Best Regards,
  Arnaud

  Hi.
  Please examine the following directory of client pc. Is Plugins File of Symantec installed?
  \Program Files\Common Files\PostureAgent\Plugins
  \Program Files\Common Files\PostureAgent\Plugins\Install
  Plugin Installation and Upgrade
  Each NAC-compliant application is responsible for installing its own posture plugin on end systems.
  Plugins for Windows environments are installed in this directory:
  \Program Files\Common Files\PostureAgent\Plugins\Install
  When CTA receives a posture request, it scans the PostureAgnt\Plugins\Install directory for new or updated posture plugins. If there are new or updated posture plugins in the PostureAgnt\Plugins\Install directory, CTA performs one of the following actions:
  " If the .dll plugin does not exist in the PostureAgent\Plugins directory, CTA moves the plugin files from the PostureAgent\Plugins\Install directory to the PostureAgent\Plugins directory.
  " If the .dll plugins does exist in the PostureAgent\Plugins directory, then CTA checks to see if the plugin, in the PostureAgent\Plugins\Install directory, is newer than the one in the Plugins directory. CTA then moves the newer plugin to the PostureAgent\Plugins directory and overwrites the older one. If the plugin in the PostureAgent\Plugins\Install directory is older than the one in the Plugins directory, CTA deletes it, and continues to use the original plugin.
  " If the plugin creates an error during registration, CTA moves the plugin to the following directory (if the logging is enabled, the error information is logged):
  http://www.cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870db.html
  best regards,
  sahase

• Routing issue for remote vpn user and spoke

  Hi all,
  i have configure VPN (see attached file)
  before upgrading ASA from 8.3 to 8.4,  SPOKES was able to communicate between them and  also remote VPN users was able to access spoke site.
  after upgrade  ASA HUB, neither spoke-to-spoke  nor remoteuser---to---spoke cannot communicate
  here is NAT exemption configuration on ASA HUB.  only this ASA have been upgrade. nothing have been done on other site
  object network 172.17.8.0
  subnet 172.17.8.0 255.255.255.0
  object network 10.100.96.0
  subnet 10.100.96.0 255.255.240.0
  object network VPN-SUBNET
  subnet 172.20.1.0 255.255.255.0
  nat (outside,outside) source static 172.17.8.0 172.17.8.0 destination static 10.100.96.0 10.100.96.0
  nat (outside,outside) source static 10.100.96.0 10.100.96.0 destination static 172.17.8.0 172.17.8.0
  nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 10.100.96.0 10.100.96.0
  nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 172.17.8.0 172.17.8.0
  same-security traffic permit intra-interface
  same-security traffic permit inter-interface
  Please do you know what can be the problem ?
  thanks so much for your help

  Since you are not NATing any of those traffic and it's a u-turn traffic, pls remove those 4 NAT statements. They are not required at all.
  Pls "clear xlate" after removing it and let us know how it goes.

• ASA 5505 Anyconnect VPN Users can't access Internet

  Vpn user cannot access the internet but able to ping the lan network (192.168.1.0).. it seem like im missing a lan or nat rule.. Possibly allowing the vpn subnet 192.168.2.0 /24 to pass through to the internet.  Im looking to accomplish this without split tunneling.. Thanks

  on 8.2.5 version or lower:  Let say your inside hosts are accessing Internet by using dynamic nat index "1" and now you can use the same nat index "1" allow your vpn-pool range to be part of the same dynamic-nat index "1" to access the Internet.  Note I am natting source interface is be outside for vpn-client users because they (vpn-users) are physically coming off the outside interface.
  nat (outside) 1 192.168.2.0 255.255.255.0
  on 8.3 version or greater:  
  object network vpn-user-subnet
   subnet 192.168.2.0 255.255.255.0
   nat (outside,outside) dynamic interface
  Hope this helps.
  Thanks
  Rizwan Rafeek

• Remote Access VPN Users with CX Active Authentication.

  I have ASA 5515 with CX for webfiltering , also have enabled remote access vpn . All my inside users are able to get active and passive authentication correctly . But for remote access VPN users , they are redirected to ASA external ip and CX authentication port 9000 but a blank page comes in and there is no prompt for authentication. I wasnt doing split tunneling , but now i have excluded ASA WAN ip from the tunnel and still have the same issue.
  The CX version we have is 9.3.1.1

  Have you excluded the VPN traffic from being NATed when traffic is going between clients?
  Please post a full sanitised configuration of the router so we can check it for configuration issues.
  Please remember to select a correct answer and rate helpful posts

• Problem: More than one VPN user at a time - Airport Extreme Base Station

  Hey Folks,
  Myself and my girlfriend both have work laptop PCs. It appears that the AEBS only allows one VPN user at a time. When a new user is logging in, it will kick out the other user.
  Is there a setting on the AEBS that will allow more than one VPN user? Is it a firewall setting?
  Thanks for your help.

  It may the the firmware. 7.3.1. does seem as friendly to some VPNs as 7.2.1. where we had no problem running two VPNs. You could consider switching back to 7.2.1.
  d

• Regd : How to find Validity date for a user in central user system

  Hi Experts;
  I want to get the list of users with profile SAP_ALL  with following details like validity ,user type ,user name ,user id..
  I can get through SUIM for each individual systems.Its very difficult to login to each system ,generate the report.So I prefered to go for Central system
  But if I use central user system I have no option to find validity and user type for the system ( SUIM - > Cross system application )
  I have also tried to the table USRO2 ( which gives only the list of users in the central system )
  So is there any possible ways to find the Users with profile SAP _ALL with validity date in the central user system. So that I can easily generate it as one report instead of logging to each and every system
  Regards
  Sanjeev.S

  Hi Ruchit
  Thanks for your reply. I want to find the validity date of all users having SAP_ALL
  profile of all child system connected through central user system .So it is possible
  to do that in Centrals System by executing the report?
  If I execute that report in Central user system will it give the details of all child
  system connected to central system
  I think it will give only the result of Central system and not the child system connected to Central system.Please clarify me.
  I can execute the report by logging to each child system ,but it takes very long hours for me since there are many system in my landscape.
  Awaiting for your reply.'
  Thanks
  Sanjeev.S

• What are the best practices to migrate VPN users for Inter forest mgration?

  What are the best practices to migrate VPN users for Inter forest mgration?

  It depends on a various factors. There is no "generic" solution or best practice recommendation. Which migration tool are you planning to use?
  Quest (QMM) has a VPN migration solution/tool.
  ADMT - you can develop your own service based solution if required. I believe it was mentioned in my blog post.
  Santhosh Sivarajan | Houston, TX | www.sivarajan.com
  ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
  Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
  Blogs: Blogs
  Twitter: Twitter
  LinkedIn: LinkedIn
  Facebook: Facebook
  Microsoft Virtual Academy:
  Microsoft Virtual Academy
  This posting is provided AS IS with no warranties, and confers no rights.

• VPN users unable to access internal network - ASA 8.3.1

  Hello,
  I have a base config of AnyConnect VPN below, however the ASA 8.3.1 code has deprecated some commands and the VPN/NAT/FW rule syntax is quite different. Can someone point out what's missing from the pertinent config below that prevents the VPN Pool from accessing the internal LAN?
  The Core LAN router is 1.2.3.1.
  ASA Version 8.3(1)
  interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 1.2.3.2 255.255.255.0
  ip local pool anyconnect-vpn-pool 1.2.9.10-1.2.9.20 mask 255.255.255.0
  object network DataVLAN
  subnet 1.2.3.0 255.255.255.0
  object-group network Internal-Data
  network-object object DataVLAN
  nat (any,any) after-auto source dynamic Internal-Data Outside_INT
  route inside 1.2.0.0 255.255.0.0 1.2.3.1 1
  dynamic-access-policy-record DfltAccessPolicy
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  svc enable
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  address-pools value anyconnect-vpn-pool
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  address-pools value anyconnect-vpn-pool
  group-policy vpn-anyconnecct-policy internal
  group-policy vpn-anyconnecct-policy attributes
  vpn-tunnel-protocol svc webvpn
  webvpn
    url-list none
    svc ask enable
  tunnel-group vpn-users type remote-access
  tunnel-group vpn-users general-attributes
  address-pool anyconnect-vpn-pool
  default-group-policy vpn-anyconnecct-policy
  tunnel-group anyconnect2 type remote-access
  tunnel-group anyconnect2 general-attributes
  address-pool anyconnect-vpn-pool
  TIA.
  Mike

  Hi Rohan,
  Are you saying to replace "nat (any,any)" with "nat (inside,outside)"? I was wondering about this because I'd always done "nat (inside,outside)" but a colleague had performed the initial configuration which already contained "nat (any,any)" statement and I was not sure if this was just something new in 8.3.1. I also noticed the "global" command is no longer available.
  I will give this a try. Thanks.
  -Mike

• L2TP and fixed Framed IP Address for VPN user

  Hi,
  I have a running L2TP/IPsec VPN setup with authentification against a radius server (freeradius2 witch mysql). I would like to have some of my VPN users get a fixed IP address instead of the dynamically assigned IP Pool.
  The radius server is returning the correct parameters, I think.
  I hope someone can help me.
  It´s a Cisco 892 Integrated Service Router.
  Router Config:
  =============================================================
  Current configuration : 8239 bytes
  ! Last configuration change at 10:44:26 CEST Fri Mar 30 2012 by root
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  service internal
  hostname vpngw2
  boot-start-marker
  boot config usbflash0:CVO-BOOT.CFG
  boot-end-marker
  logging buffered 51200 warnings
  enable secret 5 secret
  aaa new-model
  aaa authentication login default local group radius
  aaa authentication login userauthen local group radius
  aaa authentication ppp default group radius local
  aaa authorization exec default local
  aaa authorization network groupauthor local
  aaa accounting delay-start
  aaa accounting update newinfo
  aaa accounting exec default
  action-type start-stop
  group radius
  aaa accounting network default
  action-type start-stop
  group radius
  aaa accounting resource default
  action-type start-stop
  group radius
  aaa session-id common
  clock timezone CET 1 0
  clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
  ip domain name aspect-online.de
  ip name-server 10.28.1.31
  ip inspect WAAS flush-timeout 10
  ip inspect name DEFAULT100 ftp
  ip inspect name DEFAULT100 h323
  ip inspect name DEFAULT100 icmp
  ip inspect name DEFAULT100 netshow
  ip inspect name DEFAULT100 rcmd
  ip inspect name DEFAULT100 realaudio
  ip inspect name DEFAULT100 rtsp
  ip inspect name DEFAULT100 esmtp
  ip inspect name DEFAULT100 sqlnet
  ip inspect name DEFAULT100 streamworks
  ip inspect name DEFAULT100 tftp
  ip inspect name DEFAULT100 tcp
  ip inspect name DEFAULT100 udp
  ip inspect name DEFAULT100 vdolive
  ip cef
  no ipv6 cef
  virtual-profile if-needed
  multilink bundle-name authenticated
  async-bootp dns-server 10.28.1.31
  async-bootp nbns-server 10.28.1.31
  vpdn enable
  vpdn authen-before-forward
  vpdn authorize directed-request
  vpdn-group L2TP
  ! Default L2TP VPDN group
  accept-dialin
    protocol l2tp
    virtual-template 1
  no l2tp tunnel authentication
  license udi pid -K9 sn FCZ
  username root password 7 secret
  ip ssh source-interface FastEthernet8
  ip ssh version 2
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  lifetime 3600
  crypto isakmp key mykey address 0.0.0.0         no-xauth
  crypto ipsec transform-set configl2tp esp-3des esp-sha-hmac
  mode transport
  crypto dynamic-map config-map-l2tp 10
  set nat demux
  set transform-set configl2tp
  crypto map vpnl2tp 10 ipsec-isakmp dynamic config-map-l2tp
  interface BRI0
  no ip address
  encapsulation hdlc
  shutdown
  isdn termination multidrop
  interface FastEthernet0
  no ip address
  spanning-tree portfast
  interface FastEthernet1
  no ip address
  spanning-tree portfast
  <snip>
  interface FastEthernet7
  no ip address
  spanning-tree portfast
  interface FastEthernet8
  ip address 10.28.1.97 255.255.255.0
  ip access-group vpn_to_lan out
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface Virtual-Template1
  ip unnumbered GigabitEthernet0
  ip access-group vpn_to_inet_lan in
  ip nat inside
  ip virtual-reassembly in
  peer default ip address pool l2tpvpnpool
  ppp encrypt mppe 128
  ppp authentication chap
  interface GigabitEthernet0
  description WAN Port
  ip address x.x.x.39 255.255.255.0
  ip access-group from_inet in
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map vpnl2tp
  interface Vlan1
  no ip address
  shutdown
  ip local pool l2tpvpnpool 192.168.252.3 192.168.252.199
  ip local pool remotepool 192.168.252.240 192.168.252.243
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip nat log translations syslog
  ip nat inside source route-map natmap interface GigabitEthernet0 overload
  ip route 0.0.0.0 0.0.0.0 x.x.x.33
  ip access-list extended from_inet
  <snip>
  ip access-list extended nat_clients
  permit ip 192.168.252.0 0.0.0.255 any
  ip access-list extended vpn_to_inet_lan
  <snip>
  ip access-list extended vpn_to_lan
  <snip>
  deny   ip any any log-input
  logging trap debugging
  logging facility local2
  logging 10.28.1.42
  no cdp run
  route-map natmap permit 10
  match ip address nat_clients
  radius-server attribute 8 include-in-access-req
  radius-server host 10.27.1.228 auth-port 1812 acct-port 1813
  radius-server key 7 mykey
  radius-server vsa send accounting
  radius-server vsa send authentication
  control-plane
  mgcp profile default
  banner login ^C
  Hostname: vpngw2
  Model: Cisco 892 Integrated Service Router
  Description: L2TP/IPsec VPN Gateway with Radius Auth
  ^C
  line con 0
  line aux 0
  line vty 0 4
  access-class 23 in
  privilege level 15
  transport input telnet ssh
  line vty 5 15
  access-class 23 in
  privilege level 15
  transport input telnet ssh
  =============================================================
  User Config in Radius (tying multiple attributes):
  =============================================================
  Attribute          | op | Value
  Service-Type       | =  | Framed-User
  Cisco-AVPair       | =  | vpdn:ip-addresses=192.168.252.220
  Framed-IP-Address  | := | 192.168.252.221
  Cisco-AVPair       | =  | ip:addr-pool=remotepool
  =============================================================
  Debug Log from freeradius2:
  =============================================================
  rad_recv: Access-Request packet from host 10.28.1.97 port 1645, id=7, length=100
          Framed-Protocol = PPP
          User-Name = "me1"
          CHAP-Password = 0x01b8b897de00317a75c68ee9ce473cf8b8
          Connect-Info = "100000000"
          NAS-Port-Type = Sync
          NAS-Port = 10007
          NAS-Port-Id = "Uniq-Sess-ID7"
          Service-Type = Framed-User
          NAS-IP-Address = 10.28.1.97
  # Executing section authorize from file /etc/raddb/sites-enabled/default
  +- entering group authorize {...}
  ++[preprocess] returns ok
  [chap] Setting 'Auth-Type := CHAP'
  ++[chap] returns ok
  ++[mschap] returns noop
  ++[digest] returns noop
  [suffix] No '@' in User-Name = "me1", looking up realm NULL
  [suffix] No such realm "NULL"
  ++[suffix] returns noop
  [eap] No EAP-Message, not doing EAP
  ++[eap] returns noop
  [files] users: Matched entry DEFAULT at line 172
  ++[files] returns ok
  [sql]   expand: %{User-Name} -> me1
  [sql] sql_set_user escaped user --> 'me1'
  rlm_sql (sql): Reserving sql socket id: 4
  [sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'me1'           ORDER BY id
  [sql] User found in radcheck table
  [sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'me1'           ORDER BY id
  [sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'me1'           ORDER BY priority
  rlm_sql (sql): Released sql socket id: 4
  ++[sql] returns ok
  ++[expiration] returns noop
  ++[logintime] returns noop
  [pap] WARNING: Auth-Type already set.  Not setting to PAP
  ++[pap] returns noop
  Found Auth-Type = CHAP
  # Executing group from file /etc/raddb/sites-enabled/default
  +- entering group CHAP {...}
  [chap] login attempt by "me1" with CHAP password
  [chap] Using clear text password "test" for user me1 authentication.
  [chap] chap user me1 authenticated succesfully
  ++[chap] returns ok
  Login OK: [me1/<CHAP-Password>] (from client vpngw2 port 10007)
  # Executing section post-auth from file /etc/raddb/sites-enabled/default
  +- entering group post-auth {...}
  ++[exec] returns noop
  Sending Access-Accept of id 7 to 10.28.1.97 port 1645
          Framed-Protocol = PPP
          Framed-Compression = Van-Jacobson-TCP-IP
          Framed-IP-Address := 192.168.252.221
          Cisco-AVPair = "vpdn:ip-addresses=192.168.252.220"
          Service-Type = Framed-User
  Finished request 0.
  Going to the next request
  Waking up in 4.9 seconds.
  rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=19, length=213
          Acct-Session-Id = "00000011"
          Tunnel-Type:0 = L2TP
          Tunnel-Medium-Type:0 = IPv4
          Tunnel-Server-Endpoint:0 = "x.x.x.39"
          Tunnel-Client-Endpoint:0 = "x.x.x.34"
          Tunnel-Assignment-Id:0 = "L2TP"
          Tunnel-Client-Auth-Id:0 = "me1"
          Tunnel-Server-Auth-Id:0 = "vpngw2"
          Framed-Protocol = PPP
          Framed-IP-Address = 192.168.252.9
          User-Name = "me1"
          Cisco-AVPair = "connect-progress=LAN Ses Up"
          Acct-Authentic = RADIUS
          Acct-Status-Type = Start
          Connect-Info = "100000000"
          NAS-Port-Type = Sync
          NAS-Port = 10007
          NAS-Port-Id = "Uniq-Sess-ID7"
          Service-Type = Framed-User
          NAS-IP-Address = 10.28.1.97
          Acct-Delay-Time = 0
  # Executing section preacct from file /etc/raddb/sites-enabled/default
  +- entering group preacct {...}
  ++[preprocess] returns ok
  [acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
  [acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
  ++[acct_unique] returns ok
  [suffix] No '@' in User-Name = "me1", looking up realm NULL
  [suffix] No such realm "NULL"
  ++[suffix] returns noop
  ++[files] returns noop
  # Executing section accounting from file /etc/raddb/sites-enabled/default
  +- entering group accounting {...}
  [detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
  [detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
  [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
  [detail]        expand: %t -> Fri Mar 30 11:20:07 2012
  ++[detail] returns ok
  ++[unix] returns ok
  [radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
  [radutmp]       expand: %{User-Name} -> me1
  ++[radutmp] returns ok
  [sql]   expand: %{User-Name} -> me1
  [sql] sql_set_user escaped user --> 'me1'
  [sql]   expand: %{Acct-Delay-Time} -> 0
  [sql]   expand:            INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
  rlm_sql (sql): Reserving sql socket id: 3
  rlm_sql (sql): Released sql socket id: 3
  ++[sql] returns ok
  ++[exec] returns noop
  [attr_filter.accounting_response]       expand: %{User-Name} -> me1
  attr_filter: Matched entry DEFAULT at line 12
  ++[attr_filter.accounting_response] returns updated
  Sending Accounting-Response of id 19 to 10.28.1.97 port 1646
  Finished request 1.
  Cleaning up request 1 ID 19 with timestamp +53
  Going to the next request
  Waking up in 4.9 seconds.
  rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=20, length=407
          Acct-Session-Id = "00000011"
          Tunnel-Type:0 = L2TP
          Tunnel-Medium-Type:0 = IPv4
          Tunnel-Server-Endpoint:0 = "x.x.x.39"
          Tunnel-Client-Endpoint:0 = "x.x.x.34"
          Tunnel-Assignment-Id:0 = "L2TP"
          Tunnel-Client-Auth-Id:0 = "me1"
          Tunnel-Server-Auth-Id:0 = "vpngw2"
          Framed-Protocol = PPP
          Framed-IP-Address = 192.168.252.9
          Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
          User-Name = "me1"
          Acct-Authentic = RADIUS
          Cisco-AVPair = "connect-progress=LAN Ses Up"
          Cisco-AVPair = "nas-tx-speed=100000000"
          Cisco-AVPair = "nas-rx-speed=100000000"
          Acct-Session-Time = 5
          Acct-Input-Octets = 5980
          Acct-Output-Octets = 120
          Acct-Input-Packets = 47
          Acct-Output-Packets = 11
          Acct-Terminate-Cause = User-Request
          Cisco-AVPair = "disc-cause-ext=PPP Receive Term"
          Acct-Status-Type = Stop
          Connect-Info = "100000000"
          NAS-Port-Type = Sync
          NAS-Port = 10007
          NAS-Port-Id = "Uniq-Sess-ID7"
          Service-Type = Framed-User
          NAS-IP-Address = 10.28.1.97
          Acct-Delay-Time = 0
  # Executing section preacct from file /etc/raddb/sites-enabled/default
  +- entering group preacct {...}
  ++[preprocess] returns ok
  [acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
  [acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
  ++[acct_unique] returns ok
  [suffix] No '@' in User-Name = "me1", looking up realm NULL
  [suffix] No such realm "NULL"
  ++[suffix] returns noop
  ++[files] returns noop
  # Executing section accounting from file /etc/raddb/sites-enabled/default
  +- entering group accounting {...}
  [detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
  [detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
  [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
  [detail]        expand: %t -> Fri Mar 30 11:20:12 2012
  ++[detail] returns ok
  ++[unix] returns ok
  [radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
  [radutmp]       expand: %{User-Name} -> me1
  ++[radutmp] returns ok
  [sql]   expand: %{User-Name} -> me1
  [sql] sql_set_user escaped user --> 'me1'
  [sql]   expand: %{Acct-Input-Gigawords} ->
  [sql]   ... expanding second conditional
  [sql]   expand: %{Acct-Input-Octets} -> 5980
  [sql]   expand: %{Acct-Output-Gigawords} ->
  [sql]   ... expanding second conditional
  [sql]   expand: %{Acct-Output-Octets} -> 120
  [sql]   expand: %{Acct-Delay-Time} -> 0
  [sql]   expand:            UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}' ->            UPDATE radacct SET              acctstoptime       = '2012-03-30 11:20:12',              acctsessiontime    = '5',              acctinputoctets    = '0' << 32 |                                   '5980',              acctoutputoctets   = '0' << 32 |
  rlm_sql (sql): Reserving sql socket id: 2
  rlm_sql (sql): Released sql socket id: 2
  ++[sql] returns ok
  ++[exec] returns noop
  [attr_filter.accounting_response]       expand: %{User-Name} -> me1
  attr_filter: Matched entry DEFAULT at line 12
  ++[attr_filter.accounting_response] returns updated
  Sending Accounting-Response of id 20 to 10.28.1.97 port 1646
  Finished request 2.
  Cleaning up request 2 ID 20 with timestamp +58
  Going to the next request
  Waking up in 0.1 seconds.
  Cleaning up request 0 ID 7 with timestamp +53
  Ready to process requests.
  =============================================================
  Log From Cisco Router:
  =============================================================
  Mar 30 11:20:07 vpngw2 1217: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015):Orig. component type = VPDN
  Mar 30 11:20:07 vpngw2 1218: Mar 30 09:21:51.414: RADIUS: DSL line rate attributes successfully added
  Mar 30 11:20:07 vpngw2 1219: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IP: 0.0.0.0
  Mar 30 11:20:07 vpngw2 1220: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IPv6: ::
  Mar 30 11:20:07 vpngw2 1221: Mar 30 09:21:51.414: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
  Mar 30 11:20:07 vpngw2 1222: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015): acct_session_id: 17
  Mar 30 11:20:07 vpngw2 1223: Mar 30 09:21:51.414: RADIUS(00000015): sending
  Mar 30 11:20:07 vpngw2 1224: Mar 30 09:21:51.418: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
  Mar 30 11:20:07 vpngw2 1225: Mar 30 09:21:51.418: RADIUS(00000015): Send Access-Request to 10.27.1.228:1812 id 1645/7, len 100
  Mar 30 11:20:07 vpngw2 1226: Mar 30 09:21:51.418: RADIUS:  authenticator DE 5F 2E 3E EF BF 50 F4 - 49 C3 4F BE 1A 66 72 22
  Mar 30 11:20:07 vpngw2 1227: Mar 30 09:21:51.418: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
  Mar 30 11:20:07 vpngw2 1228: Mar 30 09:21:51.418: RADIUS:  User-Name           [1]   5   "me1"
  Mar 30 11:20:07 vpngw2 1229: Mar 30 09:21:51.418: RADIUS:  CHAP-Password       [3]   19  *
  Mar 30 11:20:07 vpngw2 1230: Mar 30 09:21:51.418: RADIUS:  Connect-Info        [77]  11  "100000000"
  Mar 30 11:20:07 vpngw2 1231: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
  Mar 30 11:20:07 vpngw2 1232: Mar 30 09:21:51.418: RADIUS:  NAS-Port            [5]   6   10007
  Mar 30 11:20:07 vpngw2 1233: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
  Mar 30 11:20:07 vpngw2 1234: Mar 30 09:21:51.418: RADIUS:  Service-Type        [6]   6   Framed                    [2]
  Mar 30 11:20:07 vpngw2 1235: Mar 30 09:21:51.418: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
  Mar 30 11:20:07 vpngw2 1236: Mar 30 09:21:51.418: RADIUS(00000015): Sending a IPv4 Radius Packet
  Mar 30 11:20:07 vpngw2 1237: Mar 30 09:21:51.418: RADIUS(00000015): Started 5 sec timeout
  Mar 30 11:20:07 vpngw2 1238: Mar 30 09:21:51.422: RADIUS: Received from id 1645/7 10.27.1.228:1812, Access-Accept, len 85
  Mar 30 11:20:07 vpngw2 1239: Mar 30 09:21:51.422: RADIUS:  authenticator 25 CD 93 D5 78 2C F4 4F - F2 66 2C 45 8D D4 E1 16
  Mar 30 11:20:07 vpngw2 1240: Mar 30 09:21:51.422: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
  Mar 30 11:20:07 vpngw2 1241: Mar 30 09:21:51.422: RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
  Mar 30 11:20:07 vpngw2 1242: Mar 30 09:21:51.422: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.221
  Mar 30 11:20:07 vpngw2 1243: Mar 30 09:21:51.422: RADIUS:  Vendor, Cisco       [26]  41
  Mar 30 11:20:07 vpngw2 1244: Mar 30 09:21:51.422: RADIUS:   Cisco AVpair       [1]   35  "vpdn:ip-addresses=192.168.252.220"
  Mar 30 11:20:07 vpngw2 1245: Mar 30 09:21:51.422: RADIUS:  Service-Type        [6]   6   Framed                    [2]
  Mar 30 11:20:07 vpngw2 1246: Mar 30 09:21:51.426: RADIUS(00000015): Received from id 1645/7
  Mar 30 11:20:07 vpngw2 1247: Mar 30 09:21:51.438: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
  Mar 30 11:20:07 vpngw2 1248: Mar 30 09:21:51.442: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
  Mar 30 11:20:07 vpngw2 1249: Mar 30 09:21:51.478: RADIUS/ENCODE(00000015):Orig. component type = VPDN
  Mar 30 11:20:07 vpngw2 1250: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IP: 0.0.0.0
  Mar 30 11:20:07 vpngw2 1251: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IPv6: ::
  Mar 30 11:20:07 vpngw2 1252: Mar 30 09:21:51.478: RADIUS(00000015): sending
  Mar 30 11:20:07 vpngw2 1253: Mar 30 09:21:51.478: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
  Mar 30 11:20:07 vpngw2 1254: Mar 30 09:21:51.478: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/19, len 213
  Mar 30 11:20:07 vpngw2 1255: Mar 30 09:21:51.478: RADIUS:  authenticator 1B E0 A3 DF 16 7F F1 8D - E5 7F BD 88 50 01 73 53
  Mar 30 11:20:07 vpngw2 1256: Mar 30 09:21:51.478: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
  Mar 30 11:20:07 vpngw2 1257: Mar 30 09:21:51.478: RADIUS:  Tunnel-Type         [64]  6   00:
  Mar 30 11:20:07 vpngw2 1258: L2TP                   [3]
  Mar 30 11:20:07 vpngw2 1259: Mar 30 09:21:51.478: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
  Mar 30 11:20:07 vpngw2 1260: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
  Mar 30 11:20:07 vpngw2 1261: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
  Mar 30 11:20:07 vpngw2 1262: Mar 30 09:21:51.478: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
  Mar 30 11:20:07 vpngw2 1263: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
  Mar 30 11:20:07 vpngw2 1264: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
  Mar 30 11:20:07 vpngw2 1265: Mar 30 09:21:51.478: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
  Mar 30 11:20:07 vpngw2 1266: Mar 30 09:21:51.478: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
  Mar 30 11:20:07 vpngw2 1267: Mar 30 09:21:51.478: RADIUS:  User-Name           [1]   5   "me1"
  Mar 30 11:20:07 vpngw2 1268: Mar 30 09:21:51.478: RADIUS:  Vendor, Cisco       [26]  35
  Mar 30 11:20:07 vpngw2 1269: Mar 30 09:21:51.478: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
  Mar 30 11:20:07 vpngw2 1270: Mar 30 09:21:51.478: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
  Mar 30 11:20:07 vpngw2 1271: Mar 30 09:21:51.482: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
  Mar 30 11:20:07 vpngw2 1272: Mar 30 09:21:51.482: RADIUS:  Connect-Info        [77]  11  "100000000"
  Mar 30 11:20:07 vpngw2 1273: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
  Mar 30 11:20:07 vpngw2 1274: Mar 30 09:21:51.482: RADIUS:  NAS-Port            [5]   6   10007
  Mar 30 11:20:08 vpngw2 1275: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
  Mar 30 11:20:08 vpngw2 1276: Mar 30 09:21:51.482: RADIUS:  Service-Type        [6]   6   Framed                    [2]
  Mar 30 11:20:08 vpngw2 1277: Mar 30 09:21:51.482: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
  Mar 30 11:20:08 vpngw2 1278: Mar 30 09:21:51.482: RADIUS:  Acct-Delay-Time     [41]  6   0
  Mar 30 11:20:08 vpngw2 1279: Mar 30 09:21:51.482: RADIUS(00000015): Sending a IPv4 Radius Packet
  Mar 30 11:20:08 vpngw2 1280: Mar 30 09:21:51.482: RADIUS(00000015): Started 5 sec timeout
  Mar 30 11:20:08 vpngw2 1281: Mar 30 09:21:51.486: RADIUS: Received from id 1646/19 10.27.1.228:1813, Accounting-response, len 20
  Mar 30 11:20:08 vpngw2 1282: Mar 30 09:21:51.486: RADIUS:  authenticator 73 5E 95 46 5B 57 B1 4A - 44 4F 7C 71 F0 26 AA A4
  Mar 30 11:20:12 vpngw2 1283: Mar 30 09:21:56.282: RADIUS/ENCODE(00000015):Orig. component type = VPDN
  Mar 30 11:20:12 vpngw2 1284: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IP: 0.0.0.0
  Mar 30 11:20:12 vpngw2 1285: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IPv6: ::
  Mar 30 11:20:12 vpngw2 1286: Mar 30 09:21:56.282: RADIUS(00000015): sending
  Mar 30 11:20:12 vpngw2 1287: Mar 30 09:21:56.282: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
  Mar 30 11:20:12 vpngw2 1288: Mar 30 09:21:56.286: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/20, len 407
  Mar 30 11:20:12 vpngw2 1289: Mar 30 09:21:56.286: RADIUS:  authenticator 26 7A 27 91 EB 3F 34 C6 - DB 2D 88 F8 B1 A4 C1 12
  Mar 30 11:20:12 vpngw2 1290: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
  Mar 30 11:20:12 vpngw2 1291: Mar 30 09:21:56.286: RADIUS:  Tunnel-Type         [64]  6   00:
  Mar 30 11:20:12 vpngw2 1292: L2TP                   [3]
  Mar 30 11:20:12 vpngw2 1293: Mar 30 09:21:56.286: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
  Mar 30 11:20:12 vpngw2 1294: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
  Mar 30 11:20:12 vpngw2 1295: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
  Mar 30 11:20:12 vpngw2 1296: Mar 30 09:21:56.286: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
  Mar 30 11:20:12 vpngw2 1297: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
  Mar 30 11:20:12 vpngw2 1298: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
  Mar 30 11:20:12 vpngw2 1299: Mar 30 09:21:56.286: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
  Mar 30 11:20:12 vpngw2 1300: Mar 30 09:21:56.286: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
  Mar 30 11:20:12 vpngw2 1301: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  59
  Mar 30 11:20:12 vpngw2 1302: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   53  "ppp-disconnect-cause=Received LCP TERMREQ from peer"
  Mar 30 11:20:12 vpngw2 1303: Mar 30 09:21:56.286: RADIUS:  User-Name           [1]   5   "me1"
  Mar 30 11:20:12 vpngw2 1304: Mar 30 09:21:56.286: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
  Mar 30 11:20:12 vpngw2 1305: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  35
  Mar 30 11:20:12 vpngw2 1306: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
  Mar 30 11:20:12 vpngw2 1307: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
  Mar 30 11:20:12 vpngw2 1308: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-tx-speed=100000000"
  Mar 30 11:20:12 vpngw2 1309: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
  Mar 30 11:20:12 vpngw2 1310: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-rx-speed=100000000"
  Mar 30 11:20:12 vpngw2 1311: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Time   [46]  6   5
  Mar 30 11:20:12 vpngw2 1312: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Octets   [42]  6   5980
  Mar 30 11:20:12 vpngw2 1313: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Octets  [43]  6   120
  Mar 30 11:20:12 vpngw2 1314: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Packets  [47]  6   47
  Mar 30 11:20:12 vpngw2 1315: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Packets [48]  6   11
  Mar 30 11:20:12 vpngw2 1316: Mar 30 09:21:56.286: RADIUS:  Acct-Terminate-Cause[49]  6   user-request              [1]
  Mar 30 11:20:12 vpngw2 1317: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  39
  Mar 30 11:20:12 vpngw2 1318: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   33  "disc-cause-ext=PPP Receive Term"
  Mar 30 11:20:12 vpngw2 1319: Mar 30 09:21:56.286: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
  Mar 30 11:20:12 vpngw2 1320: Mar 30 09:21:56.286: RADIUS:  Connect-Info        [77]  11  "100000000"
  Mar 30 11:20:12 vpngw2 1321: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
  Mar 30 11:20:12 vpngw2 1322: Mar 30 09:21:56.286: RADIUS:  NAS-Port            [5]   6   10007
  Mar 30 11:20:12 vpngw2 1323: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
  Mar 30 11:20:12 vpngw2 1324: Mar 30 09:21:56.286: RADIUS:  Service-Type        [6]   6   Framed                    [2]
  Mar 30 11:20:12 vpngw2 1325: Mar 30 09:21:56.286: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
  Mar 30 11:20:12 vpngw2 1326: Mar 30 09:21:56.286: RADIUS:  Acct-Delay-Time     [41]  6   0
  Mar 30 11:20:12 vpngw2 1327: Mar 30 09:21:56.286: RADIUS(00000015): Sending a IPv4 Radius Packet
  Mar 30 11:20:12 vpngw2 1328: Mar 30 09:21:56.286: RADIUS(00000015): Started 5 sec timeout
  Mar 30 11:20:12 vpngw2 1329: Mar 30 09:21:56.294: RADIUS: Received from id 1646/20 10.27.1.228:1813, Accounting-response, len 20
  Mar 30 11:20:12 vpngw2 1330: Mar 30 09:21:56.294: RADIUS:  authenticator E1 09 A6 6D 91 C6 B1 B3 - 78 00 FF 4F 25 32 C6 B5
  Mar 30 11:20:12 vpngw2 1331: Mar 30 09:21:56.406: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
  Mar 30 11:20:12 vpngw2 1332: Mar 30 09:21:56.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
  =============================================================

  I found the failure.
  In the cisco config it must be
  aaa authorization network default group radius local
  not
  aaa authorization network groupauthor local

• Assigning IP addresses to VPN users from Cisco ISE

  Hi all,
  I would appreciate if anyone could share his experience in assigning ip addresses (not static ones, but from a pool) to VPN users. The Radius is Cisco ISE and I am trying to configure this in the Authorization Results Tab. VPN gateway is ASA 8.4.
  Thanks in advance,
  Lora

  Hi Lora,
  Try going through the following link, might be helpful.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html#wp1252535

• Posture validation

  Dear Team,
     I have an internal Windows and Antivirus server. I want to do posture validation and want to make sure that end points
  checks the updated from the external server.
  Could you please let me know where do we define information about the internal servers in ISE?
  Minakshi

  Posture Services on the Cisco ISE Configuration Guide
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html

• Fixed ip for vpn user- aaa authenticated

  Hi all,
  i am using asa 5520 as my vpn box. All vpn users login to vpn box associated with a aaa server. The authenticaltion takes place on aaa server. If i use local database for user login, i can assign fixed static ip to the user via its vpn properties. But now i am using aaa for authentication and i want to assign fixed statix IP for some users. How can i do this?

  with local aaa authentication
  go to the user atributes
  like username vpnuser attributes
  vpn-framed-ip-address 192.168.50.1 255.255.255.255
  this will give that ip to that user
  if u are useing cisco ACS
  under the user setting
  go to :
  Assign static IP address-If a specific IP address should be used for this user, click this option and type the IP address in the text box. The IP address assignment in User Setup overrides the IP address assignment in Group Setup
  and the following link give step-by step intstruction to configure cisco ACS AAA
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6a6.html
  good luck
  please, if helpful Rate