RADIUS dictionary for VPN 30XX Concentrator.

Where can I find the RADIUS dictionary with the new VSA for a VPN Concentrator sw 4.1.7?
Thanks.
Andrea.

Please refer to this document for the procedure: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007deec.html#41675

Similar Messages

  • Confirm Upgrading Software for VPN 3060E Concentrator

    Maybe I have the steps wrong, but my upgrade didn't work. See below to confirm my instructions to upgrade VPN 3060E concentrator
    UPGRADING SOFTWARE FOR VPN CONCENTRATOR
    1. Go to Administration/Software Update/Concentrator
    2. You will see the current software revision, below that you will see the current image file.
    3. Enter the complete pathname of the new image or click Browse to search for the file. File must be accessible by the workstation you are using to manage the VPN Concentrator.
    4. Once you have the pathname of the new image entered, click the upload button.
    5. You will see the Software Update Progress window appear.
    6. Continue to wait until the update progress window completes and says that the update was a success, or you can stop the file transfer that is in progress by clicking cancel.
    7. After the update, the manager returns to the Administration screen where you may see a message that a file upload is in progress. Click the highlighted link to stop it and clear the message. The manager will also verify the new software.
    8. A reboot of the concentrator is needed once the update is complete.
    9. To reboot the concentrator go to Administration/System Reboot. In the action field select reboot. In the Configuration field, choose to reboot without saving the active configuration. In the When to Reboot/Shutdown section, choose Now.
    10. The Software Update Error Screen will appear if there was a problem with the upgrade.

    Hi,
    Yes, you pretty much summarized what needs to be done in order to upgrade the VPN3000.
    So, what is the error that you got while upgrading? Also, when you download the image from cisco.com, make sure that the file size matches.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_administration_guide_chapter09186a00800bd91f.html
    Regards,
    Arul

  • ACS 4.2 Windows Radius Attributes for VPN-dial-in

    Hello,
    The situation:
    A remote user establishes a VPN connection (AnyConnect) to an ASA 8.4, the ASA forwards authentication to ACS 4.2, and ACS should assign an IP address from an address pool dependent on group membership (LDAP).
    The problem:
    The user gets an IP config with a default gateway which is always the 3rd address of the IP pool (IP pools are /28 ranges); the mask is OK (/32).
    On the ASA-Log I can see a Message:
    %ASA-6-110002: Failed to locate egress interface for protocol from src interface:src IP/src port to dest IP/dest port
    I've assigned the following attributes:
    IP Assignment: Assigned from AAA server pool (the accordant pool is selected)
    IETF Radius Attributes:
    006 Service Type: Framed
    007 Framed Protocol: ppp
    009 Framed-IP-Netmask: 255.255.255.255
    (not sure about) 022 Framed-Route: 0.0.0.0
    025 Class: <Group-Policy of ASA>
    Does any of you know what I'm doing wrong?
    On the ASA I can't find any settings.
    Thanks for any advice

    O'Brien Simon
    Did you manage to get a reply to your question about the timeout period for dynamic users in ACS 4.2 ?  As this is what I was about to ask but noticed your post.
    Many thanks
    florrieford

  • Can I use ISE IPN without posture for VPN with Base license only?

    I'm looking at ISE licensing, and both Base and Advanced licenses have VPN listed. I could not find any document that provides guideline for VPN implementation using ISE Base license only.
    1. Can I use ISE IPN (Inline Posture Node) functionality without posture assessment with ISE Base license only? (I know it has to be ISE hardware appliance, and I know that Posture assessment requires ISE Advanced license.)
    2. Do I have to use IPN for VPN deployment using ISE as the Radius server?
    3. If I do not have to use IPN for VPN, can I use ISE for Authentication and Authorization in the same way as I use ACS?
    Thanks,
    Val Rodionov

    Val,
    There is no need to consider IPN if you are not using posturing. You can use ISE much like ACS for radius authentication for vpn users.
    If posturing is down the road and your hope is to have an architecture in place and license later, then I am sure that you can use the ipn with base licensing, however I would strongly recommend working with the PDI (for partners) for help and confirmation.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • How to get the traffic split up in VPN 3000 Concentrator?

    Hi,
    Requirement:
    I want to parse & analyze the Cisco VPN 3000 Concentrator logs and provide the report for the happenings using the log.
    Issue:
    I am able to get the traffic split up for Cisco Pix501 thro' its logs for the VPN connections. But in Cisco3000VPN Concentrator, I am not able to get the traffic details for any PPTP/IPSec connections. It simply provides the overall traffic log when the session is closed. For example, below is my traffic log,
    <189>14014 07/23/2004 19:16:24.640 SEV=4 AUTH/28 RPT=41 192.168.101.41 User [sarav] Group [Base Group] disconnected: Session Type: PPTP Duration: 0:16:37 Bytes xmt: 216 Bytes rcv: 38023 Reason: User Requested
    My Question:
    Is there any configuration/solution available to get the live traffic [traffic split up] thro' that VPN connection for Cisco3000VPN Concentrator?
    Please help me in getting this issue resolved.
    Thanks to all helping me to resolve the issue.
    Thanks.

    You get the details from the Pix logs not because of VPN functionality but because the Pix is a stateful device that manages and logs each and every session.
    The VPN 3000 is not stateful or session aware. The best you could do is provide packet level logging, but this would generate enormous log files that would need to be statistically analyzed to provide useful information.
    Your best options are to run their traffic through a Pix firewall for the session logging, use the first hop router inside the network that can provide Netflow export for analysis, or use a probe to monitor the traffic that can discern the individual flows. For the last two, ntop can analyze netflow of mirrored sessions to provide protocol analysis by src/dest IP, top protocols used, etc.
    -Shannon
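
A parser for the session-close record quoted in the question, as an added example that is not part of the original thread. It yields per-session totals only, which is all this record carries; the regular expression is derived from the single line on the page, and the two extra input lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line quoted in the question above, verbatim.
PAGE_LINE = ("<189>14014 07/23/2004 19:16:24.640 SEV=4 AUTH/28 RPT=41 192.168.101.41 "
             "User [sarav] Group [Base Group] disconnected: Session Type: PPTP "
             "Duration: 0:16:37 Bytes xmt: 216 Bytes rcv: 38023 Reason: User Requested")

# Constructed lines (not from the page): a second session and a non-matching record.
CONSTRUCTED = [
    "<189>14020 07/23/2004 21:05:10.120 SEV=4 AUTH/28 RPT=42 192.168.101.41 "
    "User [sarav] Group [Base Group] disconnected: Session Type: IPSec "
    "Duration: 1:00:00 Bytes xmt: 1000 Bytes rcv: 2000 Reason: User Requested",
    "<189>14021 07/23/2004 21:05:11.000 SEV=5 constructed line that is not a disconnect",
]

DISCONNECT = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+) "
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"SEV=(?P<sev>\d+) (?P<event>[A-Z0-9]+/\d+) RPT=(?P<rpt>\d+) "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}) "
    r"User \[(?P<user>[^\]]*)\] Group \[(?P<group>[^\]]*)\] disconnected: "
    r"Session Type: (?P<session_type>.+?) "
    r"Duration: (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) "
    r"Bytes xmt: (?P<xmt>\d+) Bytes rcv: (?P<rcv>\d+) "
    r"Reason: (?P<reason>.+)$"
)


def parse_disconnect(line):
    """Return a dict for a session-close record, or None if the line is something else."""
    m = DISCONNECT.match(line.strip())
    if m is None:
        return None
    # Syslog PRI = facility * 8 + severity.
    facility, severity = divmod(int(m["pri"]), 8)
    return {
        "facility": facility,
        "severity": severity,
        "seq": int(m["seq"]),
        "time": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
        "event": m["event"],
        "peer": m["peer"],
        "user": m["user"],
        "group": m["group"],
        "session_type": m["session_type"],
        "duration_s": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
        "bytes_xmt": int(m["xmt"]),
        "bytes_rcv": int(m["rcv"]),
        "reason": m["reason"],
    }


def summarize(lines):
    """Aggregate closed sessions per user; also count lines that were not parsed."""
    totals = defaultdict(lambda: {"sessions": 0, "duration_s": 0,
                                  "bytes_xmt": 0, "bytes_rcv": 0})
    skipped = 0
    for line in lines:
        rec = parse_disconnect(line)
        if rec is None:
            skipped += 1
            continue
        t = totals[rec["user"]]
        t["sessions"] += 1
        t["duration_s"] += rec["duration_s"]
        t["bytes_xmt"] += rec["bytes_xmt"]
        t["bytes_rcv"] += rec["bytes_rcv"]
    return dict(totals), skipped


if __name__ == "__main__":
    report, skipped = summarize([PAGE_LINE] + CONSTRUCTED)
    for user, t in report.items():
        print(user, t)
    print("unparsed lines:", skipped)
```
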

  • CSCui57775 - ISE 1.2 Cannot use some of the Radius Dictionary attributes

    ISE 1.2 as it's currently shipping does not allow the use of the Radius->IETF dictionary for test attributes.
    One of the things this broke was the ability to sort wireless locations by VLAN and SSID - in other words the ability to determine which AP group a session came from.  We set up some tests in our POC to use the SSID from Called-Station-ID and the VLAN tag from Tunnel-Private-Group-ID to determine the AP group.  We haven't found a good replacement even with TAC looking for one.
    Does anyone have a way of determining the AP group besides building tables of access points?

    Hi,
    Forgot to write in this thread, I did a reboot of both ISE servers and after that it works as it should.
    Not the best solution but it worked.
    Might be something with the AD connection that hang, don't really know. But I have seen wired errors between ISE and AD before.
    Thanks

  • Trying to set a delay in an Applescript for VPN connection

    I need to be able to set some routes upon opening a particular VPN connection so I did some searching and found a really simple Applescript that does the job. Problem is it tries to set the routes before the VPN actually connects so the routes don't go in.
    I added in a 10 second delay which does the trick, but I'm thinking there has to be a way to do this that waits until the VPN actually connects before continuing - so if it takes 5 seconds or 10 or whatever, it waits.
    The other thing I'm doing that I think is bad is I'm sending a route delete command before sending the add command. Why? Because if I don't and for some reason the route is partially in the table, it doesn't give an error and ends up not routing. Again, probably a better way to do this.
    Here is my current script:
    -- Connect Work VPN
    tell application "System Events"
    tell current location of network preferences
    set VPNservice to service "Work" -- name of the VPN service
    if exists VPNservice then connect VPNservice
    end tell
    end tell
    delay 10
    set gateway to "x.x.x.x" -- omitted here for security
    do shell script "route delete 192.168.25.0/24 " & gateway with administrator privileges
    do shell script "route delete 192.168.20.0/24 " & gateway with administrator privileges
    do shell script "route add 192.168.25.0/24 " & gateway with administrator privileges
    do shell script "route add 192.168.20.0/24 " & gateway with administrator privileges
    Any suggestions??
    Thanks.

    you might want to try asking in the Applescript forum under OS X technologies.
    I don't have any VPN connections so can't test anything, but the AppleScript dictionary for System Events indicates that the configuration property of a service has a boolean property "connected". So just run a loop with, say, a 1 second delay until this property becomes true. Presumably it would be something along the lines of:
    tell application "System Events"
        tell current location of network preferences
            set VPNservice to service "Work" -- name of the VPN service
            if exists VPNservice then connect VPNservice
            repeat until (connected of current configuration of VPNservice)
                delay 1
            end repeat
        end tell
    end tell
    set gateway to "x.x.x.x" -- omitted here for security
    do shell script "route delete 192.168.25.0/24 " & gateway with administrator privileges
    do shell script "route delete 192.168.20.0/24 " & gateway with administrator privileges
    do shell script "route add 192.168.25.0/24 " & gateway with administrator privileges
    do shell script "route add 192.168.20.0/24 " & gateway with administrator privileges

  • CAS SSO not working for VPN Group

    Hello,
    I am trying to get SSO working for a CAS/CAM in a inband virtual gateway for VPN users coming in off a ASA5520. There are two VPN groups each with its own group policy and tunnel group. One group uses a Windows IAS Radius Server and the other a token based RADIUS RSA device.
    Users use the AnyConnect client to connect to the ASA where they are dumped into a vlan. SSO works for the group that uses the Windows radius server. On the CAS the Cisco VPN Auth server has the Unauthenticated Group as the default group, and then I use mapping rules (Framed_IP_Address) to get the different vpn groups into the right roles. This works for the one group, but since SSO is not working on the second group the CAS never gets the chance to assign them into the correct role.
    The only thing I got is this from the ASA:
    AAA Marking RADIUS server billybob in aaa-server group cas_accounting as ACTIVE
    AAA Marking RADIUS server billybob in aaa-server group cas_accounting as FAILED
    I am so close but can't call this done yet....

    Hey Faisel,
    Thanks for the question.
    This is the strange thing. For days Group A (Windows Radius Server) was working and Group B (RSA Radius Server) would not work. Then for some reason I had to reboot the CAS and BOOM...Group B started working and Group A STOPPED working.
    So on the ASA I now get these:
    AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as ACTIVE
    AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as FAILED
    Where cas_accounting2 is the AAA server group for Group A
    On the ASA I can see that the FW sends a packet to the cas:
    "send pkt cas2-hvn-3515/1813"
    but the FW never gets an answer back from the CAS for Group A whereas with Group B I can see the response from the CAS.
    "rad_vrfy() : response message verified"
    What can I look for in the CAS logs to see where the problem is? I will try and set up a packet capture on the CAS and debug it too.

  • Radius accounting for QoS pppoe policy-map

    Hi folks
    I have a radius pushing an AVPAIR ip:sub-qos-policy-out to a virtual template for clients connected to a BRAS through PPPOE.
    The AVPAIR is correctly applied to each and every pppoe session but the following link  http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbbbrs1c.html  is indicating that I should be able to push back to the RADIUS some traffic info per class-map/policy map. This would allow some Quota stuff and getting some info about traffic used per customer
    From what I have been able to configure, I'm not getting any of these stats back to the RADIUS
    the debug radius accounting :
    *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E):Orig. component type = PPPoE
    *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E): Acct-session-id pre-pended with Nas Port = 0/0/3/0
    *Mar 12 05:29:00.419: RADIUS(0000000E): Config NAS IP: 0.0.0.0
    *Mar 12 05:29:00.419: RADIUS(0000000E): sending
    *Mar 12 05:29:00.419: RADIUS/ENCODE: Best Local IP-Address 192.168.38.133 for Radius-Server 192.168.38.131
    *Mar 12 05:29:00.419: RADIUS(0000000E): Send Accounting-Request to 192.168.38.131:1813 id 1646/55, len 299
    *Mar 12 05:29:00.419: RADIUS:  authenticator ED 94 CF EE BD 73 30 7E - 93 07 A4 C3 50 A6 03 DE
    *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Id     [44]  18  "0/0/3/0_00000005"
    *Mar 12 05:29:00.419: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    *Mar 12 05:29:00.419: RADIUS:  Framed-IP-Address   [8]   6   10.10.10.2
    *Mar 12 05:29:00.419: RADIUS:  User-Name           [1]   9   "olivier"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  35
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-tx-speed=10000000"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-rx-speed=10000000"
    *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Time   [46]  6   2582
    *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Octets   [42]  6   7232
    *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Octets  [43]  6   7232
    *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Packets  [47]  6   517
    *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Packets [48]  6   517
    *Mar 12 05:29:00.419: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    *Mar 12 05:29:00.419: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  15
    *Mar 12 05:29:00.419: RADIUS:   cisco-nas-port     [2]   9   "0/0/3/0"
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port            [5]   6   50331648
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Id         [87]  9   "0/0/3/0"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  41
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=aabb.cc00.6430"
    *Mar 12 05:29:00.419: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar 12 05:29:00.419: RADIUS:  NAS-IP-Address      [4]   6   192.168.38.133
    *Mar 12 05:29:00.419: RADIUS:  Ascend-Session-Svr-K[151] 10
    *Mar 12 05:29:00.419: RADIUS:   37 39 38 32 45 41 38 30          [ 7982EA80]
    *Mar 12 05:29:00.419: RADIUS:  Acct-Delay-Time     [41]  6   0
    *Mar 12 05:29:00.419: RADIUS(0000000E): Started 5 sec timeout
    *Mar 12 05:29:00.419: RADIUS: Received from id 1646/55 192.168.38.131:1813, Accounting-response, len 20
    *Mar 12 05:29:00.419: RADIUS:  authenticator A7 0E 79 40 C5 B5 CF DC - 09 46 27 48 52 BE 01 7D
    What I get in the freeradius log :
    Tue Mar 11 22:30:04 2014
            Acct-Session-Id = "0/0/3/0_00000005"
            Framed-Protocol = PPP
            Framed-IP-Address = 10.10.10.2
            User-Name = "olivier"
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Cisco-AVPair = "nas-tx-speed=10000000"
            Cisco-AVPair = "nas-rx-speed=10000000"
            Acct-Session-Time = 2646
            Acct-Input-Octets = 7428
            Acct-Output-Octets = 7428
            Acct-Input-Packets = 531
            Acct-Output-Packets = 531
            Acct-Authentic = RADIUS
            Acct-Status-Type = Interim-Update
            NAS-Port-Type = Virtual
            Cisco-NAS-Port = "0/0/3/0"
            NAS-Port = 50331648
            NAS-Port-Id = "0/0/3/0"
            Cisco-AVPair = "client-mac-address=aabb.cc00.6430"
            Service-Type = Framed-User
            NAS-IP-Address = 192.168.38.133
            X-Ascend-Session-Svr-Key = "7982EA80"
            Acct-Delay-Time = 0
            Acct-Unique-Session-Id = "523eac6ae326a778"
            Timestamp = 1394602204
            Request-Authenticator = Verified
    user config in the users file on the freeradius server :
    olivier Cleartext-Password := "olivier"
            Service-Type = Framed-User,
            Cisco-AVPair += "ip:addr-pool=pppoepool",
            Cisco-AVpair += "ip:sub-qos-policy-out=TEST"
    I see that the policy map name is pulled correctly from the radius server and applied to the session :
    #sh policy-map session uid 14
     SSS session identifier 14 -
      Service-policy output: TEST
        Class-map: TEST (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          police:
              cir 8000 bps, bc 1500 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0 bps, exceed 0 bps
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    Any input very welcome

    Cisco server is working fine. When you do use non-standard or non-RFC requests from your NAS to the AAA server for instance, you have to configure your server accordingly to instruct it how to handle this kind of requests.
    This is typically done with something called "dictionary", which should be included in your radius server. The server typically decodes all RFC 2865 VSAs (or should), but when a new NAS model is introduced into the network, you can modify it to add any VSAs not appearing in the dictionary, which is your case.
    As an example, imagine you want to change the attribute cisco-vsa-port-string to tagged-string, your dictionary will look something similar to:
    And finally you will have to modify with a text editor, or XML editor and change type="tagged-string" supposing your device complies with RFC 2868. Probably the AAA server will have to be restarted for taking these changes into account.
    Also, since this does apply to all devices for this vendor, you've got one more option, which is to define your own dictionary for a specific vendor, or even if you wish for a specific NAS or group of NASes.
    In NavisRadius you could associate a dictionary to a device adding a client-class:
    # Client-IP Client-Secret Client-Class
    10.0.0.1 secret taos-old
    And then specifying the dictionary later in client_properties for this device:
    # This file contains information about client classes
    # and is used to set per-client specific information.
    # TAOS Devices in OLD mode with RFC conflicts
    taos-old
    Client-Dictionary=max_dictionary
    # Other devices now, etc.
    Hope it helps
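
What a dictionary does when a server decodes vendor-specific attributes, as an added example that is not part of the original thread and not any RADIUS server's own code. The attribute bytes are rebuilt from values in the debug output quoted in the question; the in-memory dictionary layout and the function names are assumptions made for illustration.

```python
import ipaddress
import struct

CISCO = 9  # IANA enterprise number for Cisco

# Illustrative dictionary: attribute number -> (name, value type).
STANDARD = {
    1: ("User-Name", "string"),
    8: ("Framed-IP-Address", "ipaddr"),
    40: ("Acct-Status-Type", "integer"),
    46: ("Acct-Session-Time", "integer"),
}
# (vendor id, vendor type) -> (name, value type).
# cisco-nas-port (vendor type 2) is left out on purpose to show the effect.
VENDOR = {(CISCO, 1): ("Cisco-AVPair", "string")}


def tlv(attr_type, value):
    """Encode one attribute: type, length (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value


def vsa(vendor_id, vendor_type, value):
    """Encode attribute 26 in the sub-TLV layout RFC 2865 recommends."""
    return tlv(26, struct.pack("!I", vendor_id) + tlv(vendor_type, value))


# Constructed from the values shown in the debug output above.
SAMPLE = b"".join([
    tlv(1, b"olivier"),
    tlv(8, ipaddress.IPv4Address("10.10.10.2").packed),
    vsa(CISCO, 1, b"nas-tx-speed=10000000"),
    tlv(46, struct.pack("!I", 2582)),
    tlv(40, struct.pack("!I", 3)),
    vsa(CISCO, 2, b"0/0/3/0"),
])


def iter_tlvs(buf):
    """Yield (type, value) pairs, rejecting truncated or impossible lengths."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        yield attr_type, buf[pos + 2:pos + length]
        pos += length


def decode_value(kind, raw):
    if kind == "string":
        return raw.decode("utf-8", "replace")
    if kind == "integer" and len(raw) == 4:
        return struct.unpack("!I", raw)[0]
    if kind == "ipaddr" and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return raw.hex()  # unknown type or unexpected size: keep the raw octets


def decode_attributes(buf, standard=STANDARD, vendor=VENDOR):
    """Decode attributes; anything missing from the dictionaries stays as hex."""
    out = []
    for attr_type, raw in iter_tlvs(buf):
        if attr_type != 26:
            name, kind = standard.get(attr_type, (f"Attr-{attr_type}", "octets"))
            out.append((name, decode_value(kind, raw)))
            continue
        if len(raw) < 4:
            raise ValueError("vendor-specific attribute shorter than vendor id")
        vendor_id = struct.unpack("!I", raw[:4])[0]
        for vtype, vraw in iter_tlvs(raw[4:]):
            fallback = (f"Vendor-{vendor_id}-Attr-{vtype}", "octets")
            name, kind = vendor.get((vendor_id, vtype), fallback)
            out.append((name, decode_value(kind, vraw)))
    return out


if __name__ == "__main__":
    for name, value in decode_attributes(SAMPLE):
        print(f"{name} = {value!r}")
    # After adding the missing entry the same bytes decode by name.
    extended = {**VENDOR, (CISCO, 2): ("Cisco-NAS-Port", "string")}
    print(decode_attributes(SAMPLE, vendor=extended)[-1])
```
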

  • ISE Profiling options for VPN clients

    I'm trying to mull over what profiling options are available for VPN users.  I have an environment using ASA VPN in conjunction with ISE IPN to allow full posturing for VPN clients prior to allowing network access.  The use case here is we want to allow BYOD-type devices in for VPN (using software clients), but want to allow them to be exempted from ISE posturing requirements.  I don't see an easy way to distinguish these device types that cannot use the NAC agent from the O/Ses that can.  Since the mac address isn't sent to the headend, I can't use any of the traditional DHCP-based profiling criteria.  So the net effect is these devices are stuck in the "unknown" posture state and have very limited access.  Any way around this catch-22?  Incidentally DHCP profiling is on and working fine for the wireless users on the network, but doesn't help me here since I only know the machines by their mac address.

    Chris I ran into the same issue. Netflow doesn't work and use packet captures to see if anything was worth while. The only option I see is filing an enhancement request to see if the asa can send the device platform over to ise via radius (much like the device sensor feature on ios).
    I also tried to use a span session and the catch with is that the asa doesn't assign the calling station id attribute to the tunnel ip, but the public ip the user is connecting from. So ise doesn't apply the user agent attributes to the current session.
    I was able to find a way around this by modifying the messaging via root patch to have the users click a link instead of retrying their request when they hit the cpp portal as a mobile device.
    Sent from Cisco Technical Support Android App

  • Radius configuration for 802.1X on Radiator

    Greetings:
    We are using Radiator 3.16 (http://www.open.com.au/radiator/) as our Radius server. It's working fine for VPN authentication.
    We're trying to use 802.1X on our wireless network. Does anyone have a Radiator config for using EAP-PEAP? We can't seem to figure the Radiator part out.
    Thanks.

    The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated. Refer to URL
    http://www.cisco.com/en/US/partner/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00805a64d7.html#wp1205506

  • Mac OS X Server 10.5 Radius authentication for non airport devices

    We have an Astaro Security Gateway 220 that we are planning to use for VPN and other services, we would like to use our Xserve to do authentication for our VPN like we already do for our other services on the device. To do so requires that we use Radius as the communication protocol between the server and the gateway, it works just fine to test authenticate as long as I don't set a Nas-Identifier for the test but as soon as I do it fails. The Nas-Identifiers are used to determine which services the account has access to and are named logically for that, things like http, pptp, etc. are used. I can't figure out how to get the gateway to be able to authenticate users, I don't need to be able to limit based on user which services they can access, any service that has a restricted set of users other than just valid users will be handled separately outside this system. If anyone can give me any good ideas on how to solve this it would be appreciated, we currently are only looking at radius for this, while we use airports for our wireless we don't link them into the server currently though there is a slight chance it will happen in the future.
    Thanks,
    Glenn McGurrin

    I found the problem. When turning off ClamAv virus scanning and Spam filtering everything runs fine again. So now we only have to repair those functions...

  • Server 2012 NPS NAP DHCP for VPN

    I have setup a server with DHCP and NPS and configured NAP DHCP.
    DHCP has 1 scope and the default scope options 003 router, 005 DNS server and 015 Domain Name (domain.com). 
    Further, in DHCP I created a DHCP policy so it assigns a different 005 DNS server and 015 Domain Name (restricted.domain.com) to non-compliant clients. NPS/NAP DHCP is working (all is set up: health, SHV, GPO, etc.; the Health Validator is only checking if the firewall is running), so when I connect a client with the firewall on I get a normal IP from the scope with the scope options and domain suffix domain.com. When I disable the firewall I get an IP from the DHCP scope, no gateway, subnet 255.255.255.255 and domain suffix restricted.domain.com, so all works well and as NAP DHCP should work.
    Now I have a separate RRAS server configured as VPN server and configured my DHCP/NPS server as a Radius Authentication Provider. Also a DHCP relay agent is configured in RRAS.
    On my DHCP/NPS server I configured my RRAS server as a Radius Client (nap-capable).
    My questions:
    Q1. Can I use NAP DHCP for VPN clients, as VPN clients get an IP address from my DHCP server? I know there is a NAP VPN option but I want to use NAP DHCP because NAP DHCP and NAP VPN don't work together and I want NAP DHCP for internal clients.
    My problem:
    P1. With the setup above I cannot set up a VPN connection from an external client; I get an error "Error 812:The connection was prevented because of a policy configured on your RAS/VPN server.specfically ,the authentication method used by the server to verify your usename and password may not match the auithentication method configured in your connection profile .Please contact the Administrator of the RAS server and notify them of this error"
    I can resolve my problem P1 by running "configure VPN for Dial-Up" with the option "Radius server for Dial-Up or VPN connections." This creates 1 Connection Request Policy and 1 Network Policy; in the policy I set authorized to Windows group domain admins.
    But then I have an issue with NAP DHCP...
    When I have a non-domain joined external client, where I have enabled NAP client in services.msc and DHCP Enforcement in local policy, I can set up a VPN connection, but from the DHCP server I get an IP address from the subnet/scope and domain suffix domain.com, so this is working OK. But when I disconnect the VPN client, disable and stop the firewall and connect the VPN again, it's not getting restricted: running ipconfig /all shows it's not restricted and also Netsh nap client show state shows it's not restricted, BUT it SHOULD be restricted as the firewall is off.
    What could be wrong?

    Hi,
    After discussing with so many people, I think this will not work.
    First we need to know how DHCP enforcement works.
    1. The DHCP client sends a DHCP request message to the DHCP server. If the DHCP client has an SoH, the DHCP request message includes it. The SoH contains information about the health of the client. The DHCP server passes the SoH to the NPS server. The NPS server communicates with the policy server to determine whether the SoH is valid.
    2. If the SoH is valid, the DHCP server assigns the DHCP client a complete IP address configuration. The DHCP client has unlimited access to the network, as defined by policy.
    3. If the SoH is not valid, the DHCP server limits the access of the DHCP client to the restricted network and assigns it a limited access subnet mask and static routes, as defined by policy.
    But VPN clients get IPs in a different way. It uses the IP Control Protocol (IPCP) as part of the Point-to-Point Protocol (PPP) connection setup. Everything is done in the VPN tunnel.
    Hope this helps.

  • Using ISE to assign ACL's for VPN users

    Hi,
    I've just implemented ISE into our environment using various documents and videos found online but have not been able to find anything about using ISE to authenticate remote users via VPN and assigning them the ACLs created for their level of network access.
    Does anyone know of a good document or training video knocking about that I can use?
    Thanks
    Jason

    Jason,
    If the ACL is present on the ASA you can use the "filter-id" radius attribute to reference the acl to the user's session. You can make this work by configuring an authorization profile and tying this in with your authorization policy for vpn users.
    If you want to push an acl then my recommendation is to use the cisco-av-pairs to push the acls since the username is associated with the acl that is applied to the username of the vpn session.
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1763743
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Radius Dictionary file conversion from free radius/steelbelt to cisco acs

    Does anyone have a tool or have experience converting a free radius dictionary file to cisco acs radius format.

    The key is to get all of the information needed. Normally when they say it takes too long for the client to answer that is not always the exact fault.
    You may seem to get that answer if the ACS is taking a long time to process the request and the switch or client has basically timed out its requests.
    The information needed is the following
    all of these items really need to be gathered at the same time
    switch debugs including
    debug radius
    debug aaa authen
    debug aaa accounting
    sniffer capture between the switch and the ACS
    logs from ACS with debugs enabled.
    If you are going to AD on the backend you may also want a sniffer capture between the ACS and the AD
    all of these together should tell you where the delay of failure lays and then at that time some changes can be suggested
