Using Framed IP Address in ISE AuthZ policy

Hi,
i have an issue when attempting to use the RADIUS-Framed-IP attribute in a User Authorisation policy. Essentially, when I try and map the Radius attribute to the user custom attribute in the AAuthZ profile, it will not let me as the RADIUS Framed IP has a data type of IPv4 and the user attribute i created has a data type of string.
I cannot see the data type of IPv4 available when creating user attributes.
Is there a way around this?
Thanks
Mario

Which version of ISE / patch are you using
The following was fixed in ISE 1.2 patch 3
CSCuj14382 Cannot statically assign IP address as FramedAddress

Similar Messages

ISE AuthZ policy based on FlexConnect Group

Hi all,
I understand that it is possible to have the WLC send different NAS-ID attributes to the CIsco ISE so that I can create specific AuthZ policies based on that NAS-ID attribute.
The only thing is that I cannot see anywhere in the FlexConnect AP Group config that allows me to choose the format for the RADIUS request. I can only see it when adding a RADIUS server in Global Configuration.
So how can I define the attribute that is sent to the ISE?
Thanks
Mario

I don't remember there being a NAS-ID attribute for FlexConnect groups. There is one for AP Group and WLAN.

Acs 5.4.46 filter using client IP address

Hello,
Is there a way to filter RADIUS network access using client station IP?
Thanks,

Hi Jatin,
Thank you for your replay.
The calling station-id didn't worked, only the framed-ip-address.
But in framed-ip-address i can't use a subnet.
Is there anyway to use framed-ip-address wth a subnet?

AuthZ Policy using specific Endpoint Identity Groups

I am trying to create an AuthZ policy that will identify if a device is in specific Endpoint Identity Group. See policy below.
I used the IdentityGroup:Name attribute Equals the Identity Group MAB_Devices. Please note that there are NO Identity groups listed in the dropdown options, so I typed in the name. Alas, the rule is not working. Anyone have advise on what I am doing wrong? Thx

Bransomar, your screenshot is an Authentication policy rule but you should do it in Authorization policy. Authentication policy sorts out requests by request method and origin and assigns an identity store to each.

ISE Authorization Policy Issues

Hello Team,
I´m getting troubles during my implementation: The User PC never gets IP Address from Access VLAN after AuthZ Policy succeded.
I have two vlans in my implementation:
Vlan ID 802 for Authentication (Subnet 10.2.39.0)
Vlan ID 50 for Access Users (Subnet Y.Y.Y.Y)
When I start my User PC, I get IP for VLAN 802 (10.2.39.3) and After Posture process, ISE inform the switch to put the User PC port in VLAN 50.
Here I have my Switch Port Configuration:
interface GigabitEthernet0/38
switchport access vlan 802
switchport mode access
switchport nonegotiate
switchport voice vlan 120
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 50
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
And Here, I have outputs AuthZ Policy in Action:
Oct 7 09:22:01.574 ANG: %DOT1X-5-SUCCESS: Authentication successful for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct 7 09:22:01.582 ANG: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct 7 09:22:01.591 ANG: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT APPLY
Oct 7 09:22:01.591 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-REQUEST
Oct 7 09:22:01.633 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-SUCCESS
Oct 7 09:22:01.633 ANG: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-WAIT
SWISNGAC8FL02#
Oct 7 09:22:02.069 ANG: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
SWISNGAC8FL02#
Oct 7 09:22:02.731 ANG: %EPM-6-IPEVENT: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Oct 7 09:22:02.731 ANG: %EPM-6-POLICY_APP_SUCCESS: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| RESULT SUCCESS
After that, I have:
SWISNGAC8FL02#sh auth sess int g0/38
Interface: GigabitEthernet0/38
MAC Address: 0022.1910.4130
IP Address: 10.2.39.3
User-Name: SNL\enzo.belo
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 50
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A022047000000F6126E9B17
Acct Session ID: 0x000001A7
Handle: 0x710000F7
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
Apparently, everything is OK, but NOT. The User PC never gets IP Address from Access VLAN 50.
If I do SWISNGAC8FL02#sh mac address-table | inc 0022.1910.4130
50 0022.1910.4130 STATIC Gi0/38
802 0022.1910.4130 STATIC Gi0/38
And
SWISNGAC8FL02#sh epm session summary
EPM Session Information
Total sessions seen so far : 17
Total active sessions : 1
Interface IP Address MAC Address VLAN Audit Session Id:
GigabitEthernet0/38 10.2.39.3 0022.1910.4130 802 0A022047000000F6126E9B17
My Switch is a Cisco IOS Software, C3560E Software (C3560E-IPBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)
I am using ISE Version 1.2.1.198 Patch Info 2
Could you help me in this Case ?
Best Regards,
Daniel Stefani

It seems like the PC is operating in the VOICE-domain according to the cmd auth sess int you showed. Do you think that has something to do with your problem? I've experienced some PC's having problem with that.
If you could, try getting the PC to operate in the DATA-domain by not sending the voice-attribute from ISE after the authorization.

L2TP and fixed Framed IP Address for VPN user

Hi,
I have a running L2TP/IPsec VPN setup with authentification against a radius server (freeradius2 witch mysql). I would like to have some of my VPN users get a fixed IP address instead of the dynamically assigned IP Pool.
The radius server is returning the correct parameters, I think.
I hope someone can help me.
It´s a Cisco 892 Integrated Service Router.
Router Config:
=============================================================
Current configuration : 8239 bytes
! Last configuration change at 10:44:26 CEST Fri Mar 30 2012 by root
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
hostname vpngw2
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
logging buffered 51200 warnings
enable secret 5 secret
aaa new-model
aaa authentication login default local group radius
aaa authentication login userauthen local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network groupauthor local
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting exec default
action-type start-stop
group radius
aaa accounting network default
action-type start-stop
group radius
aaa accounting resource default
action-type start-stop
group radius
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip domain name aspect-online.de
ip name-server 10.28.1.31
ip inspect WAAS flush-timeout 10
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip cef
no ipv6 cef
virtual-profile if-needed
multilink bundle-name authenticated
async-bootp dns-server 10.28.1.31
async-bootp nbns-server 10.28.1.31
vpdn enable
vpdn authen-before-forward
vpdn authorize directed-request
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
license udi pid -K9 sn FCZ
username root password 7 secret
ip ssh source-interface FastEthernet8
ip ssh version 2
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key mykey address 0.0.0.0         no-xauth
crypto ipsec transform-set configl2tp esp-3des esp-sha-hmac
mode transport
crypto dynamic-map config-map-l2tp 10
set nat demux
set transform-set configl2tp
crypto map vpnl2tp 10 ipsec-isakmp dynamic config-map-l2tp
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
no ip address
spanning-tree portfast
interface FastEthernet1
no ip address
spanning-tree portfast
<snip>
interface FastEthernet7
no ip address
spanning-tree portfast
interface FastEthernet8
ip address 10.28.1.97 255.255.255.0
ip access-group vpn_to_lan out
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface Virtual-Template1
ip unnumbered GigabitEthernet0
ip access-group vpn_to_inet_lan in
ip nat inside
ip virtual-reassembly in
peer default ip address pool l2tpvpnpool
ppp encrypt mppe 128
ppp authentication chap
interface GigabitEthernet0
description WAN Port
ip address x.x.x.39 255.255.255.0
ip access-group from_inet in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpnl2tp
interface Vlan1
no ip address
shutdown
ip local pool l2tpvpnpool 192.168.252.3 192.168.252.199
ip local pool remotepool 192.168.252.240 192.168.252.243
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat log translations syslog
ip nat inside source route-map natmap interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.33
ip access-list extended from_inet
<snip>
ip access-list extended nat_clients
permit ip 192.168.252.0 0.0.0.255 any
ip access-list extended vpn_to_inet_lan
<snip>
ip access-list extended vpn_to_lan
<snip>
deny   ip any any log-input
logging trap debugging
logging facility local2
logging 10.28.1.42
no cdp run
route-map natmap permit 10
match ip address nat_clients
radius-server attribute 8 include-in-access-req
radius-server host 10.27.1.228 auth-port 1812 acct-port 1813
radius-server key 7 mykey
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
mgcp profile default
banner login ^C
Hostname: vpngw2
Model: Cisco 892 Integrated Service Router
Description: L2TP/IPsec VPN Gateway with Radius Auth
^C
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
=============================================================
User Config in Radius (tying multiple attributes):
=============================================================
Attribute          | op | Value
Service-Type       | = | Framed-User
Cisco-AVPair       | = | vpdn:ip-addresses=192.168.252.220
Framed-IP-Address | := | 192.168.252.221
Cisco-AVPair       | = | ip:addr-pool=remotepool
=============================================================
Debug Log from freeradius2:
=============================================================
rad_recv: Access-Request packet from host 10.28.1.97 port 1645, id=7, length=100
        Framed-Protocol = PPP
        User-Name = "me1"
        CHAP-Password = 0x01b8b897de00317a75c68ee9ce473cf8b8
        Connect-Info = "100000000"
        NAS-Port-Type = Sync
        NAS-Port = 10007
        NAS-Port-Id = "Uniq-Sess-ID7"
        Service-Type = Framed-User
        NAS-IP-Address = 10.28.1.97
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql]   expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'me1'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'me1'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'me1'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "me1" with CHAP password
[chap] Using clear text password "test" for user me1 authentication.
[chap] chap user me1 authenticated succesfully
++[chap] returns ok
Login OK: [me1/<CHAP-Password>] (from client vpngw2 port 10007)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 7 to 10.28.1.97 port 1645
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-IP-Address := 192.168.252.221
        Cisco-AVPair = "vpdn:ip-addresses=192.168.252.220"
        Service-Type = Framed-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=19, length=213
        Acct-Session-Id = "00000011"
        Tunnel-Type:0 = L2TP
        Tunnel-Medium-Type:0 = IPv4
        Tunnel-Server-Endpoint:0 = "x.x.x.39"
        Tunnel-Client-Endpoint:0 = "x.x.x.34"
        Tunnel-Assignment-Id:0 = "L2TP"
        Tunnel-Client-Auth-Id:0 = "me1"
        Tunnel-Server-Auth-Id:0 = "vpngw2"
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.252.9
        User-Name = "me1"
        Cisco-AVPair = "connect-progress=LAN Ses Up"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        Connect-Info = "100000000"
        NAS-Port-Type = Sync
        NAS-Port = 10007
        NAS-Port-Id = "Uniq-Sess-ID7"
        Service-Type = Framed-User
        NAS-IP-Address = 10.28.1.97
        Acct-Delay-Time = 0
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
[acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
[detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail]        expand: %t -> Fri Mar 30 11:20:07 2012
++[detail] returns ok
++[unix] returns ok
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> me1
++[radutmp] returns ok
[sql]   expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
[sql]   expand: %{Acct-Delay-Time} -> 0
[sql]   expand:            INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime, acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets, acctoutputoctets,              calledstationid, callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response]       expand: %{User-Name} -> me1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 19 to 10.28.1.97 port 1646
Finished request 1.
Cleaning up request 1 ID 19 with timestamp +53
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=20, length=407
        Acct-Session-Id = "00000011"
        Tunnel-Type:0 = L2TP
        Tunnel-Medium-Type:0 = IPv4
        Tunnel-Server-Endpoint:0 = "x.x.x.39"
        Tunnel-Client-Endpoint:0 = "x.x.x.34"
        Tunnel-Assignment-Id:0 = "L2TP"
        Tunnel-Client-Auth-Id:0 = "me1"
        Tunnel-Server-Auth-Id:0 = "vpngw2"
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.252.9
        Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
        User-Name = "me1"
        Acct-Authentic = RADIUS
        Cisco-AVPair = "connect-progress=LAN Ses Up"
        Cisco-AVPair = "nas-tx-speed=100000000"
        Cisco-AVPair = "nas-rx-speed=100000000"
        Acct-Session-Time = 5
        Acct-Input-Octets = 5980
        Acct-Output-Octets = 120
        Acct-Input-Packets = 47
        Acct-Output-Packets = 11
        Acct-Terminate-Cause = User-Request
        Cisco-AVPair = "disc-cause-ext=PPP Receive Term"
        Acct-Status-Type = Stop
        Connect-Info = "100000000"
        NAS-Port-Type = Sync
        NAS-Port = 10007
        NAS-Port-Id = "Uniq-Sess-ID7"
        Service-Type = Framed-User
        NAS-IP-Address = 10.28.1.97
        Acct-Delay-Time = 0
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
[acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
[detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail]        expand: %t -> Fri Mar 30 11:20:12 2012
++[detail] returns ok
++[unix] returns ok
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> me1
++[radutmp] returns ok
[sql]   expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
[sql]   expand: %{Acct-Input-Gigawords} ->
[sql]   ... expanding second conditional
[sql]   expand: %{Acct-Input-Octets} -> 5980
[sql]   expand: %{Acct-Output-Gigawords} ->
[sql]   ... expanding second conditional
[sql]   expand: %{Acct-Output-Octets} -> 120
[sql]   expand: %{Acct-Delay-Time} -> 0
[sql]   expand:            UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}' ->            UPDATE radacct SET              acctstoptime       = '2012-03-30 11:20:12',              acctsessiontime    = '5',              acctinputoctets    = '0' << 32 |                                   '5980',              acctoutputoctets   = '0' << 32 |
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response]       expand: %{User-Name} -> me1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 20 to 10.28.1.97 port 1646
Finished request 2.
Cleaning up request 2 ID 20 with timestamp +58
Going to the next request
Waking up in 0.1 seconds.
Cleaning up request 0 ID 7 with timestamp +53
Ready to process requests.
=============================================================
Log From Cisco Router:
=============================================================
Mar 30 11:20:07 vpngw2 1217: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:07 vpngw2 1218: Mar 30 09:21:51.414: RADIUS: DSL line rate attributes successfully added
Mar 30 11:20:07 vpngw2 1219: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:07 vpngw2 1220: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:07 vpngw2 1221: Mar 30 09:21:51.414: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
Mar 30 11:20:07 vpngw2 1222: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015): acct_session_id: 17
Mar 30 11:20:07 vpngw2 1223: Mar 30 09:21:51.414: RADIUS(00000015): sending
Mar 30 11:20:07 vpngw2 1224: Mar 30 09:21:51.418: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:07 vpngw2 1225: Mar 30 09:21:51.418: RADIUS(00000015): Send Access-Request to 10.27.1.228:1812 id 1645/7, len 100
Mar 30 11:20:07 vpngw2 1226: Mar 30 09:21:51.418: RADIUS: authenticator DE 5F 2E 3E EF BF 50 F4 - 49 C3 4F BE 1A 66 72 22
Mar 30 11:20:07 vpngw2 1227: Mar 30 09:21:51.418: RADIUS: Framed-Protocol     [7]   6   PPP                       [1]
Mar 30 11:20:07 vpngw2 1228: Mar 30 09:21:51.418: RADIUS: User-Name           [1]   5   "me1"
Mar 30 11:20:07 vpngw2 1229: Mar 30 09:21:51.418: RADIUS: CHAP-Password       [3]   19 *
Mar 30 11:20:07 vpngw2 1230: Mar 30 09:21:51.418: RADIUS: Connect-Info        [77] 11 "100000000"
Mar 30 11:20:07 vpngw2 1231: Mar 30 09:21:51.418: RADIUS: NAS-Port-Type       [61] 6   Sync                      [1]
Mar 30 11:20:07 vpngw2 1232: Mar 30 09:21:51.418: RADIUS: NAS-Port            [5]   6   10007
Mar 30 11:20:07 vpngw2 1233: Mar 30 09:21:51.418: RADIUS: NAS-Port-Id         [87] 15 "Uniq-Sess-ID7"
Mar 30 11:20:07 vpngw2 1234: Mar 30 09:21:51.418: RADIUS: Service-Type        [6]   6   Framed                    [2]
Mar 30 11:20:07 vpngw2 1235: Mar 30 09:21:51.418: RADIUS: NAS-IP-Address      [4]   6   10.28.1.97
Mar 30 11:20:07 vpngw2 1236: Mar 30 09:21:51.418: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:07 vpngw2 1237: Mar 30 09:21:51.418: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:07 vpngw2 1238: Mar 30 09:21:51.422: RADIUS: Received from id 1645/7 10.27.1.228:1812, Access-Accept, len 85
Mar 30 11:20:07 vpngw2 1239: Mar 30 09:21:51.422: RADIUS: authenticator 25 CD 93 D5 78 2C F4 4F - F2 66 2C 45 8D D4 E1 16
Mar 30 11:20:07 vpngw2 1240: Mar 30 09:21:51.422: RADIUS: Framed-Protocol     [7]   6   PPP                       [1]
Mar 30 11:20:07 vpngw2 1241: Mar 30 09:21:51.422: RADIUS: Framed-Compression [13] 6   VJ TCP/IP Header Compressi[1]
Mar 30 11:20:07 vpngw2 1242: Mar 30 09:21:51.422: RADIUS: Framed-IP-Address   [8]   6   192.168.252.221
Mar 30 11:20:07 vpngw2 1243: Mar 30 09:21:51.422: RADIUS: Vendor, Cisco       [26] 41
Mar 30 11:20:07 vpngw2 1244: Mar 30 09:21:51.422: RADIUS:   Cisco AVpair       [1]   35 "vpdn:ip-addresses=192.168.252.220"
Mar 30 11:20:07 vpngw2 1245: Mar 30 09:21:51.422: RADIUS: Service-Type        [6]   6   Framed                    [2]
Mar 30 11:20:07 vpngw2 1246: Mar 30 09:21:51.426: RADIUS(00000015): Received from id 1645/7
Mar 30 11:20:07 vpngw2 1247: Mar 30 09:21:51.438: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Mar 30 11:20:07 vpngw2 1248: Mar 30 09:21:51.442: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Mar 30 11:20:07 vpngw2 1249: Mar 30 09:21:51.478: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:07 vpngw2 1250: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:07 vpngw2 1251: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:07 vpngw2 1252: Mar 30 09:21:51.478: RADIUS(00000015): sending
Mar 30 11:20:07 vpngw2 1253: Mar 30 09:21:51.478: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:07 vpngw2 1254: Mar 30 09:21:51.478: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/19, len 213
Mar 30 11:20:07 vpngw2 1255: Mar 30 09:21:51.478: RADIUS: authenticator 1B E0 A3 DF 16 7F F1 8D - E5 7F BD 88 50 01 73 53
Mar 30 11:20:07 vpngw2 1256: Mar 30 09:21:51.478: RADIUS: Acct-Session-Id     [44] 10 "00000011"
Mar 30 11:20:07 vpngw2 1257: Mar 30 09:21:51.478: RADIUS: Tunnel-Type         [64] 6   00:
Mar 30 11:20:07 vpngw2 1258: L2TP                   [3]
Mar 30 11:20:07 vpngw2 1259: Mar 30 09:21:51.478: RADIUS: Tunnel-Medium-Type [65] 6   00:IPv4                   [1]
Mar 30 11:20:07 vpngw2 1260: Mar 30 09:21:51.478: RADIUS: Tunnel-Server-Endpoi[67] 16 "x.x.x.39"
Mar 30 11:20:07 vpngw2 1261: Mar 30 09:21:51.478: RADIUS: Tunnel-Client-Endpoi[66] 16 "x.x.x.34"
Mar 30 11:20:07 vpngw2 1262: Mar 30 09:21:51.478: RADIUS: Tunnel-Assignment-Id[82] 6   "L2TP"
Mar 30 11:20:07 vpngw2 1263: Mar 30 09:21:51.478: RADIUS: Tunnel-Client-Auth-I[90] 5   "me1"
Mar 30 11:20:07 vpngw2 1264: Mar 30 09:21:51.478: RADIUS: Tunnel-Server-Auth-I[91] 8   "vpngw2"
Mar 30 11:20:07 vpngw2 1265: Mar 30 09:21:51.478: RADIUS: Framed-Protocol     [7]   6   PPP                       [1]
Mar 30 11:20:07 vpngw2 1266: Mar 30 09:21:51.478: RADIUS: Framed-IP-Address   [8]   6   192.168.252.9
Mar 30 11:20:07 vpngw2 1267: Mar 30 09:21:51.478: RADIUS: User-Name           [1]   5   "me1"
Mar 30 11:20:07 vpngw2 1268: Mar 30 09:21:51.478: RADIUS: Vendor, Cisco       [26] 35
Mar 30 11:20:07 vpngw2 1269: Mar 30 09:21:51.478: RADIUS:   Cisco AVpair       [1]   29 "connect-progress=LAN Ses Up"
Mar 30 11:20:07 vpngw2 1270: Mar 30 09:21:51.478: RADIUS: Acct-Authentic      [45] 6   RADIUS                    [1]
Mar 30 11:20:07 vpngw2 1271: Mar 30 09:21:51.482: RADIUS: Acct-Status-Type    [40] 6   Start                     [1]
Mar 30 11:20:07 vpngw2 1272: Mar 30 09:21:51.482: RADIUS: Connect-Info        [77] 11 "100000000"
Mar 30 11:20:07 vpngw2 1273: Mar 30 09:21:51.482: RADIUS: NAS-Port-Type       [61] 6   Sync                      [1]
Mar 30 11:20:07 vpngw2 1274: Mar 30 09:21:51.482: RADIUS: NAS-Port            [5]   6   10007
Mar 30 11:20:08 vpngw2 1275: Mar 30 09:21:51.482: RADIUS: NAS-Port-Id         [87] 15 "Uniq-Sess-ID7"
Mar 30 11:20:08 vpngw2 1276: Mar 30 09:21:51.482: RADIUS: Service-Type        [6]   6   Framed                    [2]
Mar 30 11:20:08 vpngw2 1277: Mar 30 09:21:51.482: RADIUS: NAS-IP-Address      [4]   6   10.28.1.97
Mar 30 11:20:08 vpngw2 1278: Mar 30 09:21:51.482: RADIUS: Acct-Delay-Time     [41] 6   0
Mar 30 11:20:08 vpngw2 1279: Mar 30 09:21:51.482: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:08 vpngw2 1280: Mar 30 09:21:51.482: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:08 vpngw2 1281: Mar 30 09:21:51.486: RADIUS: Received from id 1646/19 10.27.1.228:1813, Accounting-response, len 20
Mar 30 11:20:08 vpngw2 1282: Mar 30 09:21:51.486: RADIUS: authenticator 73 5E 95 46 5B 57 B1 4A - 44 4F 7C 71 F0 26 AA A4
Mar 30 11:20:12 vpngw2 1283: Mar 30 09:21:56.282: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:12 vpngw2 1284: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:12 vpngw2 1285: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:12 vpngw2 1286: Mar 30 09:21:56.282: RADIUS(00000015): sending
Mar 30 11:20:12 vpngw2 1287: Mar 30 09:21:56.282: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:12 vpngw2 1288: Mar 30 09:21:56.286: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/20, len 407
Mar 30 11:20:12 vpngw2 1289: Mar 30 09:21:56.286: RADIUS: authenticator 26 7A 27 91 EB 3F 34 C6 - DB 2D 88 F8 B1 A4 C1 12
Mar 30 11:20:12 vpngw2 1290: Mar 30 09:21:56.286: RADIUS: Acct-Session-Id     [44] 10 "00000011"
Mar 30 11:20:12 vpngw2 1291: Mar 30 09:21:56.286: RADIUS: Tunnel-Type         [64] 6   00:
Mar 30 11:20:12 vpngw2 1292: L2TP                   [3]
Mar 30 11:20:12 vpngw2 1293: Mar 30 09:21:56.286: RADIUS: Tunnel-Medium-Type [65] 6   00:IPv4                   [1]
Mar 30 11:20:12 vpngw2 1294: Mar 30 09:21:56.286: RADIUS: Tunnel-Server-Endpoi[67] 16 "x.x.x.39"
Mar 30 11:20:12 vpngw2 1295: Mar 30 09:21:56.286: RADIUS: Tunnel-Client-Endpoi[66] 16 "x.x.x.34"
Mar 30 11:20:12 vpngw2 1296: Mar 30 09:21:56.286: RADIUS: Tunnel-Assignment-Id[82] 6   "L2TP"
Mar 30 11:20:12 vpngw2 1297: Mar 30 09:21:56.286: RADIUS: Tunnel-Client-Auth-I[90] 5   "me1"
Mar 30 11:20:12 vpngw2 1298: Mar 30 09:21:56.286: RADIUS: Tunnel-Server-Auth-I[91] 8   "vpngw2"
Mar 30 11:20:12 vpngw2 1299: Mar 30 09:21:56.286: RADIUS: Framed-Protocol     [7]   6   PPP                       [1]
Mar 30 11:20:12 vpngw2 1300: Mar 30 09:21:56.286: RADIUS: Framed-IP-Address   [8]   6   192.168.252.9
Mar 30 11:20:12 vpngw2 1301: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco       [26] 59
Mar 30 11:20:12 vpngw2 1302: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   53 "ppp-disconnect-cause=Received LCP TERMREQ from peer"
Mar 30 11:20:12 vpngw2 1303: Mar 30 09:21:56.286: RADIUS: User-Name           [1]   5   "me1"
Mar 30 11:20:12 vpngw2 1304: Mar 30 09:21:56.286: RADIUS: Acct-Authentic      [45] 6   RADIUS                    [1]
Mar 30 11:20:12 vpngw2 1305: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco       [26] 35
Mar 30 11:20:12 vpngw2 1306: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   29 "connect-progress=LAN Ses Up"
Mar 30 11:20:12 vpngw2 1307: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco       [26] 30
Mar 30 11:20:12 vpngw2 1308: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24 "nas-tx-speed=100000000"
Mar 30 11:20:12 vpngw2 1309: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco       [26] 30
Mar 30 11:20:12 vpngw2 1310: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24 "nas-rx-speed=100000000"
Mar 30 11:20:12 vpngw2 1311: Mar 30 09:21:56.286: RADIUS: Acct-Session-Time   [46] 6   5
Mar 30 11:20:12 vpngw2 1312: Mar 30 09:21:56.286: RADIUS: Acct-Input-Octets   [42] 6   5980
Mar 30 11:20:12 vpngw2 1313: Mar 30 09:21:56.286: RADIUS: Acct-Output-Octets [43] 6   120
Mar 30 11:20:12 vpngw2 1314: Mar 30 09:21:56.286: RADIUS: Acct-Input-Packets [47] 6   47
Mar 30 11:20:12 vpngw2 1315: Mar 30 09:21:56.286: RADIUS: Acct-Output-Packets [48] 6   11
Mar 30 11:20:12 vpngw2 1316: Mar 30 09:21:56.286: RADIUS: Acct-Terminate-Cause[49] 6   user-request              [1]
Mar 30 11:20:12 vpngw2 1317: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco       [26] 39
Mar 30 11:20:12 vpngw2 1318: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   33 "disc-cause-ext=PPP Receive Term"
Mar 30 11:20:12 vpngw2 1319: Mar 30 09:21:56.286: RADIUS: Acct-Status-Type    [40] 6   Stop                      [2]
Mar 30 11:20:12 vpngw2 1320: Mar 30 09:21:56.286: RADIUS: Connect-Info        [77] 11 "100000000"
Mar 30 11:20:12 vpngw2 1321: Mar 30 09:21:56.286: RADIUS: NAS-Port-Type       [61] 6   Sync                      [1]
Mar 30 11:20:12 vpngw2 1322: Mar 30 09:21:56.286: RADIUS: NAS-Port            [5]   6   10007
Mar 30 11:20:12 vpngw2 1323: Mar 30 09:21:56.286: RADIUS: NAS-Port-Id         [87] 15 "Uniq-Sess-ID7"
Mar 30 11:20:12 vpngw2 1324: Mar 30 09:21:56.286: RADIUS: Service-Type        [6]   6   Framed                    [2]
Mar 30 11:20:12 vpngw2 1325: Mar 30 09:21:56.286: RADIUS: NAS-IP-Address      [4]   6   10.28.1.97
Mar 30 11:20:12 vpngw2 1326: Mar 30 09:21:56.286: RADIUS: Acct-Delay-Time     [41] 6   0
Mar 30 11:20:12 vpngw2 1327: Mar 30 09:21:56.286: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:12 vpngw2 1328: Mar 30 09:21:56.286: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:12 vpngw2 1329: Mar 30 09:21:56.294: RADIUS: Received from id 1646/20 10.27.1.228:1813, Accounting-response, len 20
Mar 30 11:20:12 vpngw2 1330: Mar 30 09:21:56.294: RADIUS: authenticator E1 09 A6 6D 91 C6 B1 B3 - 78 00 FF 4F 25 32 C6 B5
Mar 30 11:20:12 vpngw2 1331: Mar 30 09:21:56.406: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
Mar 30 11:20:12 vpngw2 1332: Mar 30 09:21:56.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
=============================================================

I found the failure.
In the cisco config it must be
aaa authorization network default group radius local
not
aaa authorization network groupauthor local

Vpn-framed-ip-address not working with anyconnect

Hi Folks, please help me to verify if this case is a bug or a "not valid scenario".
Scenario:
ASA 5520, OS 9.1, SSL VPN with Anyconnect v3.x, static ip address for the client, and RSA token authentication (all the users/pin/passwords are in the RSA server, not in the ASA, but i need to create some users in the ASA in order to apply the vpn-framed-ip-address attribute for specific users).
In fact the anyconnect ssl vpn with RSA auth works fine, the ssl connection works, the user is authenticated, the anyconnect works, traffic passing, BUT.. the anyconnect its getting an ip address from the ip local pool INSTEAD of the static ip defined with the vpn-framed-ip-address command.
I'm trying to assign a static ip address for a user (defined locally on the ASA) that performs auth via RSA (aaa-server), by using the vpn-framed-ip-address command as an attribute for this local user. But it seems the command is not working.
Already I´ve tried to resolve (with no success) by entering the
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local
Also i´ve tried by removing the pool from tunnel-group in order to force all the connection session to use the static ip address, but in this case, the anyconnect sends a message "No Address Available for SVC Connection". Meaning the ASA simply is ignoring the vpn-framed-ip-address command.
Its supposed the ASA implement the policies in this order, DAP > User policy > UserGrp policy > ConnProfile > DefGrpPolicy, and according to this, the vpn-framed-ip-address command should take effect first since its specified as User policy, overriding everything else. But its not working.
At this point i think the issue is... since the user is locally defined but its password its being authenticated via RSA (not local), the user attributes (static ip) are being ignored by the ASA because its not expecting to receive an ip address from the aaa server (RSA), so jumps to the next policies falling to the pool. Anyway the user policies attributes SHOULD work according to cisco.
Please your advise, or tell if its a bug? or a not valid scenario for this command to work with the ASA.
This is the current config:
ip local pool PoolSSL 192.168.229.10-192.168.229.19 mask 255.255.255.0
aaa-server RSA protocol sdi
aaa-server RSA (inside) host 192.168.12.1
retry-interval 5
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
group-policy GroupPolicyABC internal
group-policy GroupPolicyABC attributes
wins-server none
dns-server value 192.168.61.1 192.168.61.2
vpn-tunnel-protocol ssl-client
group-lock value TunnelGroupABC
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ServersDB
default-domain value my.domain.com
split-tunnel-all-dns disable
webvpn
anyconnect ask none default anyconnect
username USER1 password xHhacRZ56Uadqoq encrypted
username USER1 attributes
vpn-framed-ip-address 192.168.229.7 255.255.255.0
group-lock value TunnelGroupABC
tunnel-group TunnelGroupABC type remote-access
tunnel-group TunnelGroupABC general-attributes
address-pool PoolSSL
authentication-server-group RSA
default-group-policy GroupPolicyABC
tunnel-group TunnelGroupABC webvpn-attributes
group-alias AccessToDB enable
I´ll wait for your answers, regards!

https://tools.cisco.com/bugsearch/bug/CSCtf71671/
you need AAA assignment, or at least you needed to have it a couple of years back.

IP address in ISE live authentication after vlan change

Hi all,
on ISE live authentication dashboard we can see IP address of the client (known from FRAMED-IP-ADDRESS).
But what about vlan change and the situation when client gets new IP address after relocation to different vlan.
Live logs shows only the first IP address - client mapping (from the guest vlan), after authorization new vlan and dACL is assigned but logs don't include new IP address.
session ID is the same all the time.
so maybe ip helper or other trick?
regards

thx for reply.
I added "aaa accounting update newinfo" and I'll see tommorow how it works with anyconnect and 802.1x.
Meanwhile I think I must clarify what I meant
Not all logs have IP address present in live authentication (this is MAB for test only)
the situation with 802.1x and anyconnect is a bit better cause there are IP addresses but only from the first dhcp address assignment (authentication open with default ACL). Then if the policy changes vlan and the client gets new IP address from different scope we have wrong information in this log.
but getting back to our MAB...
details of this entry looks like:
so this is probably the reason that no IP address is visible it was too soon for MAB to get this info and send it as framed IP address (according to this config command "radius-server attribute 8 include-in-access-req")
nevertheless clicking the accounting details (from the 2nd screenshot)
we see that this information is present
so my first question is on which stage this column is fulfilled? only when "FRAMED-IP-ADDRESS" is send in radius-request? or from accounting?
maybe ISE should dynamically modify this record after each accounting newinfo message?
regards

AuthZ Policy "Monitor Only" mode

I have a question about the AuthZ Policy “Monitor Only” or "Audit" mode. I want to test a new AuthZ policy by using “Monitor Only” mode, but I am not seeing any indication that my Test device is hitting the rule while in Monitor only mode… It ends up hitting our last default rule which is currently permit any. If I actually enable the rule, I can see the device hitting the rule and getting denied in the Authentication log window.
So I know the rule works, but I want to only monitor the rule for now to see what would get denied, so that we can assess how we want to handle auth for said devices. According some info I found, I should be seeing an indication in the Auth log window that a rule was matched, if it is Monitor only mode.
I am currently running ISE 1.3.0.876.
Any help is appreciated

I have had the same experience. If you look at the AuthZ details for the connection, you will see under Other Attributes a special attribute returned named "RadiusAuthorizationPolicyMatchedMonitorRules," but as far as I know there is no way to run a report on it. Maybe someone else has a suggestion on it.
What I do as a workaround is create a rule matching the conditions and create a special Authorization Profile for the rule that just has ACCESS_ACCEPT (not to break any traffic), then run a RADIUS Authentication report matching that Authorization Profile.

ISE AuthZ for Wireless Phones MIC EAP-TLS

Hi all,
Trying to authorise 7925G phones using MIC and EAP-TLS. My problem is that I can't seem to get the username in the MIC to match against an Internal Identity group on ISE AuthZ policies. If I remove the endpoint ID group I am able to auth no worries. Everything looks great including the username been in a specific User ID group but I just cannot get it to match a policy with this group selected (both as the ID Group and as an "Internal User:Identity Group" condition).
Any ideas or is this just not possible?

Out of curiousity why would you suggest MAB in this instance? These devices have MIC certs and are pretty much EAP-TLS ready out of the box? My problem simply lies with the apparent inability of ISE to match the Subject CN againt an internal group.

ISE Authorization Policy

Hey guys,
I have a question regarding ISE Authorization Policy. In my test lab, I don't have any wired station, and what I have is a wireless lapotp. I have configured to allow only EAP-TLS authentication. Now, my problem is I keep getting "15039 Rejected per authorization profile."
Under the Policy > Authorization, I created a rule where I just want to allow on EAP-TLS either via machine or user identity, and the bottom is the default DenyAccess. When I tried to join the wireless network, I kept getting denied. I checked the ACL counters on the WLC side and it was not increasing.
I changed the default DenyAccess to PermitAccess, and I was able to join the wireless network no problem, and the ACL counters on the WLC side increased.
It seems like I am hitting the default Authorization Policy first which is on the bottom of the authorization policy.
I attached the failed and authenticated logs that I got from ISE.
Has anyone have encoutered this issue?
The version that I have is 1.1.1
Thanks
P.S.
I went back to check my autorization condition, and it is blank (See the 1st screenshot)

Hi,
it is obvious that you are not matching any condition.
rather than keeping the condition blank, fill it with a condition that is always match and try if that helps.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"

Problem to authenticate MAC address on ISE

Hi guys,
I have a Lab with a ISE ver 1.1.1 installed on VMWARE, a Switch 3750, a WLC 4200 and one AP registered on WLC, the WLC and AP are connected to Switch, we are testing the user authentication using a samsung tablet and it work ok. The authentication procces is using the actual AD. the issue is when I try to authenticate de device using their MAC address. I'm reading many pappers, but no one explain me the steps to do the both autentication: by user and by MAC address using the ISE.
can any one help me about the authenticacion MAC address process on ISE. the final deployment our client want to use user and device authentication.
Thank you for your attention on this matter.

Hi Tarik,
Thanks for your reply,
the port configuration of SW is it:
DEMOSW# sh run int Gi2/0/11
description Access Wireless LAN Controller
switchport trunk encapsulation dot1q
switchport mode trunk
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
spanning-tree portfast
DEMOSW# sh run int Gi2/0/12
description Access Point
switchport access vlan 103
spanning-tree portfast
Our goal is that the MAC address Tablets can be authenticated using the ISE Internal Enpoints Database.
I hope you may help me about it.
Thank you for your attention on this matter.
Regards.

Vpn-framed-ip-address issue

Hi Guys,
I'm using a cisco 5510 ASA at the headoffice to provide the VPN (remote access vpn) connectivity to the branch offices.
My local network is - 192.168.30.0 /24 and I've used a part of same segment for the vpn_pool as well ( i.e 192.168.30.152 -192.168.30.199). Further I'm using the vpn-framed-ip-address feature to allocate an unique ip address for each branch office when it connects.
My problem is, though this setup worked fine at the begining, now sometimes when the vpn connections are established from remote branches, they take different ip addresses from the allocated vpn pool, rather than the specific ip address which is mentioned under the vpn-framed-ip-address command.
Can anyone assist me with this issue?
Regards,
Suthakar

Hi Javier,
I think I have found out a solution for this problem.
I've removed the ip vpn pool and its reference under tunnel group general-attributes
ip local pool vpn_pool x.x.x.x - x.x.x.x
tunnel-group x.x.x.x general-attributes
address-pool vpn_pool
since there is no ip-pool, now the remote client's are getting the exact individual ip addresses allocated for them with the vpn-framed-ip-address command.
Thank you for your support.
Regards,
Suthakar

VPN pw mgmt plus framed IP address not working

I am trying to configure AAA for an SSL VPN (ASA, 8.x) to support both password management and a framed IP address. Authentication server is AD.
I can get the pw mgmt to work when using LDAP authentication against AD, and I can get the framed IP address to work with IAS (RADIUS on AD). But, I cannot get both to work at the same time with either method.
Any help appreciated.

The security appliance can use one or more of the following methods for assigning IP addresses to remote access clients. If you configure more than one address assignment method, the security appliance searches each of the options until it finds an IP address. By default, all methods are enabled. The following URL will help you
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/vpnadd.html
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/svc.html

Framed-IP-Address in Start Accounting message

We have a 5400 plataform configured with Radius Accounting and I am seeing that the attribute 8 (Framed-IP-Address) appears only in the Stop message.
The cuestions is...how i can to do that the attribute 8 will be included in the Start message too?
Regards
CONFIGURATION
ip radius source-interface GigabitEthernet0/0.63
aaa new-model
radius-server host 200.49.193.225 auth-port 1812 acct-port 1813
radius-server key cisco1
aaa group server radius RADIUS-VLZ1
server 200.49.193.225
aaa dnis map enable
aaa dnis map 1151307063 authentication ppp group RADIUS-VLZ1
aaa dnis map 1151307063 accounting network start-stop group RADIUS-VLZ1
aaa authentication login default group RADIUS-VLZ1 local
no aaa authentication ppp default local
aaa authentication ppp default if-needed radius
aaa authorization network radius
aaa accounting exec default start-stop group RADIUS-VLZ1
aaa accounting network default start-stop group RADIUS-VLZ1
radius-server attribute 8 inc
DEBUG RADIUS
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Tabla normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
*Jul 15 16:56:32.856: RADIUS: Acct-Session-Id     [44] 10 "00000192"
*Jul 15 16:56:32.856: RADIUS: User-Name           [1]   9   "italtel"
*Jul 15 16:56:32.856: RADIUS: Acct-Authentic      [45] 6   RADIUS
        [1]
*Jul 15 16:56:32.856: RADIUS: Acct-Status-Type    [40] 6   Start
        [1]
*Jul 15 16:56:32.856: RADIUS: Calling-Station-Id [31] 12 "1147876876"
*Jul 15 16:56:32.856: RADIUS: Called-Station-Id   [30] 14 "541151307063"
*Jul 15 16:56:32.856: RADIUS: NAS-Port            [5]   6   544
*Jul 15 16:56:32.856: RADIUS: NAS-Port-Id         [87] 9   "tty4/04"
*Jul 15 16:56:32.856: RADIUS: NAS-Port-Type       [61] 6   Async
        [0]
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Tabla normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
*Jul 15 16:55:23.508: RADIUS: Framed-IP-Address   [8]   6   10.82.94.11
*Jul 15 16:55:23.508: RADIUS: User-Name           [1]   6   "pepe"
*Jul 15 16:55:23.508: RADIUS: Acct-Authentic      [45] 6   RADIUS
        [1]
*Jul 15 16:55:23.508: RADIUS: Acct-Session-Time   [46] 6   15
*Jul 15 16:55:23.508: RADIUS: Acct-Input-Octets   [42] 6   3613
*Jul 15 16:55:23.508: RADIUS: Acct-Output-Octets [43] 6   118
*Jul 15 16:55:23.508: RADIUS: Acct-Input-Packets [47] 6   55
*Jul 15 16:55:23.508: RADIUS: Acct-Output-Packets [48] 6   7
*Jul 15 16:55:23.508: RADIUS: Acct-Terminate-Cause[49] 6   user-request
        [1]
*Jul 15 16:55:23.508: RADIUS: Acct-Status-Type    [40] 6   Stop

Hi ,
Try using:
aaa accounting delay-start
Regards,
~JG
Do rate helpful posts

Using Framed IP Address in ISE AuthZ policy

Similar Messages

Maybe you are looking for