VPN client and Cisco ACS

Similar Messages

• Mavericks VPN dropouts with native VPN client and Cisco IPSec

  Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
  I am connecting via a WIFI router to a remote VPN server
  The conenction is good for a while but eventually it drops out.
  I had Zero issues in mountain lion and only have issues since the update to 10.9
  I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
  My thoughts are:
  1 -issue with mavericks  ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
  2- Issue with  cisco router compaitibility or timing with Cisco IPSEC
  3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
  Any thousuggestions?

  Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
  I am connecting via a WIFI router to a remote VPN server
  The conenction is good for a while but eventually it drops out.
  I had Zero issues in mountain lion and only have issues since the update to 10.9
  I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
  My thoughts are:
  1 -issue with mavericks  ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
  2- Issue with  cisco router compaitibility or timing with Cisco IPSEC
  3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
  Any thousuggestions?

• Cisco ASA 5505, Cisco VPN Client and Novell Netware

  Hi,
  Our ISP have installed Cisco ASA 5505 firewall. We are trying to connect to our Novell 5.1 server using VPN client.
  I installed VPN client on a laptop that is using wireless connection. I connect using wireless signal from near by hotel and I am able to connect to my firewall usinging vpn client and also able to login in using Novell client for XP.
  When I use same vpn client and Novell client at home that is not using wireless connection, but DSL connection amd not able to login or find the tree.
  The only difference in two machine is laptop using wireless connection and my home machine is using wired connection using DSL.

  If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.

• Boot camp with Cisco VPN client and smart card

  Looking at a Macbook or Macbook Air and the only reason I need to run windows is to be able to access my work network through the Cisco VPN client and my Smartcard then use remote desktop. From my understanding if I run Bootcamp it should work am I correct? Im going to an Apple store tomorrow hopefully they can help too.
  Thanks

  mrbacklash wrote:
  Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
  I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
  Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
  Message was edited by: BobTheFisherman

• Problem with Cisco VPN client and HP elitebook 2530p windows 7 64-bit

  Hi there
  I have a HP Elitebook 2530p which i upgraded to windows 7 64-bit. I installed the Cisco VPN client application (ver. 5.0.07.0290 and also 64-bit) and the HP connection manager to connect to the internet through a modem Qualcomm gobi 1000 (that is inside the laptop). When I connect to the VPN, it connects (I write the username and password) but there is no traffic inside de virtual adapter for my servers. When I connect to the internet through wire or wireless internet, I connect de VPN client and there is no problem to establish communication to my servers.
  I tried everything, also change the driver and an earlier version of the HP connection manager application. I also talked to HP and they told me that there was a report with this kind of problem and it was delivered to Cisco. I don’t know where is the problem.
  Could anyone help me?
  Thanks to all.

  You can try to update Deterministic Network Enhancer to the below listed release which supports
  WWAN Drivers.
  http://www.citrix.com/lang/English/lp/lp_1680845.asp.
  DNE now supports WWAN devices in Win7.  Before downloading the latest version of DNEUpdate from the links below,  be sure you have the latest
  drivers for your network adapters by downloading them from the vendors’ websites.
  For 64-bit: ftp://files.citrix.com/dneupdate64.msi
  Hope that helps.

• How to configure full tunnel with VPN client and router?

  I know the concept of split tunnel....Is it possibe to configure vpn client and router full tunnel or instead of router ASA? I know filter options in concentrators is teher options in ISR routers or ASA?

  I think it is possible. Following links may help you
  http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

• RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities

  For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode? 
  This is mostly a question, and partly "in use" observations.
  Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel"  mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never with in that mode, do we know if an RV220W will with an IPSec client in Full Tunnel Mode? 
  If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
  Summary of VPN modes I've gotten to work with an RV220W:
  Client
  Split Tunnel Works?
  Full Tunnel Works?
  OS?
  Notes
  SSL VPN
  Yes
  Yes
  Win7/64
  IE10 or IE11
  QuickVPN
  Yes
  No
  Win7/64
  IPSec VPN
  Yes
  No
  Win7/64
  Shrew Soft VPN Client

  I have to mark this as not a correct answer.
  Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
  To Michal Bruncko who posted this:
  1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
  2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way?

• VPN client to CISCO 857

  Hello,
  I would like to know if CISCO 857 allows remote software Cisco VPN clients aside from site to site VPN. I heard that all VPN cisco cable devices allow cisco VPN client software connections, is that true?
  Thanks a lot for your help
  Juan Manuel

  Juan,
  Allow me to explain a bit further to clarify some of the terminologies used which might cause confusion.
  Cisco VPN router can terminate the following types of tunnels.
  a. Lan to Lan tunnels
  b. Dynamic Lan to Lan tunnels
  c. VPN clients terminations
  d. Easy VPN clients terminations
  a & b, are very similar
  c & d, are very similar
  except - option c uses the VPN clients (software) installed on the PC or a MAC systems
  Option d, uses hardware to connect to the IOS routers. You can use a Cisco Router or a PIX firewall or a 3002 or ASA to connect to the Cisco router which would be acting as an IOS Easy VPN server. And the device connecting to the Easy VPN server is called as a Easy VPN client.
  Hope this explains the terminologies a bit more in detail.
  To answer your question, Security Feature does allow support for Easy VPN client and server.
  And what you are trying to accomplish is option c. So, the security feature option should work out well for you.
  Hope this explains your queries.
  Rate this post, if it helps!!
  Thanks
  Gilbert

• Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

  does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
  ciscoISE/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  ciscoISE/admin(config)# snmp-server
  Ciscoacs/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  Ciscoacs/admin(config)# snmp-server

  No support SNMP v3 on ISE v1.2 and 1.3 except for profilling
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
   http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

• RSA SecurID and Cisco ACS integration for user(s) with enable mode

  I thought I had this problem figured out but I guess not.
  I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
  router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
  I use tacacs+ authentication for logging into the Cisco router
  such as telnet and ssh. In the ACS I use "external user databases"
  for authentication which proxy the request from the ACS over
  to the RSA SecurID Server. I installed RSA Agents with
  sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
  to be "RSA_SecurID" group. In the "External user databases" and
  "database configurations" I assign SecurID to this "RSA_SecurID"
  group.
  Everything is working fine. In the "User Setup" I can see dynamic
  user test1, test2,...testn listed in there as "dynamic users". In
  other words, I can telnet into the router with my two-factor
  SecurID.
  The problem is that if test1 wants to go into "enable" mode with
  SecurID login, I have to go into "test1" user setting and select
  "TACACS+Enable Password" and choose "Use external database password".
  After that, test1 can go into enable mode with his/her SecurID
  credential.
  Well, this works fine if I have a few users. The problem is that
  I have about 100 users that I need to do this. The solution is
  clearly not scalable. Is there a setting from group level that
  I can do this?
  Any ACS "experts" want to help me out here? Thanks.

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• Juniper SSG and Cisco ACS v5.x Configuration

  I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma.  I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
  Configure the Juniper (CLI)
    1. Add the Cisco ACS and TACACS+ configuration
       set auth-server CiscoACSv5 id 1
       set auth-server CiscoACSv5 server-name 192.168.1.100
       set auth-server CiscoACSv5 account-type admin
       set auth-server CiscoACSv5 type tacacs
       set auth-server CiscoACSv5 tacacs secret CiscoACSv5
       set auth-server CiscoACSv5 tacacs port 49
       set admin auth server CiscoACSv5
       set admin auth remote primary
       set admin auth remote root
       set admin privilege get-external
  Configure the Cisco ACS v5.x (GUI)
    1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
          Create the Juniper Shell Profile.
          Click the [Create] button at the bottom of the page
                  Select the General tab
                          Name:    Juniper
                          Description:  Custom Attributes for Juniper SSG320M
                  Select the Custom Attributes tab
                      Add the vsys attribute:
                          Attribute:                vsys
                          Requirement:       Manadatory
                          Value:                    root
                          Click the [Add^] button above the Attribute field
                      Add the privilege attribute:
                          Attribute:                privilege
                          Requirement:       Manadatory
                          Value:                    root
                                  Note: you can also use 'read-write' but then local admin doesn't work correctly
                          Click the [Add^] button above the Attribute field
                  Click the [Submit] button at the bottom of the page
  2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
          Create the Juniper Authorization Policy and filter by Device IP Address.
          Click the [Customize] button at the bottom Right of the page
                  Under Customize Conditions, select Device IP Address from the left window
                          Click the [>] button to add it
                  Click the [OK] button to close the window
                  Click the [Create] button at the bottom of the page to create a new rule
                          Under General, name the new rule Juniper, and ensure it is Enabled
                          Under Conditions, check the box next to Device IP Address
                                  Enter the ip address of the Juniper (192.168.1.100)
                          Under Results, click the [Select] button next to the Shell Profile field
                                  Select 'Juniper' and click the [OK] button
                          Under Results, click the [Select] button below the Command Sets (if used) field
                                  Select 'Permit All' and ensure all other boxes are UNCHECKED
                          Click the [OK] button to close the window
                  Click the [OK] button at the bottom of the page to close the window
                  Check the box next to the Juniper policy, then move the policy to the top of the list
                  Click the [Save Changes] button at the bottom of the page
  3.  Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.

  Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list and I would doubt that it would be as LMS's functions are mostly not applicable to the appliance or software running on it.
  You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server.

• Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

  This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores, none seems working

  Hi Tony,
  to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
  CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
  You may want to try and ask in the AAA forum if there is anything you can do on ACS...
  hth
  Herbert

• Inbuilt cisco IPSEC vpn client and KeyLife Timeout setting...

  Hi Guys
  I am having issues with the in built cisco vpn client on the mac, I am currrently using Mac OSx 10.7.4
  I have a Fortigate 200B device and have setup the IPSec VPN settings to have a keylife of 86400 seconds.
  However the expereince I am having with the mac clients is that after about 50 minutes the users are being asked to re-authencate to the VPN...
  When checkin the debug logs I can see that the peer (mac client) is setting the phase 2 tunnel key lifetime to 3600 seconds which is 1 Hour...
  Usually in IPSec a re-negeotiation process takes place about 10 minutes or so before the key expires..
  My question is where are the VPN settings kept in the Mac... I know it uses Racoon for the IPSec exchange of key and so I would like to tweak the VPN profiles so that the mac sets the lifetime of the key to 86400 instead of 3600 by default...
  Also want to be able to set logging to debug mode for the Racoon application on mac clients.
  Your help is much appreciated
  Kind Regards
  Mohamed

  Hi Tony,
  to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
  CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
  You may want to try and ask in the AAA forum if there is anything you can do on ACS...
  hth
  Herbert

• I cannot route to remote subnets from cisco vpn client and pptp client

  Hi guys,
  I've a big problem, I configured a 877 cisco router as a cisco vpn server (the customer use it to connect to his network from pc) and a pptp vpn server (he use it to connet to the network from a smartphone).
  In this router I created 2 vlan, one for wired network (192.168.10.0/24) and the second one (10.0.0.0/24) for wireless clients and I use fastethernet 3 port to connect these to the router.
  this is the issue, when the customer try to connect to a wireless network from both of vpn clients he cannot do this, but if he try to connect to a wired network client all working fine.
  following the addresses taken from the router.
  - encrypted vpn client -
  ip address. 192.168.10.20
  netmask 255.255.255.0
  Default Gateway. none (blank)
  - pptp vpn client -
  ip address. 192.168.10.21
  netmask. 255.255.255.255
  Default Gateway. 192.168.10.21
  Is possible that I cannot reach the remote subnet because the clients doesn't receive a gateway (in the first case) or receive the wrong subnet/gateway (in the second one)..?
  There is anyone can help me..?
  Thank you very much.
  Many Kisses and Kindly Regards..
  Ilaria

  The default gateway on your PC is not the problem, it will always show as the same IP address (this is no different when you dial up to an ISP, your DG will again be set to your negotiated IP address).
  The issue will be routing within the campus network and more importantly on the PIX itself. The campus network needs a route to the VPN pool of addresses that eventually points back to the PIX.
  The issue here is that the PIX will have a default gateway pointing back out towards your laptop. When you establish a VPN and try and go to an Internet address, the PIX is going to route this packet according to its routing table and send it back out the interface it came in on. The PIX won't do this, and the packet will be dropped. Unless you can set the PIX's routing table to forward Internet packets to the campus network, there's no way around this. Of course if you do that then you'll break connectivity thru the PIX for all the internal users.
  The only way to do this is to configure split tunnelling on the PIX, so that packets destined for the Internet are sent directly from your laptop in the clear just like normal, and any packet destined for the campus network is encrypted and sent over the tunnel.
  Here's the format of the command:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/tz.htm#1048524

• Cisco ASA 8.3(1) with VPN Client and IP Communicator - one way communication

  Hi Community.
  I have a strange problem with my setup and I'm pretty sure it's either some type of routing (or NAT) or just a missing rule allowing the traffic. But I'm now at a point where I'd like to request your help.
  I have some remote access users who have the Cisco IP Communicator (CIPC) installed on their notebooks. So:
  VPN user with CIPC <> ASA Firewall <> Voice Router <> CCM <> IP Phone
  The VPN works fine for any other traffic. Also the basic connection for the IP Communicator works fine. It get's connected to the CallManager, is shown as registered and you even can call an internal phone and also external phones. BUT: while you can hear the called party (so the internal phone) it doesn't work for the other way. There is no sound coming from the remote/caller.
  I already figured out that it's also not possible to ping from the VPN phone to the internal IP Phone subnet. While the VPN user can ping any other device in the internal network, he can't do it to the Cisco IP Phones. But if the VPN phone calls a none-internal phone (mobiles...) - it works!
  My thought is that the call can't be build up correctly between the VPN phone and the internal phone.
  I found similiar situations with google but they are all for the other way around: call to internal works, but not to VPN.
  What do you think?

  Hi,
  Typically ASA lists specific networks to the VPN Client when Split Tunnel is used.
  This would mean that there is a Split Tunnel ACL used in the ASA configurations for this VPN connection which needs to have the missing network added for the traffic to be tunneled to the VPN connection.
  - Jouni