Data capture ASA VPN
Hello
We have an ASA 5585 on the network and it is configured for remote access VPN with RSA.
When a VPN user connects to the VPN, they are prompted for a PIN followed by their SecurID token code.
We want to simplify our VPN configuration from a support and management perspective; users use hard tokens. Currently, many lose their tokens or have connection problems, so I would like to know what simple VPN solution we could put in place.
Also, is it possible on the ASA to check the VPN traffic to determine what users are using the VPN for? The purpose is that if they only use it for email, we can advise them to use webmail instead and disable their VPN access.
With respect to the VPN, I see only two options: you either get rid of the tokens to make life easier, or you keep them and put up with it.
-
Hello people!
I still have the problem with VPN... Laughing out loud
I have to create a new site-to-site VPN between an ASA 5510 (8.42 IOS) and a Fortigate, but something is very strange: the VPN doesn't come up, and in debug crypto ikev1 10 I see the following log:
[IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
But if I ask the other peer to change to Group 2, the message on the ASA is:
[IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
On the Fortigate it is possible to enable both groups 1 and 2 for the VPN, so I asked the other peer to leave it this way, and the ASA shows:
[IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
[IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
The show isakmp sa:
9 IKE Peer: 179.124.32.181
Type: user Role: responder
Rekey: no State: MM_WAIT_MSG3
I have deleted and recreated the VPN 3 times and the same error occurs.
Has anyone seen this kind of problem?
Is it using Fortigate version 5 by chance?
I have seen Cisco ASA VPN problems repeatedly with this Fortigate code, but mostly it has been a Phase 2 problem, and setting the KB lifetime to the maximum on the ASA side has solved it... However, this does not seem to be your problem here.
The first thing I see in your config is that you have PFS enabled - have you ensured it is enabled on the Fortinet side, or tried turning it off on the Cisco side to see if it comes up?
Being stuck at MM_WAIT_MSG3 means that you sent your policy back, but then you did not receive the third packet in the ISAKMP exchange, so either the Fortigate is unhappy with something or there's a routing problem (however unlikely, given that you have already had communication).
Try on the ASA side:
debug crypto isakmp 7
Can you also confirm your external interface is 'outside1'? You can see this with "show ip".
-
ASA VPN - allow user based on LDAP Group
Hello friends
I have to create a configuration to allow connection based on LDAP group.
I'm not specialized in firewalls, and I tried to follow the links below, but both seem old; several commands are not available.
http://www.tunnelsup.com/Cisco-ASA-VPN-authorize-user-based-on-LDAP-group
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Does anyone know how I can do this?
Thank you
Marcio
I like to use DAP (Dynamic Access Policies) to control this. Follow this guide:
https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide
-
Assign static IP addresses by ISE to ASA VPN clients
We will integrate the ASA remote access VPN service with a new ISE 1.2.
Authentication is performed in Active Directory. After authentication, can an IP address be assigned to a specific VPN user by ISE?
This means that the same VPN user will always get the same IP address. Thank you.
Daniel,
You can override the IETF-RADIUS-Framed-IP-Address in the authorization policy.
However, if I may make a suggestion:
Unless you have only a handful of users to do this for, it may be appropriate to assign the address from an ISE pool or perform the mapping of LDAP attributes on the ASA itself.
In the latter case, the IP addresses are kept on the server as LDAP attributes and the ASA will map the IP address. You don't want to keep an IP address DB in several places.
M.
-
ASA VPN device behind another firewall
I have a client who wants to put their VPN ASA behind the main ASA connected to the Internet. Both devices have an inside leg to the internal network, but the VPN ASA connects directly to the Internet ASA.
Topology:
Outside FW: Internet transfer Procedure > ASA/FW > DMZ leg to ASA/VPN
ASA VPN: Outside interface is an L3 link to the DMZ interface of the ASA/FW
On the outside FW I NAT the outside address of the VPN ASA to an available public IP address, and I have a rule that allows all IP from outside to the outside private IP of the VPN ASA. Inside = 192.168.254.1, outside = public IP address.
Standard ASA SSL remote access is configured on the VPN ASA.
When I hit the NAT public IP address, nothing happens. I've run packet-tracer on the outside FW, and everything seems good.
Does someone have a sample design/config for a similar topology? Internet > ASA/FW > dmz-leg > ASA/VPN
Thanks in advance,
Bob
Can you share your NAT and routing configuration of these two ASAs?
-
ASDM conc (ASA) VPN access
I have a scenario like this:
An ASA, which is the FW, TR, is doing static NAT from the public to the private IP address, and the private IP address is the address of the VPN conc (another ASA). I am accessing these devices via the VPN client, and I get an IP address from the VPN pool set on the VPN conc. The VPN conc is in a DMZ VLAN, but it also has a connection to the local network segment. For mgmt purposes, I connect to the VPN conc through SSH via a switch in the local network segment. To use http access, I have to be on one of the servers that are in the local network segment. So, when I set up the VPN connection, I'm on the VPN conc; what can I do to access http directly from my PC?
Set this on the VPN conc:
management-access inside
After that you should be able to use ASDM over the VPN tunnel, by connecting to its inside IP address.
hth
Herbert
(note, I assume the interface connected to the LAN is named "inside"; if not, adapt at will)
-
ASA VPN Plus = SSL VPN?
Hello
I have an FO pair, and I need to replace an ASA5520 which has a VPN Plus 750 license.
Can I use an ASA5520 with ASA5500-SSL-750 instead?
Regards Tony
Yes, it is still available to order. Part number: ASA5520-VPN-PL=
In addition, this ASA VPN Plus would be much, much cheaper than the SSL VPN license.
Thank you
Kiran
-
So, I am looking to add one of my spare 5510 firewalls to my secondary network as a VPN connection.
All I want this new ASA to do is handle my site's AnyConnect VPN connections. I'm pretty new to ASAs, so any help would be great. I know how to create a new remote access VPN on my ASA, and I added a NAT for my inside and outside traffic to my new VPN IP pool.
My question is, since it's only for the VPN and I want all my current internal traffic to continue routing through the existing ASA 5510, do I have to enter ACLs on my new VPN-only ASA? Are ACLs used for VPN traffic, and do I need them to route traffic via the VPN?
On the new VPN-only ASA, I'll connect the inside interface to one of my main Cisco switches and the outside interface to my DMZ switch.
Thank you
I'm not sure I follow how you connect the outside interface of the VPN-only ASA. Normally, in this type of setup, we would see the VPN ASA "in parallel" with the perimeter firewall.
You mention the DMZ switch, which threw me a little. If you are coming in through your main firewall and going to the VPN-only ASA via the DMZ, then yes, you will need to allow several ports (protocol 50, udp/500, tcp/443 among others) and may have to use some other techniques (NAT-T, etc.) depending on the type of remote access you are implementing. That's why we rarely see this configuration used - it adds a good dose of complexity without significant benefit.
When the former setup is used, you need your internal switch to know to route traffic for the VPN pool through the VPN-only ASA's inside interface. A static route is most often used, although you can use OSPF or EIGRP if you want to.
There should generally not need to be any access list, as VPN traffic bypasses the incoming interface access lists. Return traffic to remote clients comes from the inside and goes out (and is usually part of an established connection), so no access list is necessary on the inside.
-
ASA VPN on physical IP address only?
Hello
Is it possible to set up a virtual IP address dedicated to endpoint on ASA VPN version 8.3 and later?
I don't want to use the physical IP address on my external interface.
Thank you
No problem. Please kindly mark this post as answered so that others may learn from your post. Thank you.
-
ASA Vpn load balancing and failover
Hi all.
We have two ASA5520s configured as primary and standby units in a failover configuration, and everything works fine.
Is it possible with this configuration (failover) to configure VPN load balancing/clustering?
Thank you
Daniele
Hi Daniele,
You cannot run both of them on two ASA firewalls; it is either the VPN load balancing feature or the failover feature.
Where you need to use both features, you must use more than three ASA firewalls: the first two ASAs will work as the failover pair and the third ASA will work as the VPN cluster for them. The following example uses four firewalls:
ASA1 (FO Active) - ASA2 (FO Standby)
(VPN virtual master)
|
|
|
|
(Backup VPN device)
ASA3 (FO Active) - ASA4 (FO Standby)
Kind regards
Wajih
-
How will GoldenGate use Change Data Capture (CDC) in SQL Server 2008 R2?
How will GoldenGate use Change Data Capture (CDC) in SQL Server 2008 R2? How much space will it occupy for each table, when does it erase the data, and what will be the retention period for the CDC tables?
So, here's what happens next. Normally, when a tranlog backup occurs, SQL Server may decide to release the tranlog space after the log backup, for transactions that have been committed and backed up.
When you enable any form of replication, like with OGG and enabling TRANDATA, you need to eat this truncation periodically. So with your configuration, even if the log backup occurs over 15 minutes, data in the log is not allowed to be released after the log backup until the log backup that occurs after the 4th consecutive time of work.
It is fine if you are not concerned about the lack of free log space in 4 hours. Just something to keep in mind.
-
Additional data capture using Mview log
I want to create an Mview log on my source table for change data capture. Every day I use the data in the Mlog to update/insert into the target table. After that I truncate the mlog.
I am facing two problems:
(1) When updating the source table, I get the value 'U' in the column OLD_NEW$$. How do I know whether it is old or new? I just want 'O' or 'N' so that I can identify which of the values is the new value.
(2) Suppose a record is updated several times in the source table, or a record is inserted and then deleted; in this case it is not possible to simply use OLD_NEW$$ = 'N' to fetch the differentials. In this case, how can I identify new records?
CREATE TABLE src_t (key NUMBER, val VARCHAR2(1), CONSTRAINT t_pk PRIMARY KEY (key));
CREATE MATERIALIZED VIEW LOG ON src_t WITH SEQUENCE (val), PRIMARY KEY INCLUDING NEW VALUES;
The problem you have is that you do not use the published procedures.
A fast refresh uses the journal of
A full refresh truncates the log.
That said, what you do is
- Buying a car
- Removing the motor
- Using it as a bike
You shouldn't mess with internal logs. It will create havoc. Mark my words. You have been warned.
---------
Sybrand Bakker
Senior Oracle DBA
-
Change Data Capture option in v$option
Hello
When I run the following query:
select parameter, value from v$option
I noticed that Change Data Capture is FALSE, which means that I can't use change data capture.
I want to let you know that we use Oracle 10g R2 Standard Edition.
Best regards
That is right.
Re: A FEW streams available in the Standard edition features?
-
Hi -
We have a tunnel/VPN configured between an ASA 5505 - ver = 8.4(7) and a 5512 - ver = 9.2(3).
We can only ping in one direction - 5505 to the 5512, but not vice versa (5512 to 5505).
Networks:
Local: 192.168.1.0 (responder)
Remote: 192.168.54.0 (initiator)
See details below on our config:
sh run crypto map
crypto map outside_map 2 match address outside_cryptomap_ibfw
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer XX.XX.XXX.XXX
crypto map outside_map 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 2 set ikev2 ipsec-proposal AES256
crypto map outside_map interface outside
Note:
Getting hit counts below on rules/ACL...
sh access-list | i 54.0
access-list outside_access_out line 6 extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt=15931) 0x01aecbcc
access-list outside_cryptomap_ibfw line 1 extended permit ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt=3) 0xa75f0671
access-list outside_cryptomap_ibfw line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt=3) 0xa75f0671
sh run | i access-group
Access-group outside_access_out outside interface
NOTE:
We have another working VPN tunnel on the 5512 - we use IKE peer #2 below (in BOLD)...
sh cry ikev1 sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: XX.XX.XXX.XXX
Type: L2L Role: responder
Rekey: no State: MM_ACTIVE
2 IKE Peer: XXX.XXX.XXX.XXX
Type: L2L Role: responder
Rekey: no State: MM_ACTIVE
sh run tunnel-group XX.XX.XXX.XXX
tunnel-group XX.XX.XXX.XXX type ipsec-l2l
tunnel-group XX.XX.XXX.XXX general-attributes
default-group-policy GroupPolicy_XX.XXX.XXX.XXX
tunnel-group XX.XX.XXX.XXX ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
sh run | i ikev1 policy
crypto ikev1 policy 160
authentication pre-share
encryption aes-256
group 5
lifetime 86400
sh run | i dynamic
nat (inside,outside) source dynamic obj-0.0.0.0 interface
nat (inside,outside) after-auto source dynamic any interface
NOTE:
From the 5512 to the 5505 - we can ping a host on the remote network from the local ASA
# ping inside 192.168.54.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.54.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/32/40 ms
Determination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?
The IPsec tunnel check - seems OK?
sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX
access-list outside_cryptomap_ibfw extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.54.0/255.255.255.0/0/0)
current_peer: XX.XX.XXX.XXX
#pkts encaps: 4609, #pkts encrypt: 4609, #pkts digest: 4609
#pkts decaps: 3851, #pkts decrypt: 3851, #pkts verify: 3851
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4609, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: XX.XXX.XXX.XXX/0, remote crypto endpt.: XX.XX.XXX.XXX/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CDC99C9F
current inbound spi: 06821CBB
inbound esp sas:
spi: 0x06821CBB (109190331)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 339968, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914789/25743)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCDC99C9F (3452542111)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 339968, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3913553/25743)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
--> The local ASA 5512 - where we have issues - tried Packet Tracer... seems we receive requests/replies...
sh cap CAP
34 packets captured
1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply
--> On the remote ASA 5505 - we can ping through the 5512 to the local host (192.168.1.79)
sh cap A2
42 packets captured
1: 16:56:16.136559 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
2: 16:56:16.168860 802.1Q vlan#1 P0 192.168.1.79 > 192.168.54.20: icmp: echo reply
3: 16:56:17.140434 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
4: 16:56:17.171652 802.1Q vlan#1 P0 192.168.1.79 > 192.168.54.20: icmp: echo reply
5: 16:56:18.154426 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
6: 16:56:18.186178 802.1Q vlan#1 P0 192.168.1.79 > 192.168.54.20: icmp: echo reply
7: 16:56:19.168417 802.1Q vlan#1 P0 192.168.54.20 > 192.168.1.79: icmp: echo request
--> Packet trace on the 5512 shows no problem... but we cannot ping from host to host?
packet-tracer input inside icmp 192.168.1.79 8 0 192.168.54.20 detailed
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2d0ba90, priority=7, domain=conn-set, deny=false
hits=4417526, user_data=0x7fffa2d09040, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic obj-0.0.0.0 interface
Additional Information:
Dynamic translate 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
Forward Flow based lookup yields rule:
in id=0x7fffa222d130, priority=6, domain=nat, deny=false
hits=4341877, user_data=0x7fffa222b970, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
...
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7422689, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
--> On the remote ASA 5505 - packet trace is good and we can ping the remote host very well... dunno why it does "UN-NAT"?
Destination - initiator:
packet-tracer input inside icmp 192.168.54.20 8 0 192.168.1.79 detailed
...
Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.79/0 to 192.168.1.79/0
...
Summary:
We "cannot" ping from a host (192.168.1.79) on the 5512 inside network to the 5505 inside network host (192.168.54.20).
But we can ping from the 5505 inside network host (192.168.54.20) to the 5512 inside network host (192.168.1.79).
Please let us know what other details we can provide to help solve this; thanks in advance for any help.
-SP
Well, I think it is a NAT ordering issue.
Basically your static NAT and this NAT rule -
nat (inside,outside) source dynamic obj-0.0.0.0 interface
are both in section 1, and in that section it is done on the order of the rules, so it matches the dynamic NAT rule rather than the static because that seems to be higher in the order.
To check, just run a "sh nat" and this will show you what order everything is in.
The ASA works its way through the sections.
You also have this -
nat (inside,outside) after-auto source dynamic any interface
which does the same thing as the first statement, but as it is in section 3 it is never used.
So you can do one of two things -
(1) configure the static NAT statement so it is above the dynamic NAT in section 1, i.e. you can specify the line in the command
or
(2) remove the dynamic NAT from section 1, and then your ASA will use the entry in section 3.
There is a very good document on this site about NAT, and it recommends using section 3 for your general-purpose dynamic NAT precisely because of these issues.
Interestingly, on your ASA 5505 you duplicated your dynamic NAT statements again, but this time in section 2 and section 3, which is why your static NAT works, because it is matched before all your dynamic rules.
The only thing I'm not sure of is, if you remove the dynamic NAT statement in section 1 and rely on the statement in section 3, whether it tears down the current connections (sorry, can't remember).
So you could simply try rearranging so your static NAT is above it, just to see if it works.
Just in case you want to see the document, here is the link -
Jon
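Added example, not part of the posts above and not Cisco code: a simplified Python model of the first-match NAT ordering described in the reply, showing why the packet-tracer Phase 5 translation keeps the ping out of the tunnel. Assumptions: the 5512 has an identity NAT rule mirroring the one shown for the 5505, obj-0.0.0.0 covers any source, and the PAT address 203.0.113.10 is constructed.

```python
"""Simplified model of ASA 8.3+ NAT rule evaluation (illustrative only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PAT_ADDR = "203.0.113.10"  # constructed outside-interface address


@dataclass
class NatRule:
    section: int                   # 1 = manual NAT, 2 = auto NAT, 3 = after-auto
    name: str                      # hypothetical label, not an ASA identifier
    src: str                       # real source network
    dst: str                       # destination network the rule applies to
    translated_src: Optional[str]  # None = identity NAT (source unchanged)


def evaluate(rules, src, dst):
    """Return (rule name, post-NAT source) for the first matching rule."""
    # sorted() is stable: within a section, configured order is preserved.
    for rule in sorted(rules, key=lambda r: r.section):
        if (ip_address(src) in ip_network(rule.src)
                and ip_address(dst) in ip_network(rule.dst)):
            return rule.name, rule.translated_src or src
    return None, src


def matches_crypto_acl(src, dst,
                       local="192.168.1.0/24", remote="192.168.54.0/24"):
    """Crypto ACL from the thread, checked against post-NAT addresses."""
    return (ip_address(src) in ip_network(local)
            and ip_address(dst) in ip_network(remote))


def tunnel_decision(rules, src, dst):
    """Return (matched rule, post-NAT source, is the packet encrypted?)."""
    name, nat_src = evaluate(rules, src, dst)
    return name, nat_src, matches_crypto_acl(nat_src, dst)


DYNAMIC_S1 = NatRule(1, "dynamic-pat-section1", "0.0.0.0/0", "0.0.0.0/0", PAT_ADDR)
IDENTITY_S1 = NatRule(1, "vpn-identity-nat", "192.168.1.0/24", "192.168.54.0/24", None)
DYNAMIC_S3 = NatRule(3, "dynamic-pat-after-auto", "0.0.0.0/0", "0.0.0.0/0", PAT_ADDR)

AS_POSTED = [DYNAMIC_S1, IDENTITY_S1, DYNAMIC_S3]  # dynamic rule listed first
OPTION_1 = [IDENTITY_S1, DYNAMIC_S1, DYNAMIC_S3]   # static moved above dynamic
OPTION_2 = [IDENTITY_S1, DYNAMIC_S3]               # section 1 dynamic removed

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED),
                         ("option 1", OPTION_1),
                         ("option 2", OPTION_2)):
        print(label, tunnel_decision(rules, "192.168.1.79", "192.168.54.20"))
```

With the posted ordering the source is rewritten before the crypto ACL is consulted, so the echo request no longer matches 192.168.1.0/24 to 192.168.54.0/24; both reordering options leave the source untouched and the packet is selected for the tunnel.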
-
ASA VPN with ISE and different backends WBS for authentication
Hello
I have an AAA problem that I hope to get some help with.
The problem ultimately is: how to have the ASA, via ISE, send RADIUS Access-Requests to different OTP backends depending on the connection to a certain Tunnel Group.
BACKGROUND:
I'll try to give you a brief picture of the scenario; this is what I currently have.
A VPN system (ASA 8.4(4)) where I let my users choose among 3 different methods of authentication, being
(1) Certificate (on smart card)
(2) Token - OTP token (One Time Password provided via a smartphone application: using Pledge of Nordic OTP-Edge transport server)
(3) SMS - OTP token (Nordic OTP-Edge transport server SMS OTP)
The choice corresponds to different connection profiles/Tunnel Groups.
Today, all authentication requests go directly to the OTP server and authorization goes directly to the AD via LDAP.
THE PROBLEM:
The problem occurs when I try to put ISE into the mix.
What I obviously (?) would like to do is have all the network authentication/authorization go through my ISE platform, to take advantage of centralized administration, monitoring etc.
Again, I would need to use different backend databases such as AD and the Nordic OTP-Edge server, but then proxied by ISE.
For me to be able to know which backend AAA system to proxy to, I need to somehow be able to distinguish the incoming RADIUS Access-Requests.
WHAT WE CALL:
As of ASA 8.4.3, the RADIUS Access-Request contains 2 new attributes, the Tunnel Group Name and the Client Type, when a VPN user connects.
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/ref_extserver.html#wp1802187
QUESTION:
It seems that I can achieve what I want by looking at the RADIUS Access-Request attribute "Tunnel Group Name" and forwarding my request to different OTP backends for the authentication part, in theory at least. But how do I actually go ahead and set that up in ISE?
I don't see this attribute when I look at the RADIUS authentication details for an AAA authentication from the ASA in ISE.
Best regards
/ Mattias
I think you may be hitting the following problem:
CSCtz49846: ISE does not match the condition with VPN 146 Tunnel-Group-Name attribute
This issue is not specific to this attribute, as shown in the workaround in the accompanying note
Workaround
Ensure that the attribute name does not include a '.' character. This also applies to some of the existing attributes in the Cisco-VPN3000 dictionary. Attribute names should be changed so that they do not include a "." character.