topic Did you get it resolved? I in Network Access Control

Setting up VPN group for ACS5.5

bmack2121 — Mon, 11 Mar 2019 05:45:02 GMT

I am trying to a group in the ACS5.5 that allows users to be able to connect. I have created a network group called ASA-VPN and have it set for radius and tacacs. The ACS is linked to AD. I am lost on what to do next as far ass rules or attributes. I've dealt with ISE before but not the ACS.

Take a look at the following

nspasov — Fri, 22 May 2015 17:53:40 GMT

Take a look at the following link as it outlines a step-by-step process:

https://supportforums.cisco.com/document/139141/remote-access-vpn-authentication-acs-5x-using-radius-protocol

Let us know if you are still having issues.

Thank you for rating helpful posts!

I am still a little lost. The

bmack2121 — Sun, 24 May 2015 15:32:05 GMT

I am still a little lost. The default network access policy has already been set up. I've defined my ASA in the Network and AAA client list. I've went to AD under External Identity and add the VPN Allowed geoup under directory Groups. Now I am stuck on what to do next as far as policy Elements and Access Policies.

Did you get it resolved? I

nspasov — Tue, 26 May 2015 17:56:06 GMT

Did you get it resolved? I see the thread is marked as "answered" but still wanted to confirm. If you are still having issues please post screen shots of your policies.

I was trying to rate your

bmack2121 — Tue, 26 May 2015 18:46:02 GMT

I was trying to rate your post 5/5 but I guess that marks it as answered. I can't do screen shots due to our policy but I will describe it the best I can.

1. Under Policy Elements > Auth & Permissions > Network Access > Authroization Profiles:

I created a profile (I didn't touch common tasks)

a. RADIUS Attributes: I've added a class string value similar to what was in ACS4.x

2. Under Access Policies > Access Services > "VPN" > I checked Identity and Authorization

a. Under Allowed Protocols I've selected them all except preffered EAP and marked Radius Access Request User name

3. Under Identity I chose AD_CERT

4. Under Authorization I created a policy called "VPN Ac" > Compound condition from AD/VPN Access which results to VPN Access and login allow

5. The network devices has been created as well.

From a high level it sounds

nspasov — Tue, 26 May 2015 20:28:08 GMT

From a high level it sounds correct. What happens when a user tries to authenticate?

I haven't went live on this

bmack2121 — Tue, 26 May 2015 20:33:02 GMT

I haven't went live on this ACS yet. Still using the old. I have to go in to the ASA and do a few more configurations then I will test it out tonight. Fingers Crossed!

Ah ok, so one thing you could

nspasov — Tue, 26 May 2015 20:38:51 GMT

Ah ok, so one thing you could do is create a new VPN tunnel group and tied that to the the ACS server(s) so you can test it that way.

That may be safer but I am

bmack2121 — Tue, 26 May 2015 20:55:54 GMT

That may be safer but I am truely lost on how to do that one. You mean create a tunnel group in the ASA then create it in the ACS correct?

What I meant is:1. Create a

nspasov — Tue, 26 May 2015 21:01:36 GMT

What I meant is:

1. Create a new AAA group in the ASAs that reference the new ACS servers

2. Create another VPN profile (tunnel-group) in the ASAs. For example, test-vpn

3. Tie the AAA (authentication and authorization) of the new test-vpn to the new AAA server group that has the new ASAs

4. Test connection

I hope this helps!

Now I can connect through my

bmack2121 — Tue, 16 Jun 2015 18:33:35 GMT

Now I can connect through my new ACS. It will show my username on the ACS when I log in via VPN and it will also show clientless, subject not found in identity store" with my same IP listed in red right above it. I must have a rule set wrong or something. Any idea?