
ISE + ASA VPN: How to see VPN Pool address in ISE Live Logs?

cpaquet
Level 1

What command needs to be added to the ASA, so the ASA passes the IP address it has assigned to a VPN client while using a Local IP address pool?

 

I have assigned the local ASA VPN Pool in either Connection-Profile (Tunnel-Group) or in Group-Policy, but in either case, the IP address is not appearing in ISE Live Logs.  See attachments.

 

In the Live Log details, I can see the real IP address of the VPN host, but not the IP address assigned to Anyconnect.  The real IP address is reported as "Calling Station Id" (AV31).

 

I thought that maybe the ASA could pass the AV8: Framed-IP-Address - would this be the AnyConnect IP address?

What is the command to type in the ASA? I can't find it (the ASA equivalent to cmd:  'radius-server attribute 8')

 

Thank you.

1 Accepted Solution


cpaquet
Level 1

Solved!  The Virtual IP addresses of AnyConnect clients are now appearing in ISE Live Logs.

I was missing the RADIUS ACTG on ISE.  The client Virtual IP address is referred to as "Framed-IP-Address" as I wrote in my question above.  That AV8 is actually passed through RADIUS ACCOUNTING, not RADIUS AUTHENTICATION.

By turning on ACTG, the VIP appeared in ISE Live Logs.   See attachments.

The answer is on slide 54 of this Cisco Live presentation.  Many thanks to Quintin H, another ISE enthusiast, for recommending I have a peek at this CiscoLive PDF:   https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2018/pdf/BRKSEC-2051.pdf
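
To confirm from a capture which RADIUS packets carry which address, this added example (not part of the original post and not Cisco code) decodes the attributes of two constructed sample packets: Calling-Station-Id (31) appears in both, while Framed-IP-Address (8) appears only in the Accounting-Request, mirroring what the thread reports. The packet contents, user name, addresses and function names are assumptions made for illustration.

```python
import ipaddress
import struct

CODES = {1: "Access-Request", 4: "Accounting-Request"}
USER_NAME, FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 31, 40

def build_packet(code, attrs, ident=1):
    """Build a sample RADIUS packet (constructed; authenticator is zeroed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse_packet(data):
    """Return (packet name, {attribute type: raw value}), validating lengths."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length, _auth = struct.unpack("!BBH16s", data[:20])
    if length < 20 or length > len(data):
        raise ValueError("length field does not match the data")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return CODES.get(code, str(code)), attrs

def session_addresses(data):
    """Extract the two addresses discussed in the thread from one packet."""
    name, attrs = parse_packet(data)
    framed = attrs.get(FRAMED_IP)          # AV8: the VPN pool address
    calling = attrs.get(CALLING_STATION_ID)  # AV31: the client's real address
    return {
        "packet": name,
        "calling_station_id": calling.decode() if calling else None,
        "framed_ip": str(ipaddress.IPv4Address(framed)) if framed else None,
    }

# Constructed samples using documentation address ranges.
AUTH = build_packet(1, [(USER_NAME, b"alice"), (CALLING_STATION_ID, b"203.0.113.10")])
ACCT = build_packet(4, [(USER_NAME, b"alice"), (CALLING_STATION_ID, b"203.0.113.10"),
                        (ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # 1 = Start
                        (FRAMED_IP, ipaddress.IPv4Address("192.0.2.25").packed)])

if __name__ == "__main__":
    for pkt in (AUTH, ACCT):
        print(session_addresses(pkt))
```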

 
