05-29-2013 09:04 AM - edited 03-10-2019 08:28 PM
We are new to ISE and want to use RADIUS for VPN connection authentication. We have it where it will log the connection time, but we are not getting the disconnect time. Can someone provide some insight or guidance on how to configure that? We also want to narrow down the authentication to a specific group (i.e. VPN Client).
06-01-2013 11:31 PM
No Disconnect time is likely a RADIUS Accounting problem on the ASA.
06-02-2013 12:00 AM
If you are not seeing a stop packet, then there could be an issue with the session being used. Have you tracked the ISE logs with the session-id?
Can you provide the output of show run | in aaa and show run | in tunnel-group?
Also run the debugs:
debug aaa accounting
debug radius
Connect via VPN, check for the start packet and session-id, disconnect the session and look again for the stop packet. Grab the output of accounting from the ASA and paste it here.
In order to restrict a user to a specific group, with ISE we can create an authorization rule using external group: AD group and radius-IETF class attribute with a specific group-policy name.
Jatin Katyal
- Do rate helpful posts -
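The start/stop check described in the reply above can also be done offline on captured accounting traffic. The following is an added example, not part of the original thread and not Cisco code: it parses RADIUS Accounting-Request packets using the RFC 2866 attribute numbers and reports each Acct-Session-Id that has a Start but no Stop. The helper names and the sample packets (built with a zeroed authenticator) are constructed for illustration.

```python
import struct

ACCT_REQUEST = 4                      # RFC 2866 packet code
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44
START, STOP = 1, 2                    # Acct-Status-Type values

def build_acct(ident, user, session_id, status):
    """Build a constructed Accounting-Request (authenticator left as zeros)."""
    attrs = b""
    for typ, val in ((USER_NAME, user.encode()),
                     (ACCT_STATUS_TYPE, struct.pack("!I", status)),
                     (ACCT_SESSION_ID, session_id.encode())):
        attrs += bytes([typ, len(val) + 2]) + val
    return struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_acct(pkt):
    """Return {attr_type: value} for a well-formed Accounting-Request, else None."""
    if len(pkt) < 20 or pkt[0] != ACCT_REQUEST:
        return None
    length = struct.unpack("!H", pkt[2:4])[0]
    if not 20 <= length <= len(pkt):
        return None                   # truncated capture or bad length field
    attrs, pos = {}, 20
    while pos + 2 <= length:
        typ, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            return None               # malformed attribute
        attrs[typ] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs

def sessions_missing_stop(packets):
    """Map Acct-Session-Id -> User-Name for sessions with a Start but no Stop."""
    open_sessions = {}
    for pkt in packets:
        attrs = parse_acct(pkt) or {}
        if len(attrs.get(ACCT_STATUS_TYPE, b"")) != 4 or ACCT_SESSION_ID not in attrs:
            continue
        status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
        sid = attrs[ACCT_SESSION_ID].decode(errors="replace")
        if status == START:
            open_sessions[sid] = attrs.get(USER_NAME, b"").decode(errors="replace")
        elif status == STOP:
            open_sessions.pop(sid, None)
    return open_sessions

# Constructed sample: alice disconnects cleanly, bob's Stop never arrives.
SAMPLE = [build_acct(1, "alice", "C0A80001", START), build_acct(2, "bob", "C0A80002", START),
          build_acct(3, "alice", "C0A80001", STOP)]
```

Calling sessions_missing_stop(SAMPLE) returns the sessions the accounting server would show with a connect time but no disconnect time.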