Radius using ISE for VPN connections

jrounkles
Level 1

We are new to ISE and want to use Radius for VPN connection authentication. We have it where it will log the connection time but we are not getting the disconnect time. Can someone provide some insight or guidance on how to configure that? We also want to narrow down the authentication to a specific group (i.e. VPN Client).

2 Replies

Richard Atkin
Level 4

No Disconnect time is likely a RADIUS Accounting problem on the ASA.

Jatin Katyal
Cisco Employee

If you are not seeing a stop packet, then there could be an issue with the session being used. Have you tracked the ISE logs with the session-id?

Can you provide the output of show run | in aaa and show run | in tunnel-group from the ASA?

Also run the debugs:

debug aaa accounting

debug radius

Connect via VPN, check for the start packet and session-id, disconnect the session, and look again for the stop packet. Grab the accounting output from the ASA and paste it here.

In order to restrict users to a specific group, with ISE we can create an authorization rule using an external group (AD group) and the radius-IETF class attribute with a specific group-policy name.

~Jatin
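
The start/stop check suggested in the reply above can also be run over captured accounting traffic. The following is an added example, not part of the original thread: it decodes RADIUS Accounting-Request packets (RFC 2866) and lists each Acct-Session-Id that has a Start but no Stop. The function names and the sample packets are constructed for illustration, and the Request Authenticator is not verified.

```python
import struct

ACCT_REQUEST = 4                      # RADIUS code for Accounting-Request (RFC 2866)
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_accounting(packet: bytes) -> dict:
    """Decode one Accounting-Request into the fields needed to track a session."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    rec, pos = {}, 20                 # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == USER_NAME:
            rec["user"] = value.decode("utf-8", "replace")
        elif atype == ACCT_SESSION_ID:
            rec["session_id"] = value.decode("utf-8", "replace")
        elif atype == ACCT_STATUS_TYPE and len(value) == 4:
            n = struct.unpack("!I", value)[0]
            rec["status"] = STATUS.get(n, str(n))
        pos += alen
    return rec

def sessions_missing_stop(packets) -> list:
    """Return Acct-Session-Id values that have a Start but no matching Stop."""
    open_sessions = {}
    for rec in map(parse_accounting, packets):
        sid = rec.get("session_id")
        if rec.get("status") == "Start" and sid:
            open_sessions[sid] = rec
        elif rec.get("status") == "Stop":
            open_sessions.pop(sid, None)
    return sorted(open_sessions)

def _build(status, sid, user):        # constructed sample traffic, not a real capture
    def attr(t, v): return bytes([t, len(v) + 2]) + v
    body = (attr(USER_NAME, user) + attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
            + attr(ACCT_SESSION_ID, sid))
    return struct.pack("!BBH", ACCT_REQUEST, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = [_build(1, b"C0A80001", b"alice"), _build(1, b"C0A80002", b"bob"),
          _build(2, b"C0A80001", b"alice")]
```

A session reported here while the user is already disconnected points at the accounting path on the VPN gateway rather than at ISE's logging.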