Thank you Mohammed. We are using Win10 built-in VPN client which is presenting User certificate to ASA for authentication, should I use ikev2 remote-authentication eap query-identity or ikev2 remote-authentication certificate ? Ref: tunnel-group DefaultRAGroup ipsec-attributes ikev2 remote-authentication eap query-identity ikev2 local-authentication certificate VPN_Certificate ... View more

I have. On the Chassis, the management interface(one of the data interface change type to mgmt.) allocated for ASA is up and inside ASA interface status showing up and up. but when I connect my laptop directly to that interface with the same subnet IP not able to ping in any direction. ... View more

Hi Rahul, Thanks for the reply. My machine(laptop) is not enable with ipv6, I have assigned ipv4 address to the management interface where I have connected my laptop directly with the same subnet of IP address and tried pinging management ip, not responding.   ... View more

Hi, Didn't get this- can i assign that MGMT interface to other onboard available interface. Actually , Firepower 4100 series MGMT interface is only for Chassis Management. If you create any logical devices ( ex: ASA or FTD) on the chassis you have to use one of the data interface as a management interface for logical devices ( interface type should be change to mgmt. before assigning to the Logical devices. hope this helps. ... View more

Hello Richard, Thanks for looking into it, sorry for the uncertainty in the question.   I need to configure FXOS Chassis Authentication/Authorization for remote management via a remote RADIUS server only. However I have been advised that you need to create the same users locally on the chassis to use RADIUS Authentication/Authorization.   For example if one of the Network Admin users Authentication/Authorization by RADIUS is called John then I need to create a local user account for John on FXOS Chassis as well   This is not a feasible solution since there are too many accounts that use RADIUS Servers for Authentication/Authorization  and it would not be practical to create those users locally on the FXOS Chassis.   ... View more

Thank you, Rahul,   Basically, I need to do two checks: 1) If the user initiating VPN connection from the internal wifi subnet, the user device should be verified by AD device membership group for authentication   2)If the user initiating VPN connection from the Internet,  the user device and user should be verified from  AD device membership group and AD VPN users membership group. This is my requirement...so before passing to authentication I need to verify the source IP address of clients VPN connection, based on that authentication will be done. If I write a control Plane ACL with source IP addresses as internal wifi subnet and stick it to the outside interface... only those connections(internal) will be accepted and any other source IP address connections ( for instance external users - Internet addresses) will be blocked. but I need to allow these connections as well and identify as the external user so authentication will be passed to the AD for User and Device group memberships verifications. How do I achieve this? below configuration is OK for Internal users : no sysopt connection permit-vpn access-list vpn_internal_users extended permit tcp inetnal_wifi_subnet mask host VPN_gateway eq 443 access-group vpn_internal_users in int outside control-plane so only internal_wifi_subnet connections will be accepted, How do I allow external users connections? attaching a vpn-filter(with any any acl) within the group-policy of external users helps? ... View more

Thank you, Rahul. Thanks for testing in the lab as well. will discuss this with the client. Could you or anyone please answer my questions? and sample configuration? ... View more

In addition to above message, if I configure  vpn-tunnel-protocol as ssl-client and allow VPN connections on 443 from SSTP client ( ie win 10 native vpnclient using SSTP) , does this works?   ... View more

Hi Rahul and Mohammed,     As per below, https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html#id_65223 IKEv2 Remote Access Clients IKEv2 support was added to the ASA in release 8.4. For IKEv2 remote access, the ASA only supported Cisco AnyConnect 3.0+ clients and no other third-party IKEv2 clients. From ASA release 9.3.2 and onward, we added interoperability with standards-based, third-party, IKEv2 remote access clients (in addition to AnyConnect). Authentication support includes preshared keys, certificates, and user authentication via the Extensible Authentication Protocol (EAP).   Does that third-party covers SSTP clients ? please correct me if I am wrong.   ... View more

Thanks Rahul, You said, inner protocols are different, any idea what are the inner protocols ? is there a way to restrict win 10 native client to use tls 1.2 to connect to VPN? ... View more

Hi Mohammed, Thanks for the reply, I believe all ASA 9.3 and above versions support SSTP VPN connections but I haven't tested this yet. SSTP protocol is Client(Company) requirement due to some security reasons. VPN users PC's will be hardcoded to use SSTP protocol to connect VPN. ... View more