Hi,    Does anyone have any idea how to configure Anyconnect to obtain a static ip address when using an MFA app like Azure MFA. At the moment I have an ASA pointed towards a Microsoft NPS server with the Azure MFA extension. I have configured each user with a static ip address under the dial in tab. Without the MFA authentication, i.e. just authenticating against AD, the attributes can be passed down from the NPS server towards the ASA, but as soon as you enable the Azure MFA in the NPS - the attributes stop being passed down.    I have also tried pointing the ASA at an ACS, which is configured to act as a Radius proxy, which then queries the NPS/MFA setup, with an identical user account also created in the ACS and a static ip address configured under each user account. But this fails too - due to 'Radius client encountering an error during processing flow'.    I am now beginning to wonder if it is at all possible to configure a static ip address alongside a MFA solution, whether that is Azure/Duo etc. Can anyone help in anyway on this? ... View more

Hi,   I am looking at configuring an ISE server as a radius server.   I need to be able to match on internal users and allocate them to a specific authorization profile as some of the attributes are user-specific (static ip address, static routes) and some can be grouped together and applied via an authorization profile, i.e. VRF.  basically some users have mutliple lines and they will be grouped together into their own VRF.   At the moment - I cannot see how it is possible to match against an internal users - I was hoping to use the 'user group's attribute configured when creating each user account. But, I am having trouble configuring ISE to accept this as an authorization condition, my syntax is something as follows:   Internal-User:User-group = 'user-group-name'   With the 'user-group-name' field being the actual value configured under the user account.   Does anyone have any experience with match on internal users, to be able to apply an authorization profile to them?   Best wishes   Mike ... View more

Hi, I wondered if anyone has any general advice on how to troubleshoot an issue we are seeing with a new wifi deployment using legacy clients (802.11a/b/g only) with a 5508 controller and 2702 access-points. The software version of the wireless controller is 8.0.140.0. Basically we have good coverage throughout our deployment, having had both an initial survey and a post deployment survey. The issue seems to be that some legacy clients (about 20) continually disassociate from the network. The cause is unknown - i.e. It is not clear whether they cannot roam or something else happens. In the log buffer, the 2 messages we see over and over are below: *dot1xMsgTask: May 14 20:39:48.126: %DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:509 Max EAPOL-key M1 retransmissions exceeded for client 00:10:20:4a:13:44 *apfMsConnTask_6: May 14 20:39:43.064: %APF-4-ASSOCREQ_PROC_FAILED: apf_80211.c:5991 Failed to process an association request from 00:10:20:4a:13:44. WLAN:1, SSID:NLC_SCANNERS. message with invalid supported rate. Compared with the previous hardware (a ringmaster/juniper setup) - our 5508 is configured slightly differently, i.e. uses wpa2 with static key) (instead of WEP), we have different mandatory rates (18mbps on Cisco vs Juniper of 1,2,5.5 and 11) - all the remaining rates on the Cisco are supported, as they were on the juniper.  I know it looks strange to have a different mandatory rate set - but they do seem to initially associate at least. Obviously I can also see that the logs are full of unsupported rates (which seems to suggest we have set a 'g' rate in an environment where there are 'b' only clients, but why would they still be able to associate at all? One other major difference is that we have 802.11n enabled on the Cisco, whereas I think it was disabled on the Juniper setup (even though it was capable of it). Can anyone suggest a way forward with this? First thing in the morning I will enable a debug client [mac]for a specifc client, and post that too.. Best wishes Mike ... View more

Hi, I am having an issue getting sftp to work and it seems to be caused by the ASA. I can sftp from the open internet from my home pc to the destination using filezilla, but not using the same machine when I use the corporate connection. Despite allowing my ip address throuhg the firewall out to all destinations. Of course the sftp service providers blame our firewall, and it is hard to disagree, although when you start to look at the details it may not be as simple as that. Does anyone know whether sftp is supported through the ASA - although it seems as though it is a much simpler protocol than ftp, i.e. no control and data channel, just a single channel. The code version we are using is 9.4(2)11. What is interesting is the ASA capture shows the 3-way handshake being setup, and then straight away, it received a FIN-ACK from the other side. Which is as if the server or server firewall is seeing the 3rd packet of the 3 way handshake as a FIN. Unfortunately the other side is not a Cisco device so there is not much in the way of logs. Has anyone seen anything like this before? Best wishes Mike I can attach captures is required. ... View more

Hi, I have recently upgraded our ACE30 blades from 2.1 to 3.3, and have seen that there are a large number of dropped connections for one particular site starting at the same time I moved over to the upgraded ACE. This is out of about 10 or sites. The failing traffic is largely an external monitoring company trying to send an HTTP post through the ACE, and this keeps failing. When they change their monitoring probe to a GET, it apparently starts working... I can post show service-policy detail, or anything else for that matter, if anyone would be able to help? If anyone would be able to make any suggestions that would be a massive help. Best wishes Mike ... View more

Hi, I wondered if anyone has any experience in bundling 2 fibre broadband links together, we need extra capacity for a wireless network that is used for guest wifi and testing purposes. The single circuit currenly has a b/w of around 50Mb, but I was thinking of ordering another circuit, and then running glbp between the 2 routers. I have labbed this on gns3 and it seems to run fine - I just wondered if there are any known pitfalls to this? Best wishes Mike ... View more

Hi, I am seeing a constant issue whereby the anyconnect client is still trying to proxy anyconnect ssl connections - despite the fact that the websense policy 'should' be bypassing anyconnect traffic, as well as vpnui.exe. I understand that this may seem more of a websense config issue than anyconnect, but I thought I would ask to see if anyone else has experienced this problem, which version of anyconnect client people are using to avoid this issue, and also to ask if anyone knows why anyconect is still trying to proxy this traffic?   The version pf anyconnect I am using is 3.1.0.913   Thanks for any help.   Mike ... View more