
26 Mar 14 Broadcast multiple SSID’s – Cisco Standalone Access Points

How to broadcast multiple SSID’s on Cisco Access Points

Usually, using the command guest-mode under the SSID configuration on a Cisco Access Point, you can broadcast a single SSID. I needed to broadcast multiple SSIDs on Cisco 1240 Access Points running IOS Version 12.4(10b)JDA3. In that case I used the following configuration options.

! # = the radio number (the radio interface that should beacon each SSID)
interface dot11radio #
 mbssid
!
dot11 ssid CORP
 mbssid guest-mode
!
dot11 ssid GUEST
 mbssid guest-mode

I used the following two links during my research.

  • http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-3_7_JA/configuration/guide/i1237sc/s37ssid.html#wp1050170
  • http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-_3g_JA/configuration/guide/ios1243gjaconfigguide/s43ssid.html#wp1035858



07 Feb 14 EEM Script for clearing – Cisco IOS

EEM Script example to clear stuff in Cisco IOS

I recently had to clear the DHCP conflict log on a Cisco router: it was filling up and, in a specific situation, stopping devices from getting back on the network. Instead of doing it manually I decided to give Cisco EEM scripting a try, and it worked out pretty well :). Another scenario where I used it was clearing DHCP bindings and the ARP cache.

EEM Script – Clear DHCP Conflict Log

! CLEAR_DHCP_CONFLICT is the applet's name
event manager applet CLEAR_DHCP_CONFLICT
 ! the watchdog timer runs the applet every 172800 seconds (48 hours)
 event timer watchdog time 172800
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip dhcp conflict *"
 ! syslog msg lets the applet write a syslog message when it has run
 action 3.0 syslog msg "IP DHCP Conflict log has been cleared successfully"

EEM Script – Clear DHCP Bindings and Arp Cache

! This applet needs its own name: configuring a second applet called
! CLEAR_DHCP_CONFLICT would replace the one above instead of adding to it
event manager applet CLEAR_DHCP_BINDINGS
 event timer watchdog time 172800
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip dhcp binding *"
 action 3.0 cli command "clear arp"
 action 4.0 syslog msg "IP DHCP bindings and Arp Cache have been cleared"

So Cisco EEM Scripting is pretty cool. Possibilities are endless.


26 Dec 13 Cisco WLC2504 Boot loader Failure

Cisco WLC2504 Boot Loader Failure Error

So today I had a Cisco WLC 2504 crash and it would not come back online after a reboot. I gained access to it via a Cisco console cable to see what was going on, and I was presented with the following screen/error:

WLCNG Boot Loader Version 1.0.16 (Built on Feb 28 2011 at 13:14:54 by cisco)
Board Revision 0.0 (SN: PSZ17xxxxx, Type: AIR-CT2504-K9) (P)
Verifying boot loader integrity…
##########################################
### IMPROPER SYSTEM OPERATION DETECTED ###
### ———————————- ###
### System has been halted because: ###
### 1. Boot loader failed verification ###

WLC 2504 BootLoad Failure

I was hoping this was something that could be recovered so we could bring the Cisco 2504 WLC back online. After some searching and talking to Cisco TAC, it basically just needed to be RMAed. Thank God for Cisco Smartnet :), I was able to get it back up and running in a couple of hours.


24 Dec 13 Testing dial tone and Outbound calling from Cisco Router and FXO Card

Dial tone and Outbound calling – Cisco Router/FXO Card

Recently I needed to test whether there was a dial tone on the Cisco FXO card installed in a Cisco 2911 router. I knew that the telco terminated the POTS lines on the 66 block, but I did not know if they were plugged into the Cisco FXO card, and I did not have anyone onsite to give me visual confirmation. So I found a couple of useful debug commands to accomplish this:

debug vpm signal
debug vpm all

Here are the steps I took:

  • First I took a test Cisco IP phone on my desk and set it up with this office's extension in Cisco Call Manager
  • Next I enabled debug vpm all on the router, with term mon so the output shows up on my session
  • Next I tried to dial out from my test phone; since Cisco Call Manager was set up to use the FXO card for outbound calls, the router tried to dial out on one of the FXO ports
  • Now take a look at the debug messages from the Cisco router

#htsp_allocate_if —

Nov 27 10:31:46.468: HTSP endpoint_info=aaln/S0/SU0/0, type=2, under_specified=0,
service_type=2htsp_allocate_if: MATCH!

Nov 27 10:31:46.472: htsp_timer_stop3 htsp_setup_req
Nov 27 10:31:46.472: Orig called num:16152324144
Nov 27 10:31:46.472: htsp_process_event: [0/0/0, FXOLS_ONHOOK, E_HTSP_SETUP_REQ]fxols_onhook_setup
Nov 27 10:31:46.472: [0/0/0] set signal state = 0xC timestamp = 0
Nov 27 10:31:46.472: dsp_set_sig_state: [0/0/0] packet_len=12 channel_id=128 packet_id=39 state=0xC timestamp=0x0
Nov 27 10:31:46.472: TGRM: reg_invoke_tgrm_call_update(0, 0, 0, 65535, 1, TGRM_CALL_BUSY, TGRM_CALL_VOICE, TGRM_DIRECTION_OUT)
Nov 27 10:31:46.472: htsp_timer – 1300 msec
Nov 27 10:31:46.728: htsp_process_event: [0/0/0, FXOLS_WAIT_DIAL_TONE, E_DSP_SIG_1100]fxols_power_denial_detected
Nov 27 10:31:46.728: htsp_timer2 – 1000 msec
Nov 27 10:31:46.728: htsp_timer_stop
Nov 27 10:31:47.728: htsp_process_event: [0/0/0, FXOLS_WAIT_DIAL_TONE, E_HTSP_EVENT_TIMER2]fxols_power_den_disc
Nov 27 10:31:47.728: htsp_timer_stop
Nov 27 10:31:47.728: htsp_timer_stop2
Nov 27 10:31:47.728: [0/0/0] set signal state = 0x4 timestamp = 0
Nov 27 10:31:47.728: dsp_set_sig_state: [0/0/0] packet_len=12 channel_id=128 packet_id=39 state=0x4 timestamp=0x0
Nov 27 10:31:47.728: mars_flex_dsprm_current_codec_comp:DSP:0 FLEX Complexity Codec htsp_release_req: cause 34, no_onhook 0
Nov 27 10:31:47.728: htsp_process_event: [0/0/0, FXOLS_ONHOOK, E_HTSP_RELEASE_REQ]fxols_onhook_release
Nov 27 10:31:47.728: TGRM: reg_invoke_tgrm_call_update(0, 0, 0, 65535, 1, TGRM_CALL_IDLE, TGRM_CALL_VOICE, TGRM_DIRECTION_OUT)
Nov 27 10:31:47.728: flex_dsprm_close_cleanuphtsp_allocate_if —

Nov 27 10:31:47.780: HTSP endpoint_info=aaln/S0/SU0/1, type=2, under_specified=0,
service_type=2htsp_allocate_if: MATCH!

If you look at the lines above you will notice that the port clearly did not get a dial tone, hence my call failed. With this information I was able to verify whether someone had connected the cables from the 66 block to the Cisco FXO card. I could also have used this same technique to check for dial tone on the POTS lines on the 66 block when no butt set is available.
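The verdict above comes from reading the HTSP state machine by hand. The following Python, an added example that is not from the original post, automates that reading: it parses `htsp_process_event` lines into per-port state transitions, attaches the `htsp_release_req` cause code to the port, and reports whether the FXO port got dial tone. The sample text is a constructed excerpt in the format of the debug output above, and the `fxols_power_denial_detected` handler is taken as the "no line behind this port" signal, which is what the post observed.

```python
import re

# Constructed excerpt in the format of the "debug vpm all" output above
SAMPLE_DEBUG = """\
Nov 27 10:31:46.472: htsp_process_event: [0/0/0, FXOLS_ONHOOK, E_HTSP_SETUP_REQ]fxols_onhook_setup
Nov 27 10:31:46.472: htsp_timer - 1300 msec
Nov 27 10:31:46.728: htsp_process_event: [0/0/0, FXOLS_WAIT_DIAL_TONE, E_DSP_SIG_1100]fxols_power_denial_detected
Nov 27 10:31:47.728: htsp_process_event: [0/0/0, FXOLS_WAIT_DIAL_TONE, E_HTSP_EVENT_TIMER2]fxols_power_den_disc
Nov 27 10:31:47.728: mars_flex_dsprm_current_codec_comp:DSP:0 FLEX Complexity Codec htsp_release_req: cause 34, no_onhook 0
Nov 27 10:31:47.728: htsp_process_event: [0/0/0, FXOLS_ONHOOK, E_HTSP_RELEASE_REQ]fxols_onhook_release
"""

EVENT_RE = re.compile(
    r"htsp_process_event: \[(?P<port>[\d/]+), (?P<state>\w+), (?P<event>\w+)\](?P<handler>\w+)")
CAUSE_RE = re.compile(r"htsp_release_req: cause (?P<cause>\d+)")

# Q.850 release causes that show up most often on FXO trunks
Q850 = {16: "normal call clearing", 34: "no circuit/channel available"}


def parse_htsp(text):
    """Group state transitions and release causes per voice port."""
    ports, current = {}, None
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            current = ports.setdefault(m["port"], {"transitions": [], "causes": []})
            current["transitions"].append((m["state"], m["event"], m["handler"]))
        c = CAUSE_RE.search(line)
        if c and current is not None:
            # the cause line carries no port id, so attach it to the last port seen
            current["causes"].append(int(c["cause"]))
    return ports


def analyze_fxo(text):
    """Decide per port whether the FXO line produced dial tone."""
    results = {}
    for port, info in parse_htsp(text).items():
        handlers = {h for _, _, h in info["transitions"]}
        states = {s for s, _, _ in info["transitions"]}
        if "fxols_power_denial_detected" in handlers:
            # loop current dropped while waiting for dial tone: nothing is
            # patched through to this port from the 66 block
            verdict = "no_dial_tone"
        elif states - {"FXOLS_ONHOOK", "FXOLS_WAIT_DIAL_TONE"}:
            # the state machine moved past waiting for dial tone
            verdict = "dial_tone_ok"
        else:
            verdict = "inconclusive"
        results[port] = {
            "verdict": verdict,
            "causes": [(c, Q850.get(c, "unknown")) for c in info["causes"]],
        }
    return results


if __name__ == "__main__":
    for port, r in analyze_fxo(SAMPLE_DEBUG).items():
        print(f"port {port}: {r['verdict']} causes={r['causes']}")
```

On the sample this reports port 0/0/0 as `no_dial_tone` with cause 34; paste a real `debug vpm all` capture in place of the sample to check every FXO port in one pass.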


19 Dec 13 Cisco Voice Gateway not Re Registering with Cisco Call Manager

Cisco Voice Gateway lost registration with Cisco Call Manager and not re registering

So VoIP is a whole new world to me and in the last two months I have learnt a whole lot. Pretty interesting stuff, especially once you know it, obviously lol. But troubleshooting can be a pain at times. Recently one of the Cisco routers with a PRI lost its registration with the Cisco Call Manager (CUCM). None of the phones were working for outbound dialing, however local extension dialing was working. When I logged into the Cisco router and issued the command show ccm, I noticed that it was going back and forth trying to register with the primary and backup Cisco Call Manager. I looked at the settings on the Cisco router and all VoIP related config was right. I tried no mgcp and then mgcp, still no use. Then I started to run a debug to see what was happening, hoping it would give me some indication of the issue. The following commands were issued on the router:

  • debug mgcp events
  • debug mgcp errors
  • term mon

Here is what I saw in the log:

Dec 18 13:42:30.080: S0/SU0/DS1-0/* mgcp_endpt_parent_redirected: parent S0/SU0/DS1-0/*, child S0/SU0/DS1-0/23
Dec 18 13:42:30.080: S0/SU0/DS1-0/23 mgcp_endpt_set_notified_entity:
Dec 18 13:42:30.080: S0/SU0/DS1-0/23 mgcp_endpt_set_notified_entity:ne 10.206.110.20:2427, ne addr 10.206.110.20:2427
Dec 18 13:42:30.080: S0/SU0/DS1-0/23 mgcp_endpt_set_call_agent:
Dec 18 13:42:30.080: S0/SU0/DS1-0/23 mgcp_endpt_redirect_children:
Dec 18 13:42:30.080: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.080: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.080: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.080: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.080: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.080: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.080: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.080: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.080: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.080: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.080: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.084: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.084: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.084: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.084: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.084: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.084: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.084: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.084: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.084: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.084: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.084: mgcp_is_transient: callp->state=4, conn_mode=3
Dec 18 13:42:30.084: mgcp_is_transient: callp->state=0, conn_mode=0
Dec 18 13:42:30.084: MGCP sys msg: (15)
Dec 18 13:42:30.084: xlate sys msg: (15, 4539B688)
Dec 18 13:42:30.084: sys msg values: (INVALID MGCP EVENT, 0, , 1108831796, CALL_IDLE)
Dec 18 13:42:30.084: process mgcp_handle_cmapp_event
Dec 18 13:42:30.084: mgcp_cmapp_send_rsip: Send-RSIP: Sending gw host is XYZ1-RTR-01.mydomain.com, endpt is *
Dec 18 13:42:30.084: mgcp_cmapp_send_rsip_to_callmgr: Send RSIP – Pass-in: ipaddr=10.206.110.20 ca_port=2427
Dec 18 13:42:30.084: * mgcp_root_get_profile:
Dec 18 13:42:30.084: * mgcp_send_rsip_msg:
Dec 18 13:42:30.084: * mgcp_endpt_record_rsip:
Dec 18 13:42:30.084: * mgcp_send_rsip_msg: Manually recroding RSIP method
Dec 18 13:42:30.084: * mgcp_endpt_record_rsip:
Dec 18 13:42:30.084: * mgcp_enq_retx_rsip_msg
Dec 18 13:42:30.084: mgcp_add_trans_id_rec: Add trans id (689668931, 46CBEB70) record
Dec 18 13:42:30.084: mgcp_stw_timer_start timer type 0, duration 500
Dec 18 13:42:30.652: MGC stat – 10.202.110.36, total=340539, succ=340048, failed=146
Dec 18 13:42:30.652: mgcpapp_process_mgcp_msg :
Dec 18 13:42:30.660: * mgcp_msg_ack
Dec 18 13:42:30.660: MGC stat – 10.202.110.36, total=340539, succ=340049, failed=146
Dec 18 13:42:30.660: * mgcp_check_for_redirection: endpt * was not redirected
Dec 18 13:42:30.660: [S] mgcp_msg_ack:6166,Updating (*)=10.202.110.36
Dec 18 13:42:30.660: * mgcp_msg_ack: Removing msg : RSIP 689668929 *@XYZ1-RTR-01.mydomain.com MGCP 0.1
RM: graceful
Dec 18 13:42:30.664: * mgcp_msg_ack: Setting the restart method to NONE
Dec 18 13:42:30.664: mgcpapp_process_socket
Dec 18 13:42:30.664: MGC stat – 10.206.110.20, total=313, succ=169, failed=143
Dec 18 13:42:30.664: mgcpapp_process_mgcp_msg :
Dec 18 13:42:30.664: * mgcp_msg_ack
Dec 18 13:42:30.664: MGC stat – 10.206.110.20, total=313, succ=169, failed=144
Dec 18 13:42:30.664: * mgcp_check_for_redirection: endpt * was not redirected
Dec 18 13:42:30.664: * mgcp_msg_ack: Removing msg : RSIP 689668931 *@XYZ1-RTR-01.mydomain.com MGCP 0.1
RM: restart
Dec 18 13:42:30.664: * mgcp_msg_ack: Setting the restart method to NONE
Dec 18 13:42:30.664: mgcpapp_process_socket
Dec 18 13:42:30.960: unreachable detected
Dec 18 13:42:30.960: mgcp_cr_and_init_evt_node:$$$ the node pointer 46FA4428

After looking at the debug I noticed that the registration was failing for the host “XYZ1-RTR-01.mydomain.com”. When I looked in the Cisco Call Manager I noticed that the registered name was “XYZ-RTR-01.mydomain.com”. So since the host name of the Cisco Voice Gateway had changed, it was no longer valid in the Cisco Call Manager. I simply updated the name in Cisco Call Manager and the Cisco Voice Gateway successfully re-registered with the Cisco Call Manager (CUCM).
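The name mismatch is easy to miss in a wall of `mgcp_is_transient` lines. This Python, an added example and not part of the original post, pulls out of a `debug mgcp events`/`debug mgcp errors` capture the three things that located the fault: the host name the gateway puts in its RSIP messages, the per-call-agent success/failure counters from the `MGC stat` lines, and the `unreachable detected` marker. It then compares the RSIP host against the names configured in CUCM (case-insensitively) and flags a call agent whose failure ratio is high. The debug text and the CUCM gateway name are constructed, modelled on the output above.

```python
import re

# Constructed excerpt in the format of the "debug mgcp events/errors" output above
SAMPLE_MGCP = """\
Dec 18 13:42:30.084: mgcp_cmapp_send_rsip: Send-RSIP: Sending gw host is XYZ1-RTR-01.mydomain.com, endpt is *
Dec 18 13:42:30.652: MGC stat - 10.202.110.36, total=340539, succ=340048, failed=146
Dec 18 13:42:30.660: * mgcp_msg_ack: Removing msg : RSIP 689668929 *@XYZ1-RTR-01.mydomain.com MGCP 0.1
Dec 18 13:42:30.664: MGC stat - 10.206.110.20, total=313, succ=169, failed=144
Dec 18 13:42:30.664: * mgcp_msg_ack: Removing msg : RSIP 689668931 *@XYZ1-RTR-01.mydomain.com MGCP 0.1
Dec 18 13:42:30.960: unreachable detected
"""

# Constructed: the gateway name as configured in CUCM (one character short)
CUCM_GATEWAY_NAMES = {"XYZ-RTR-01.mydomain.com"}

RSIP_RE = re.compile(r"RSIP \d+ \*@(?P<host>[\w.-]+) MGCP")
# the debug prints either a hyphen or an en dash after "MGC stat"
STAT_RE = re.compile(
    r"MGC stat [-–] (?P<ca>\d+\.\d+\.\d+\.\d+), total=(?P<total>\d+), "
    r"succ=(?P<succ>\d+), failed=(?P<failed>\d+)")


def analyze_mgcp(debug, cucm_names, fail_ratio=0.25):
    """Return the RSIP host names, latest MGC counters per call agent, and findings."""
    rsip_hosts, stats, findings = set(), {}, []
    for line in debug.splitlines():
        m = RSIP_RE.search(line)
        if m:
            rsip_hosts.add(m["host"])
        s = STAT_RE.search(line)
        if s:  # keep the latest counters for each call agent
            stats[s["ca"]] = (int(s["total"]), int(s["succ"]), int(s["failed"]))
        if "unreachable detected" in line:
            findings.append("call agent marked unreachable")
    known = {n.lower() for n in cucm_names}
    for host in sorted(rsip_hosts):
        if host.lower() not in known:
            findings.append(f"gateway registers as {host}, not configured in CUCM")
    for ca, (total, _, failed) in sorted(stats.items()):
        if total and failed / total >= fail_ratio:
            findings.append(f"{ca}: {failed}/{total} MGCP transactions failed")
    return {"rsip_hosts": sorted(rsip_hosts), "stats": stats, "findings": findings}


if __name__ == "__main__":
    report = analyze_mgcp(SAMPLE_MGCP, CUCM_GATEWAY_NAMES)
    print("RSIP hosts:", report["rsip_hosts"])
    for ca, (total, succ, failed) in report["stats"].items():
        print(f"{ca}: total={total} succ={succ} failed={failed}")
    for f in report["findings"]:
        print("finding:", f)
```

On the sample the report names `XYZ1-RTR-01.mydomain.com` as unknown to CUCM and singles out 10.206.110.20, where nearly half the transactions failed, while 10.202.110.36 with 146 failures out of 340539 stays quiet.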


31 Aug 13 No Shut Cisco router interface automatically – EEM Script

How to re enable a Cisco router interface after shutting it down automatically

Recently I needed to shut down a Cisco router interface for testing, but then I needed it re-enabled after a minute or so. Since it was a remote router I had no console access to it, and no dial-up access either. I had the option of doing a reload in xxx, but I really did not want the whole router reloaded. Thanks to Cisco Embedded Event Manager (EEM) scripting :), it came to my rescue. Here are a few examples that I ended up using for my testing.

The EEM script examples I used utilize several parameters; there is so much more you can do, but these are just the basics for what I needed to accomplish:

EEM Script – “no shut” after 60 seconds

event manager applet NOSHUT1
 event timer countdown time 60
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface serial0"
 action 4 cli command "no shut"

The only thing about this script was that it ran only once and that was it; the countdown timer would not reset, so to take care of that issue I used another option.

EEM Script – “no shut” after 60 seconds and reset counter

event manager applet NOSHUT
 event timer watchdog time 60
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface serial0"
 action 4 cli command "no shut"

Now with this script I would shut down an interface and after 60 seconds the script re-enabled it and reset the counter again. This means that when I shut the interface down again, the EEM script would re-enable it again after the counter reached “0”.

EEM Script – “no shut” after detecting a pattern in the log

event manager applet NOSHUT3
 event syslog pattern "Interface Serial0, changed state to administratively down"
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface serial0"
 action 4 cli command "no shut"

This last one looks for a certain pattern in the log and, if it matches, the script runs and performs the actions you specify. In my case I just did a “no shut” on the serial 0 interface. So this should give you an idea of how powerful EEM scripting can be and how much we can accomplish with it :).
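Before pushing applets like the ones in this post and in the “EEM Script for clearing” post above to a remote router, it helps to lint them offline. The Python below is an added example, not code from the original posts or from Cisco: it parses `event manager applet` blocks out of config text, reports applet names that are reused (IOS keeps only the last definition under a given name, which is what the `clear` post's second applet would do to its first), warns where action labels would run in a different order than intended (EEM orders labels as strings, so `10` runs before `2`), and replays sample syslog lines against each `event syslog pattern` to show which applet would fire. The config text and log lines are constructed for the example.

```python
import re

# Constructed config modelled on the applets in the two EEM posts on this page;
# the second applet deliberately reuses the first one's name.
EEM_CONFIG = """\
event manager applet CLEAR_DHCP_CONFLICT
 event timer watchdog time 172800
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip dhcp conflict *"
 action 3.0 syslog msg "IP DHCP Conflict log has been cleared successfully"
event manager applet CLEAR_DHCP_CONFLICT
 event timer watchdog time 172800
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip dhcp binding *"
 action 3.0 cli command "clear arp"
event manager applet NOSHUT3
 event syslog pattern "Interface Serial0, changed state to administratively down"
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "interface serial0"
 action 4 cli command "no shut"
"""

APPLET_RE = re.compile(r"event manager applet (\S+)")
ACTION_RE = re.compile(r'action (\S+) (cli command|syslog msg) "(.*)"')
SYSLOG_RE = re.compile(r'syslog pattern "(.*)"')


def parse_applets(text):
    """Return (applets, duplicate_names); each applet has name, event and actions."""
    applets, duplicates, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = APPLET_RE.match(line)
        if m:
            name = m.group(1)
            if any(a["name"] == name for a in applets):
                duplicates.append(name)  # IOS would replace the earlier applet
            cur = {"name": name, "event": None, "actions": []}
            applets.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("event "):
            cur["event"] = line[len("event "):]
            continue
        m = ACTION_RE.match(line)
        if m:
            cur["actions"].append((m.group(1), m.group(2), m.group(3)))
    return applets, duplicates


def label_order_warnings(applets):
    """EEM runs actions in string order of their labels ('10' before '2');
    report applets whose numeric order differs from that string order."""
    warnings = []
    for a in applets:
        labels = [lbl for lbl, _, _ in a["actions"]]
        try:
            numeric = sorted(labels, key=float)
        except ValueError:
            continue  # non-numeric labels: nothing to compare
        if sorted(labels) != numeric:
            warnings.append(a["name"])
    return warnings


def syslog_triggers(applets, log_lines):
    """For each log line, list the applets whose syslog pattern matches it."""
    fired = []
    for line in log_lines:
        names = []
        for a in applets:
            m = SYSLOG_RE.match(a["event"] or "")
            if m and re.search(m.group(1), line):
                names.append(a["name"])
        fired.append((line, names))
    return fired


# Constructed syslog lines in the usual IOS format
SAMPLE_LOG = [
    "%LINK-5-CHANGED: Interface Serial0, changed state to administratively down",
    "%LINK-5-CHANGED: Interface Serial1, changed state to administratively down",
]

if __name__ == "__main__":
    applets, dups = parse_applets(EEM_CONFIG)
    print("applets:", [a["name"] for a in applets])
    print("duplicate names (later definition replaces earlier):", dups)
    print("label-order warnings:", label_order_warnings(applets))
    for line, names in syslog_triggers(applets, SAMPLE_LOG):
        print(f"{names or 'no applet'} <- {line}")
```

Run against the sample, the checker reports `CLEAR_DHCP_CONFLICT` as a duplicate and shows that only the Serial0 line fires `NOSHUT3`; the Serial1 line matches nothing, which is the point of writing the pattern with the interface name in it.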

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo 🙂.


22 May 13 ASA 8.4 NAT with specific ports

Cisco ASA NAT specific ports TCP/UDP Version 8.4

So we are all pretty much used to the new Cisco ASA 8.3+ NAT: Auto NAT and Twice NAT. I am writing this article on how to NAT single or multiple specific ports to a single public IP address. When and why would you want to do this? Some companies can’t afford a large range of public IP addresses, and/or they might be running out, or they have way too many internal servers/resources. Using this method public IPs can be conserved and one address can be used for multiple internal resources instead of just one.

Scenario 1

First let me give you an example if you simply want to NAT an internal IP to a public IP on a Cisco ASA running version 8.4. For example, we have an internal IP of 10.1.1.10 and a public IP of 1.1.1.1:

object network obj-10.1.1.10
host 10.1.1.10
nat (inside,outside) static 1.1.1.1

That is it. Now you can create an access list for the specific need you have for that server; let’s say people from the outside need to access it over 443:

access-list outside_in extended permit tcp any gt 1024 host 10.1.1.10 eq 443

Scenario 2

Now someone from the outside can type “https://1.1.1.1” or the associated FQDN and access this web server. But what happens if you need another public IP address for another internal resource and need 22 (SSH) opened up for it, and you have already used up your last IP address? When I ran into this issue I did this:

! Server 1
object network obj-10.1.1.10
 host 10.1.1.10
 exit
! Server 2
object network obj-10.1.1.20
 host 10.1.1.20
 exit
! Public IP
object network obj-1.1.1.1
 host 1.1.1.1
 exit
! Service object for HTTPS (the real server's port)
object service HTTPS
 service tcp source eq 443
 exit
! Service object for SSH
object service SSH
 service tcp source eq 22
 exit
! NAT1-SERVER1: 1.1.1.1 port 443 -> 10.1.1.10 port 443
nat (inside,outside) source static obj-10.1.1.10 obj-1.1.1.1 service HTTPS HTTPS
! NAT2-SERVER2: 1.1.1.1 port 22 -> 10.1.1.20 port 22
nat (inside,outside) source static obj-10.1.1.20 obj-1.1.1.1 service SSH SSH

access-list outside_in extended permit tcp any gt 1024 host 10.1.1.10 eq 443
access-list outside_in remark **** Access list for Server 1 HTTPS Access ****
access-list outside_in extended permit tcp any gt 1024 host 10.1.1.20 eq 22
access-list outside_in remark **** Access list for Server 2 SSH Access ****

Using this method I was able to use a single public IP and assign it to multiple internal servers on different ports, i.e. 443 and 22. If someone connects to the public IP 1.1.1.1 on 443 they get to the internal server 10.1.1.10; if someone uses SSH to the public IP 1.1.1.1 they get to the internal server 10.1.1.20. Similarly I can use this one public IP address for other internal resources on other ports such as 21, 80, 25 etc.
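The two things that go wrong with this pattern as it grows are a second rule that claims a public ip/port pair another rule already uses (only the first manual NAT rule in order ever matches) and an ACL that drifts away from the NAT table. The Python below is an added example, not ASA code or part of the original post; it models the rules and ACL above as data and resolves an inbound connection the way the ASA does after 8.3 (NAT rules first-match in order, then the interface ACL evaluated against the real address). The rule names, hosts and ports are the constructed ones from the scenario.

```python
from collections import namedtuple

NatRule = namedtuple("NatRule", "name real_host mapped_ip proto port")
AclEntry = namedtuple("AclEntry", "proto dst_host dst_port")

# Constructed model of the two manual NAT lines and the outside_in ACL above
NAT_RULES = [
    NatRule("NAT1-SERVER1", "10.1.1.10", "1.1.1.1", "tcp", 443),
    NatRule("NAT2-SERVER2", "10.1.1.20", "1.1.1.1", "tcp", 22),
]
# Post-8.3 ACLs are written against the real (untranslated) address
OUTSIDE_IN = [
    AclEntry("tcp", "10.1.1.10", 443),
    AclEntry("tcp", "10.1.1.20", 22),
]


def check_conflicts(rules):
    """Two rules that map the same public ip/proto/port to different real
    hosts: only the first one in the list would ever match."""
    seen, conflicts = {}, []
    for r in rules:
        key = (r.mapped_ip, r.proto, r.port)
        if key in seen and seen[key].real_host != r.real_host:
            conflicts.append((seen[key].name, r.name, key))
        seen.setdefault(key, r)
    return conflicts


def resolve_inbound(rules, acl, mapped_ip, proto, port):
    """Walk the manual NAT rules in order (first match wins), untranslate the
    destination, then check the interface ACL against the real address."""
    for r in rules:
        if (r.mapped_ip, r.proto, r.port) == (mapped_ip, proto, port):
            permitted = any(
                e.proto == proto and e.dst_host == r.real_host and e.dst_port == port
                for e in acl)
            return {"rule": r.name, "real_host": r.real_host, "permitted": permitted}
    # no translation for this ip/port: the packet never reaches an inside host
    return {"rule": None, "real_host": None, "permitted": False}


def stale_acl_entries(rules, acl):
    """ACL lines that permit a real host/port no NAT rule exposes: harmless on
    their own, but a sign the NAT table and the ACL have drifted apart."""
    exposed = {(r.real_host, r.proto, r.port) for r in rules}
    return [e for e in acl if (e.dst_host, e.proto, e.dst_port) not in exposed]


if __name__ == "__main__":
    for port in (443, 22, 80):
        print(port, resolve_inbound(NAT_RULES, OUTSIDE_IN, "1.1.1.1", "tcp", port))
    third = NAT_RULES + [NatRule("NAT3-SERVER3", "10.1.1.30", "1.1.1.1", "tcp", 443)]
    print("conflicts:", check_conflicts(third))
    print("stale ACL:", stale_acl_entries(NAT_RULES, OUTSIDE_IN + [AclEntry("tcp", "10.1.1.10", 80)]))
```

Port 443 resolves to 10.1.1.10 and port 22 to 10.1.1.20, both permitted; port 80 has no translation. Adding a third server on 1.1.1.1:443 is reported as a conflict with NAT1-SERVER1 rather than silently shadowed.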

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo 🙂.


21 Nov 12 Internet traffic and Cisco AnyConnect

Routing Internet traffic when using Cisco AnyConnect – Cisco ASA 5520 Code 8.4

Previously I worked on the Cisco AnyConnect VPN configuration on a Cisco ASA 5520 running 8.4 code. With everything working, I was able to access all the internal resources, however I was unable to access the Internet. Now I need to be able to give users access to the Internet. There are two ways of doing this:

  • Split tunneling
  • Tunnel All Traffic

If I do split tunneling, users will be able to access the Internet while using the Cisco AnyConnect VPN, however they will be using their local Internet connection, which is not considered very secure. So I decided to send their Internet traffic via the Cisco AnyConnect VPN as well, so when they go out to the Internet they go out via the corporate connection. Here are quick examples of both:

Split Tunneling

If you want to do split tunneling then look at the screenshot below. Under Group Policy you will go to “Advanced –> Split Tunneling”, then change the Policy to “Tunnel Network List Below”, and under Network List select the associated access list. The access list will look something like this:

“access-list ACL-NAME extended permit ip object-group INSIDE-NETWORK object-group REMOTE-VPN-NETWORK”.

Split Tunnel Cisco ASA 5520

Here is how the command line will look:

group-policy SPLIT-TUNNEL internal
group-policy SPLIT-TUNNEL attributes
 banner value You are accessing a secure system, all activity will be logged.
 wins-server value 192.168.0.2 192.168.0.13
 dns-server value 192.168.0.2 192.168.0.12
 vpn-simultaneous-logins 10
 vpn-idle-timeout 240
 vpn-session-timeout 1440
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
 default-domain value XXXX.COM
 split-tunnel-all-dns enable

Tunnel All

Now with this method all traffic, including Internet traffic, will traverse the Cisco AnyConnect VPN and will use the corporate Internet connection to go online. The group policy will look like this:
Tunnel All Cisco ASA 5520

Here is how the command line will look:

group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 192.168.0.2 192.168.0.12
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelall
 default-domain value xxx.com

Now there is a small step I performed so that outgoing traffic from all the remote users uses a different public IP address than the one defined on the outside interface. Also, the key point here is that in order to tunnel all traffic, VPN traffic needs to be able to make a “U” turn, i.e. go out the same interface it came in on. A couple of commands were needed for that part:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Now for NATing to a different public IP, here is what I did:

object network AnyConnect
subnet 172.16.0.128 255.255.255.128
nat (outside,outside) dynamic x.x.x.x

I took the AnyConnect network and made it go back out the outside interface with a different public IP.


15 Nov 12 Configuring Netflow on Cisco ASA 5520

Cisco ASA 5520 Netflow Configuration Example

Cisco NetFlow is a pretty awesome tool. It really gives you deep insight into your network and bandwidth utilization. Recently I had to configure NetFlow on a Cisco ASA 5520 and I’m just sharing my notes. There are basically three parts to it: 1) create a destination and configure its attributes, 2) an access list, 3) a policy map. Correct me if I am wrong, but I believe you need at least 8.2.x code on the ASA firewall for NetFlow v9. Anything below NetFlow v9 is not supported on the Cisco ASA anyway.

So I was using Cisco ASA 5520, running 8.4.3 code. Here are my steps:

! collector reachable via the inside interface, UDP port 2055
flow-export destination inside netflow-server-ip 2055
! delay flow-create events by 30 s so a short flow is reported once, at teardown
flow-export delay flow-create 30
! resend the template every 1 minute
flow-export template timeout-rate 1
!
! access list selecting the traffic to export
access-list netflow-hosts extended permit ip any any
! class for NetFlow, matching the access list created above
class-map netflow-traffic
 match access-list netflow-hosts
!
! add the class to the global policy
policy-map global_policy
 class inspection_default
 class netflow-traffic
  ! send all event types for this class to the collector
  flow-export event-type all destination netflow-server-ip

So this is a pretty straightforward example of how I configured NetFlow on the Cisco ASA 5520 running 8.4.3 code. Then I fired up Wireshark on the NetFlow server and I was able to see all the NetFlow traffic; under the Protocol column in Wireshark it shows up as CFLOW. I recommend checking out other resources on Cisco’s website or Google to get an even better understanding of Cisco NetFlow and how to implement it on different devices.
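What Wireshark labels CFLOW is the NetFlow v9 export format of RFC 3954: a 20-byte header followed by flowsets, where a template flowset (id 0) describes the record layout and data flowsets (id 256 and up) carry records in that layout. The Python below is an added example, not ASA code or part of the original post: it builds a v9 packet containing one template and two constructed flow records, and parses it back the way a collector must, including the case where a data flowset arrives before its template and cannot be decoded yet. The field set (source/destination address, ports, protocol, byte count) is a minimal one chosen for the example; the ASA's NSEL templates carry more fields.

```python
import socket
import struct

# NetFlow v9 field types (RFC 3954) used in this template, with their lengths
FIELD_LEN = {8: 4, 12: 4, 7: 2, 11: 2, 4: 1, 1: 4}
FIELD_NAME = {8: "src", 12: "dst", 7: "sport", 11: "dport", 4: "proto", 1: "bytes"}
FIELDS = [8, 12, 7, 11, 4, 1]   # IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_SRC_PORT, L4_DST_PORT, PROTOCOL, IN_BYTES
TEMPLATE_ID = 256               # data template ids start at 256; 0 and 1 are reserved


def build_packet(flows, seq=0, source_id=0, uptime_ms=0, unix_secs=0):
    """Encode flows as one v9 export packet: header, template flowset, data flowset."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    tmpl += b"".join(struct.pack("!HH", f, FIELD_LEN[f]) for f in FIELDS)
    template_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    records = b"".join(
        socket.inet_aton(f["src"]) + socket.inet_aton(f["dst"])
        + struct.pack("!HHBI", f["sport"], f["dport"], f["proto"], f["bytes"])
        for f in flows)
    pad = (-(4 + len(records))) % 4          # flowsets are padded to 4-byte boundaries
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(records) + pad) + records + b"\x00" * pad
    # header count = template records + data records in this packet
    header = struct.pack("!HHIIII", 9, 1 + len(flows), uptime_ms, unix_secs, seq, source_id)
    return header + template_set + data_set


def parse_packet(data, templates=None):
    """Decode a v9 packet. Templates learned here are kept in `templates` so a
    collector can decode later data-only packets from the same exporter."""
    templates = {} if templates is None else templates
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    flows, off = [], 20
    while off + 4 <= len(data):
        set_id, set_len = struct.unpack("!HH", data[off:off + 4])
        if set_len < 4:
            raise ValueError("malformed flowset length")
        body = data[off + 4:off + set_len]
        if set_id == 0:                          # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if tid == 0:                     # padding, not a template
                    break
                spec = []
                for _ in range(nfields):
                    spec.append(struct.unpack("!HH", body[p:p + 4]))
                    p += 4
                templates[tid] = spec
        elif set_id >= 256:                      # data flowset
            spec = templates.get(set_id)
            rec_len = sum(l for _, l in spec) if spec else 0
            if rec_len:                          # data before its template cannot be decoded
                p = 0
                while p + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in spec:
                        raw = body[p:p + flen]
                        p += flen
                        rec[FIELD_NAME.get(ftype, ftype)] = (
                            socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big"))
                    flows.append(rec)
        off += set_len
    return {"seq": seq, "source_id": source_id, "count": count, "flows": flows}


# Constructed sample flows: an HTTPS session and a DNS query
SAMPLE_FLOWS = [
    {"src": "10.1.1.10", "dst": "203.0.113.5", "sport": 51000, "dport": 443, "proto": 6, "bytes": 1500},
    {"src": "10.1.1.10", "dst": "192.168.0.2", "sport": 40000, "dport": 53, "proto": 17, "bytes": 88},
]

if __name__ == "__main__":
    pkt = build_packet(SAMPLE_FLOWS, seq=1, source_id=7)
    print(f"{len(pkt)} byte export packet")
    for rec in parse_packet(pkt)["flows"]:
        print(rec)
```

The round trip reproduces both records. The `templates` argument is what makes the "resend the template every minute" setting above matter: a collector started after the last template was sent decodes nothing from the data-only packets until the next template arrives.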


05 Nov 12 Configure Microsoft NPS 2008 for Cisco AnyConnect VPN

Microsoft NPS 2008 Server configuration for Cisco AnyConnect VPN Client

Previously I explained how I configured the Cisco AnyConnect VPN on the Cisco ASA 5520. In that configuration, instead of using local authentication I used RADIUS authentication. In this article I am going to talk about how I configured the RADIUS server, Microsoft NPS 2008, to provide authentication for Cisco AnyConnect clients.

Since the Cisco ASA configuration has already been explained, I’m only putting the Microsoft NPS 2008 server steps here:

  • I started by creating a new policy; under Overview I left the settings as shown in the picture below (Note: you can name the policy whatever you like)
  • Next, under Conditions, there were two things I had to add: 1) the Windows group that I wanted to allow to use the Cisco AnyConnect VPN, 2) NAS IPv4 Address = the Cisco ASA’s inside interface IP
  • Next, under Constraints, the only thing I changed was the Authentication Method, which I set to MS-CHAP-v2. There are other methods available as well, but for now I just picked this
  • That is it. After all these steps and saving my settings I added a test user to my AnyConnect group and was able to sign in to the Cisco AnyConnect VPN. As soon as I took that user out of the group I was no longer able to sign in.

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo :).
