topic Re: ASA ignoring some RADIUS CoA attributes in Network Access Control

ASA ignoring some RADIUS CoA attributes

ajtm — Mon, 07 Jun 2021 13:40:27 GMT

I'm setting up RA VPN using AnyConnect + ASA and authentication is performed on ISE.
Everything works fine and I'm able to assign Group Policies and DACLs using RADIUS.
Now I need to assign Group Policy based on ISE Posture result but ASA is ignoring Group Policy and Re-authentication Time attributes passed on RADIUS CoA. DACL value is processed without any problem!

My goal is to assign AnyConnect client profiles (AC Management VPN Profile) and reauthentication timer based on posture result (validates on registry that user logged in using domain machine).

Re: ASA ignoring some RADIUS CoA attributes

Rob Ingram — Mon, 07 Jun 2021 15:08:41 GMT

@ajtm

Does the ASA receive these RADIUS attributes? turn on ASA debugs to confirm, provide the output for review.

Are you using "Advanced Attribute Settings" -> Class = ou=<GROUP-POLICY-NAME> in the ISE AuthZ profile?

What version of ASA are you using?

Re: ASA ignoring some RADIUS CoA attributes

ajtm — Mon, 07 Jun 2021 15:18:52 GMT

@Rob Ingram

Yes, I can see the attributes being returned running debugs on ASA. It seems they worked fine for RADIUS but not for RADIUS CoA.

We're testing on ASA 9.13(1).

Thanks

Re: ASA ignoring some RADIUS CoA attributes

hslai — Tue, 08 Jun 2021 14:13:19 GMT

This is expected. ASA policy updates via CoA are limited to ACLs/DACLs, and SGT updates.

Re: ASA ignoring some RADIUS CoA attributes

ajtm — Wed, 09 Jun 2021 00:05:27 GMT

I was not aware of that limitation.... it would be nice if we could also have group policy update.

Re: ASA ignoring some RADIUS CoA attributes

Peter Koltl — Thu, 10 Jun 2021 21:09:28 GMT

I can hardly interpret switching the Group-policy. You can switch to another SGT or DACL but a client profile is not something you switch. The XML profile has already downloaded then a CoA is supposed to change it? The XML will not be deleted if has already been downloaded.

Re: ASA ignoring some RADIUS CoA attributes

ajtm — Thu, 10 Jun 2021 22:09:27 GMT

Hi Peter,

In this situation I need to disconnect computers that are not posture compliant and assign AnyConnect Management Tunnel profile to compliant computers. How else can I do this?

Regards

Antonio

Re: ASA ignoring some RADIUS CoA attributes

Ricky Sandhu — Wed, 03 Nov 2021 09:20:58 GMT

Hi hslai, I want to double-check your comment that ASA policy updates via CoA are limited to ACLs/DACLs and SGT updates.

I have a user that I need to assign a static IP address retrieved from their Dial-In settings in Active Directory. I have exlcuded this IP address from ASA VPN Pool so it cannot be assigned to another user. I actually followed the procedure found at the link below. https://integratingit.wordpress.com/2017/01/01/cisco-asa-anyconnect-vpn-with-static-client-ip-address/

I can see ISE sending the framed IP address attribute in the Authorization however ASA never applies this to the client. So based on your comments, is this a limitation?

Re: ASA ignoring some RADIUS CoA attributes

Ricky Sandhu — Wed, 03 Nov 2021 09:28:06 GMT

Just resolved this by enabling Use Authentication Server in my ASA and now I am getting static IP. Thanks.