We have a setup with ASA and ACS 5.0 and are trying to send RADIUS attribute Class (25) back from the ACS to the ASA to assign Group-policy.
The problem we have is that the ACS responds with some kind of session-id as the value for the class-attribute (for example "SERVERXX/12345678/08") instead of the value we have configured (for example "OU=GRP1").
Have we configured something wrong?
This is an evaluation-version of ACS.
Before you can enable attributes on a per-user basis, you must enable the Per-user TACACS+/RADIUS Attributes option on the Advanced Options page in the Interface Configuration section. After enabling per-user attributes, a user column will appear as disabled in the Interface Configuration page for that attribute.
I cannot find this option in ACS 5.0.
I do receive per-user attributes, the only thing is that the class-attribute contains the wrong information (i.e. not the information I typed in).
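An added example, not part of the thread and not Cisco code: one way to confirm what the Class (25) attribute actually carries is to parse the Access-Accept taken from a capture between the ACS and the ASA. The packets below are constructed from the two values quoted in the post, the user name `user1` is made up, and the function names are hypothetical.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
CLASS = 25          # RADIUS attribute type for Class

def radius_attributes(packet: bytes):
    """Return [(type, value), ...] after validating header and TLV lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def check_class(packet: bytes, expected: str) -> dict:
    """Report every Class value in an Access-Accept; Class may occur more than once."""
    attrs = radius_attributes(packet)
    if packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    values = [v.decode("latin-1") for t, v in attrs if t == CLASS]
    return {
        "class_values": values,
        "expected_present": expected in values,
        "unexpected": [v for v in values if v != expected],
    }

def build_accept(attrs) -> bytes:
    """Build a constructed Access-Accept (zeroed authenticator, not verified here)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples using the two values quoted in the post above.
OBSERVED = build_accept([(1, b"user1"), (CLASS, b"SERVERXX/12345678/08")])
WANTED = build_accept([(1, b"user1"), (CLASS, b"OU=GRP1")])

if __name__ == "__main__":
    for name, pkt in (("observed", OBSERVED), ("wanted", WANTED)):
        print(name, check_class(pkt, "OU=GRP1"))
```

The parser does not verify the Response Authenticator, so it is a diagnostic for attribute contents only.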
There is in fact a bug open for this issue and it is planned to be included in the next patch for 5.0, patch 8. This should be posted to CCO by the week ending Aug 28th.
ACS 22.214.171.124.8 cumulative patch is ready on CCO and includes this fix
Download from: CCO / Support / Download Software
Select: Security / Identity Management / Cisco Secure Access Control System / 126.96.36.199
Patch filename: 5-0-0-21-8.tar.gpg
Readme and installation instructions: Acs-188.8.131.52.8-Readme.txt