ASA Attribute 146 (Tunnel-group name) in policy condition on NPS Windows RADIUS server - AnyConnect VPN

NDP

Thank you all for your wonderful support.

ASA has a couple of tunnel-groups as below:

(1) Admin VPN - full tunnel

(2) Admin-Split - split tunnel

(3) VPN for all associates

Configured aaa-server group with RADIUS protocol.

I see that Cisco ASA is sending attribute 146 (tunnel-group name) to the RADIUS server while requesting authentication and authorization.

Is there any way Network Policy Server (Windows RADIUS) can consider this as another condition along with group-membership validation?

If someone has come across this kind of requirement, please advise me. Thank you.

1 Accepted Solution

Hi,

I had a quick check (using Server 2008 R2 and 2012). I don't think it is possible using NPS, as there does not appear to be an option to match on a vendor-specific AVP during the authentication phase. It's certainly possible using ISE.

NPS does allow you to send a vendor-specific AVP to the client during authorisation. Potentially you could just define 1 tunnel-group and then, as part of authorisation, send a different group-policy which specifies the split-tunnel, DNS and address pool configuration for the 3 different types of users.

HTH

2 Replies


Hi Rob,

Thank you for your time.

"Potentially you could just define 1 tunnel-group and then as part of authorisation send a different group-policy, which specifies the split-tunnel, dns, address pool configuration for the 3 different types of users" -- This worked. NPS has sent an attribute (25 - Class) which tells the ASA to provide the user with the group-policy.

But the main problem: when a user is part of multiple groups, to get the required group-policy, NPS always validates against only the first match. Based on your input, it is not possible. Thank you :-)
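As an added illustration of the two attributes this thread turns on (not code from the thread, from Cisco or from Microsoft), the following Python encodes and decodes the RADIUS attribute section of the exchange: the ASA's Access-Request carrying the tunnel-group name as a vendor-specific sub-attribute 146, and the Access-Accept carrying a Class (25) attribute that selects the group-policy. Two details are assumptions taken from Cisco's public ASA RADIUS documentation rather than from the thread: the vendor ID 3076 under which the ASA sends its VSAs, and the `OU=<group-policy-name>;` format the ASA expects inside Class. The user name and tunnel-group values are constructed samples; the 20-byte RADIUS header and authenticator are outside the scope of the example.

```python
import struct
from typing import List, Optional, Tuple

# Assumed values (from Cisco's public ASA RADIUS attribute docs, not from this thread):
CISCO_ASA_VENDOR_ID = 3076         # vendor ID the ASA uses for its vendor-specific attributes
VSA_TUNNEL_GROUP_NAME = 146        # Cisco ASA VSA carrying the tunnel-group name in Access-Request
# Standard RADIUS attribute types (RFC 2865):
ATTR_USER_NAME = 1
ATTR_CLASS = 25                    # ASA reads "OU=<group-policy>;" from this to pick a group-policy
ATTR_VENDOR_SPECIFIC = 26

Attr = Tuple[int, Optional[int], Optional[int], bytes]


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value: 1-byte type, 1-byte total length (including header), value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): 4-byte vendor ID followed by one nested TLV."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def decode_attrs(payload: bytes) -> List[Attr]:
    """Parse the attribute section of a RADIUS packet (everything after the 20-byte header).

    Returns (type, vendor_id, vendor_type, value) tuples; the vendor fields are None for
    standard attributes.  Malformed lengths raise rather than being silently skipped.
    """
    out: List[Attr] = []
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError(f"bad length {length} for attribute {t}")
        value = payload[i + 2:i + length]
        i += length
        if t != ATTR_VENDOR_SPECIFIC:
            out.append((t, None, None, value))
            continue
        if len(value) < 6:
            raise ValueError("vendor-specific attribute too short")
        vendor_id = struct.unpack("!I", value[:4])[0]
        j = 4
        while j < len(value):
            if len(value) - j < 2:
                raise ValueError("truncated vendor sub-attribute")
            vt, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError(f"bad vendor sub-attribute length {vlen}")
            out.append((t, vendor_id, vt, value[j + 2:j + vlen]))
            j += vlen
    return out


def tunnel_group_name(attrs: List[Attr]) -> Optional[str]:
    """Tunnel-group the ASA reported in its Access-Request (VSA 146), if present."""
    for t, vid, vt, value in attrs:
        if t == ATTR_VENDOR_SPECIFIC and vid == CISCO_ASA_VENDOR_ID and vt == VSA_TUNNEL_GROUP_NAME:
            return value.decode("ascii", "replace")
    return None


def group_policy_from_class(attrs: List[Attr]) -> Optional[str]:
    """Group-policy the ASA would apply from a returned Class attribute.

    Assumed ASA convention: Class value "OU=<group-policy-name>;".  A Class value in any
    other form (for example an opaque accounting cookie) yields no group-policy.
    """
    for t, _, _, value in attrs:
        if t == ATTR_CLASS:
            text = value.decode("ascii", "replace")
            if text.startswith("OU="):
                return text[3:].rstrip(";")
    return None


def build_access_request(user: str, tunnel_group: str) -> bytes:
    """Attribute section of the Access-Request the ASA sends (User-Name + VSA 146)."""
    return (encode_attr(ATTR_USER_NAME, user.encode())
            + encode_vsa(CISCO_ASA_VENDOR_ID, VSA_TUNNEL_GROUP_NAME, tunnel_group.encode()))


def build_access_accept(group_policy: str) -> bytes:
    """Attribute section of the Access-Accept NPS returns (Class = OU=<policy>;)."""
    return encode_attr(ATTR_CLASS, f"OU={group_policy};".encode())


if __name__ == "__main__":
    # Constructed sample exchange using one of the thread's tunnel-group names.
    req = build_access_request("alice", "Admin-Split")
    print("tunnel-group in request:", tunnel_group_name(decode_attrs(req)))
    acc = build_access_accept("Admin-Split-GP")
    print("group-policy from Class:", group_policy_from_class(decode_attrs(acc)))
```

Running the decoder against a capture of the ASA's Access-Request is a quick way to confirm that the tunnel-group name really does arrive at NPS as a vendor-specific sub-attribute, which is exactly the part NPS cannot use as a policy condition; the Class side shows why the single-tunnel-group workaround works, since the ASA only needs the `OU=` value to select the group-policy.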
