
ASA Attribute 146 _Tunnel-group name in policy condition on NPS Windows Radius server_Anyconnect VPN

Thank you all for your wonderful support.

The ASA has a couple of tunnel-groups, as below:

(1) Admin VPN - full tunnel

(2) Admin-Split - split tunnel

(3) VPN for all associates

Configured an aaa-server group with the RADIUS protocol.

I see that the Cisco ASA is sending attribute 146 (tunnel-group name) to the RADIUS server while requesting authentication and authorization.

Is there any way Network Policy Server (Windows RADIUS) can consider this as another condition along with group-membership validation?

If someone has come across this kind of requirement, please advise me. Thank you.

Accepted Solutions
Re: ASA Attribute 146 _Tunnel-group name in policy condition on NPS Windows Radius server_Anyconnect VPN

Hi,

I had a quick check (using Server 2008 R2 and 2012). I don't think it is possible using NPS, as there does not appear to be an option to match on a vendor-specific AVP during the authentication phase. It's certainly possible using ISE.

NPS does allow you to send a vendor-specific AVP to the client during authorisation. Potentially you could just define one tunnel-group and then, as part of authorisation, send a different group-policy, which specifies the split-tunnel, DNS and address pool configuration for the three different types of users.

HTH

Re: ASA Attribute 146 _Tunnel-group name in policy condition on NPS Windows Radius server_Anyconnect VPN

Hi Rob,

Thank you for your time.

"Potentially you could just define 1 tunnel-group and then as part of authorisation send a different group-policy, which specifies the split-tunnel, dns, address pool configuration for the 3 different types of users" -- This worked. NPS has sent an attribute (25 - Class) which is telling the ASA to provide the user with a group-policy.

But the main problem: when a user is part of multiple groups, to get the required group-policy, NPS is always validating against only the first-match authentication. Based on your input, it is not possible. Thank you :-)
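The exchange above can be made concrete with a small decoder. The following is an added example, not code from the thread or from Cisco or Microsoft: it parses the RADIUS attributes the posters mention (the ASA's Tunnel-Group-Name VSA in the Access-Request, and the IETF Class attribute 25 carrying `OU=<group-policy>` in the Access-Accept) and then models an NPS-style ordered, first-match policy list that can only test group membership. It assumes the ASA VPN attributes travel under vendor ID 3076 with Tunnel-Group-Name as vendor type 146 (verify against the RADIUS dictionary you deploy); all packet bytes, group names and policy names are constructed for illustration. Running it shows the limitation the original poster hit: the tunnel-group name is visible in the request but the policy engine never consults it, so a user in two groups always gets the first matching policy's group-policy.

```python
"""Decode ASA RADIUS attributes and model NPS first-match policy evaluation.

Added example (not from the thread). Sample bytes are constructed.
Assumption: Cisco ASA VPN attributes use IETF attribute 26 (Vendor-Specific)
with vendor ID 3076, and Tunnel-Group-Name is vendor type 146.
"""
import struct

VENDOR_CISCO_ASA = 3076        # assumed vendor ID for ASA VPN attributes
VSA_TUNNEL_GROUP_NAME = 146    # vendor type quoted in the thread
ATTR_USER_NAME = 1
ATTR_CLASS = 25                # IETF Class, returned by NPS
ATTR_VENDOR_SPECIFIC = 26


def build_avp(attr_type, value):
    """Encode one RADIUS attribute: type (1 byte), length (1 byte), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_cisco_vsa(vendor_type, value):
    """Wrap a vendor attribute in IETF attribute 26 with the ASA vendor ID."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return build_avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO_ASA) + inner)


def parse_avps(blob):
    """Walk RADIUS attribute TLVs defensively; return a list of (type, value)."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def tunnel_group_from_request(blob):
    """Return the Tunnel-Group-Name the ASA placed in the Access-Request, or None."""
    for attr_type, value in parse_avps(blob):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        if vendor != VENDOR_CISCO_ASA:
            continue
        for vendor_type, vendor_value in parse_avps(value[4:]):
            if vendor_type == VSA_TUNNEL_GROUP_NAME:
                return vendor_value.decode("ascii")
    return None


# Constructed NPS-style network policies: ordered, first match wins, and the
# only condition available is AD group membership (no VSA condition).
POLICIES = [
    {"name": "Admins full", "group": "VPN-Admins", "group_policy": "Admin-Full"},
    {"name": "Admins split", "group": "VPN-Admins-Split", "group_policy": "Admin-Split"},
    {"name": "Associates", "group": "VPN-Users", "group_policy": "Associates"},
]


def evaluate(user_groups, policies=POLICIES):
    """First-match evaluation over the ordered policy list."""
    for policy in policies:
        if policy["group"] in user_groups:
            return policy
    return None


def access_accept_attrs(policy):
    """Class attribute in OU=<group-policy> form, which the ASA maps to a group-policy."""
    return build_avp(ATTR_CLASS, ("OU=" + policy["group_policy"]).encode("ascii"))


def group_policy_from_class(blob):
    """Recover the group-policy name from a Class attribute (optional trailing ';')."""
    for attr_type, value in parse_avps(blob):
        if attr_type == ATTR_CLASS and value.startswith(b"OU="):
            return value[3:].rstrip(b";").decode("ascii")
    return None


def decide(request_blob, user_groups):
    """Return (tunnel group seen, policy matched, group-policy sent back)."""
    tunnel_group = tunnel_group_from_request(request_blob)  # decoded but unused below
    policy = evaluate(user_groups)
    if policy is None:
        return tunnel_group, None, None
    return tunnel_group, policy["name"], group_policy_from_class(access_accept_attrs(policy))


if __name__ == "__main__":
    # Constructed request: user connecting to the Admin-Split tunnel group.
    req = build_avp(ATTR_USER_NAME, b"alice") + build_cisco_vsa(VSA_TUNNEL_GROUP_NAME, b"Admin-Split")
    print(decide(req, {"VPN-Admins", "VPN-Admins-Split"}))
```

The last call is the case from the thread: the request carries `Admin-Split`, but because the user is also in `VPN-Admins`, the first policy wins and `Admin-Full` is returned. Reordering the policies only moves the problem to the other group, which is why the answer points to a RADIUS server that can condition on the VSA.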