Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3594
Views
0
Helpful
2
Replies

ASA DAP using Radius IETF-25 Class Attribute

ben.posner
Level 1
Level 1

‎10-09-2009 07:48 AM - edited ‎03-10-2019 04:43 PM

Has anyone ever got the ASA's DAP to trigger on the IETF Radius Class attribute? Am i supposed to use 25 for the class attribute, or 4121 (4096+25)? do i enter the exact string i have in the class field in ACS into the value field? For example, In ACS I have in my user group A "ou=GroupPolicy1" entered into the IETF-25 Class field.

side question, can i use multiple entries in this ACS field and will DAP parse on them all? for instance, i would like to have a super user of a group have an extra class statement that gives them rights above and beyond their peers.

thanks for any help you can provide!

Labels:
0 Helpful
2 Replies 2

hdashnau
Cisco Employee
Cisco Employee

‎10-14-2009 10:33 AM

When you are creating the DAP, select "RADIUS" as the aaa attribute type. The "attribute ID" should be 25. The "value" will be whatever you have specified on your ACS (ie for you it would be ou=GroupPolicy1)

You can try passing multiple values and you can confirm DAP parses them in the debugs (debug dap error and debug dap trace) -- you will see lines in the debugs like "aaa.radius["25"] = xxxx" where xxx is what you have set.

You can create and match multiple DAP records if you want; if you do set it up with multiple DAP records, you can also use the above DAP debugs to confirm which DAP policies are being selected (you will see it towards the bottom of the debugs)

-heather

0 Helpful

ben.posner
Level 1
Level 1
In response to hdashnau

‎10-14-2009 11:39 AM

Hi Heather,

I wasn't able to get the radius 25 attribute to work at all. I had read somewhere that you had to add 4096 to the attribute number and so i tried 4121 as well but that didn't work either. I ended up resorting to the cisco.username attribute and that works well so far.

I was trying to get multiple statements in the Class attribute to parse and using DAP make both groups access combine. turns out only the first class is read and understood as far as i can tell. so i'll have to put users into groups using the group as the basis of the security profile and use the DAP to parse the name of hte user if i need to add or subtract any other special access needs.

Ben

0 Helpful
Customers Also Viewed These Support Documents