Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2454
Views
10
Helpful
8
Replies

ASA ignoring some RADIUS CoA attributes

ajtm
Level 1
Level 1

‎06-07-2021 06:40 AM

I'm setting up RA VPN using AnyConnect + ASA and authentication is performed on ISE.
Everything works fine and I'm able to assign Group Policies and DACLs using RADIUS.
Now I need to assign Group Policy based on ISE Posture result but ASA is ignoring Group Policy and Re-authentication Time attributes passed on RADIUS CoA. DACL value is processed without any problem!


My goal is to assign AnyConnect client profiles (AC Management VPN Profile) and reauthentication timer based on posture result (validates on registry that user logged in using domain machine).

0 Helpful
8 Replies 8

Rob Ingram
VIP
VIP

‎06-07-2021 08:08 AM

@ajtm 

Does the ASA receive these RADIUS attributes? turn on ASA debugs to confirm, provide the output for review.

Are you using "Advanced Attribute Settings" -> Class = ou=<GROUP-POLICY-NAME> in the ISE AuthZ profile?

What version of ASA are you using?

0 Helpful

ajtm
Level 1
Level 1
In response to Rob Ingram

‎06-07-2021 08:18 AM

@Rob Ingram 

Yes, I can see the attributes being returned running debugs on ASA. It seems they worked fine for RADIUS but not for RADIUS CoA.

We're testing on ASA 9.13(1).

 

Thanks

AM

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎06-08-2021 07:13 AM

This is expected. ASA policy updates via CoA are limited to ACLs/DACLs, and SGT updates.

ajtm
Level 1
Level 1
In response to hslai

‎06-08-2021 05:05 PM

I was not aware of that limitation.... it would be nice if we could also have group policy update.

 

0 Helpful

Ricky Sandhu
Level 1
Level 1
In response to hslai

‎11-03-2021 02:20 AM

Hi hslai,  I want to double-check your comment that ASA policy updates via CoA are limited to ACLs/DACLs and SGT updates.

I have a user that I need to assign a static IP address retrieved from their Dial-In settings in Active Directory.  I have exlcuded this IP address from ASA VPN Pool so it cannot be assigned to another user.  I actually followed the procedure found at the link below.  https://integratingit.wordpress.com/2017/01/01/cisco-asa-anyconnect-vpn-with-static-client-ip-address/

 

I can see ISE sending the framed IP address attribute in the Authorization however ASA never applies this to the client.  So based on your comments, is this a limitation? 

0 Helpful

Ricky Sandhu
Level 1
Level 1
In response to Ricky Sandhu

‎11-03-2021 02:28 AM

Just resolved this by enabling Use Authentication Server in my ASA and now I am getting static IP.  Thanks.

0 Helpful

Peter Koltl
Level 7
Level 7

‎06-10-2021 02:09 PM

I can hardly interpret switching the Group-policy. You can switch to another SGT or DACL but a client profile is not something you switch. The XML profile has already downloaded then a CoA is supposed to change it? The XML will not be deleted if has already been downloaded.

0 Helpful

ajtm
Level 1
Level 1
In response to Peter Koltl

‎06-10-2021 03:09 PM

Hi Peter,

 

In this situation I need to disconnect computers that are not posture compliant and assign AnyConnect Management Tunnel profile to compliant computers. How else can I do this?

 

Regards

Antonio

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents