ASA ignoring some RADIUS CoA attributes

ajtm
Level 1

I'm setting up RA VPN using AnyConnect + ASA and authentication is performed on ISE.
Everything works fine and I'm able to assign Group Policies and DACLs using RADIUS.
Now I need to assign Group Policy based on ISE Posture result, but ASA is ignoring Group Policy and Re-authentication Time attributes passed on RADIUS CoA. DACL value is processed without any problem!


My goal is to assign AnyConnect client profiles (AC Management VPN Profile) and reauthentication timer based on posture result (validates on registry that user logged in using domain machine).

8 Replies

@ajtm 

Does the ASA receive these RADIUS attributes? Turn on ASA debugs to confirm, and provide the output for review.

Are you using "Advanced Attribute Settings" -> Class = ou=<GROUP-POLICY-NAME> in the ISE AuthZ profile?

What version of ASA are you using?

@Rob Ingram 

Yes, I can see the attributes being returned running debugs on ASA. It seems they worked fine for RADIUS but not for RADIUS CoA.

We're testing on ASA 9.13(1).


Thanks

AM

hslai
Cisco Employee

This is expected. ASA policy updates via CoA are limited to ACLs/DACLs, and SGT updates.
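To check what a CoA-Request actually carries before deciding whether the ASA "ignored" something, it helps to decode the attribute list and mark each attribute against the rule stated above (only DACL and SGT updates are applied via CoA). The script below is an added example, not code from the thread, Cisco or ISE: it builds a constructed CoA-Request, parses the RADIUS TLVs including Cisco vendor-specific av-pairs, and labels each attribute. The av-pair string prefixes used to recognise a DACL and an SGT, and the use of Session-Timeout (27) to stand in for the "Re-authentication Time" attribute the original post mentions, are assumptions.

```python
"""Decode a RADIUS CoA-Request and flag which attributes the ASA applies
over CoA (DACL / SGT) versus ones it accepts only at initial authorization
(Class = ou=<group-policy>, Session-Timeout). Added example; the sample
packet is constructed, not a capture from the thread."""
import struct
import ipaddress

RADIUS_COA_REQUEST = 43          # RFC 5176 CoA-Request packet code
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
ATTR_SESSION_TIMEOUT = 27
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1

# Assumed cisco-av-pair prefixes for a downloadable ACL and an SGT; these
# string forms are an assumption about ISE encoding, not taken from the thread.
DACL_PREFIXES = ("ACS:CiscoSecure-Defined-ACL=", "ip:inacl#")
SGT_PREFIX = "cts:security-group-tag="


def attr(atype, value):
    """Encode one standard RADIUS attribute TLV: type, length, value."""
    return bytes([atype, 2 + len(value)]) + value


def cisco_avpair(text):
    """Encode a cisco-av-pair as Vendor-Specific (26) / vendor 9 / vendor-type 1."""
    inner = attr(CISCO_AV_PAIR, text.encode())
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(attributes, ident=1):
    """Assemble a CoA-Request; the 16-byte authenticator is zeroed as a placeholder."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", RADIUS_COA_REQUEST, ident, 20 + len(body))
    return header + b"\x00" * 16 + body


def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header and return (name, value) pairs."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_COA_REQUEST or length != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    payload, i, out = packet[20:], 0, []
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length at offset %d" % i)
        value = payload[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            name = ("cisco-av-pair" if (vendor, vtype) == (CISCO_VENDOR_ID, CISCO_AV_PAIR)
                    else "VSA(%d/%d)" % (vendor, vtype))
            out.append((name, value[6:4 + vlen].decode(errors="replace")))
        elif atype == ATTR_FRAMED_IP_ADDRESS:
            out.append(("Framed-IP-Address", str(ipaddress.IPv4Address(value))))
        elif atype == ATTR_SESSION_TIMEOUT:
            out.append(("Session-Timeout", str(struct.unpack("!I", value)[0])))
        elif atype == ATTR_CLASS:
            out.append(("Class", value.decode(errors="replace")))
        else:
            out.append(("Attr(%d)" % atype, value.hex()))
        i += alen
    return out


def coa_effect(name, value):
    """Classify per the reply above: only DACL and SGT updates are applied via CoA."""
    if name == "cisco-av-pair" and value.startswith(DACL_PREFIXES):
        return "applied (DACL)"
    if name == "cisco-av-pair" and value.startswith(SGT_PREFIX):
        return "applied (SGT)"
    return "ignored on CoA: set at initial authorization only"


def audit_coa(packet):
    """Return (name, value, effect) for every attribute in the CoA-Request."""
    return [(n, v, coa_effect(n, v)) for n, v in parse_attributes(packet)]


# Constructed sample modelled on the original post: a posture-result CoA that
# carries a DACL plus a group-policy Class and a reauthentication timer.
SAMPLE_COA = build_coa_request([
    cisco_avpair("ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-COMPLIANT-placeholder"),
    attr(ATTR_CLASS, b"ou=GP-MGMT-TUNNEL"),
    attr(ATTR_SESSION_TIMEOUT, struct.pack("!I", 3600)),
])

if __name__ == "__main__":
    for name, value, effect in audit_coa(SAMPLE_COA):
        print("%-18s %-60s %s" % (name, value, effect))
```

Run it against a packet captured from ISE (or against attribute values copied out of the ASA debug output) to see at a glance which items in the CoA the ASA is expected to honour; anything that lands in the "ignored on CoA" row needs to be delivered in the initial Access-Accept instead.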

I was not aware of that limitation.... it would be nice if we could also have group policy update.


Hi hslai, I want to double-check your comment that ASA policy updates via CoA are limited to ACLs/DACLs and SGT updates.

I have a user that I need to assign a static IP address retrieved from their Dial-In settings in Active Directory. I have excluded this IP address from the ASA VPN Pool so it cannot be assigned to another user. I actually followed the procedure found at the link below. https://integratingit.wordpress.com/2017/01/01/cisco-asa-anyconnect-vpn-with-static-client-ip-address/


I can see ISE sending the Framed-IP-Address attribute in the Authorization; however, ASA never applies this to the client. So based on your comments, is this a limitation?

Just resolved this by enabling Use Authentication Server in my ASA and now I am getting static IP.  Thanks.

Peter Koltl
Level 7

I can hardly interpret switching the Group-policy. You can switch to another SGT or DACL, but a client profile is not something you switch. The XML profile has already been downloaded; then a CoA is supposed to change it? The XML will not be deleted if it has already been downloaded.

Hi Peter,


In this situation I need to disconnect computers that are not posture compliant and assign AnyConnect Management Tunnel profile to compliant computers. How else can I do this?


Regards

Antonio