08-15-2013 08:16 AM - edited 03-10-2019 08:46 PM
ASA version 8.4(5), AnyConnect clients, Cisco ACS 4.2
I need to pass on (inbound RADIUS attribute) to ACS what tunnel-group is being used to establish a VPN session. I don't see this as an option anywhere ... does anyone know if this is possible?
Thanks, Jeff K
08-15-2013 12:35 PM
I believe that should be enabled by default on the ASA; however, I don't remember what version this was introduced in, but it was quite recent, so maybe your 8.4.5 doesn't send the tunnel-group name in the RADIUS request.
08-16-2013 04:52 AM
Thanks for that info Jan. I will try a newer version and report back what I find. Jeff K
08-23-2013 10:22 AM
I discovered the "Tunnel Group Name" attribute was added in ASA 8.4.3 ... see release notes.
It turns out our actual problem is that ACS Windows 4.x does not recognize this new attribute.
I opened a TAC case and hooked up with a great support engineer. She found a patch (put together a while back for another customer) to update an ACS 4.x database so it will recognize the Tunnel Group Name attribute.
Thanks Eli!
Jeff K