
ASA RADIUS auth request with tunnel-group attribute

jkloet
Level 1

ASA version 8.4(5), AnyConnect clients, Cisco ACS 4.2

I need to pass on (inbound RADIUS attribute) to ACS what tunnel-group is being used to establish a VPN session.  I don't see this as an option anywhere ... does anyone know if this is possible?

Thanks, Jeff K

3 Replies

jan.nielsen
Level 7

I believe that should be enabled by default on the ASA; however, I don't remember what version this was introduced in, but it was quite recent, so maybe your 8.4.5 doesn't send the tunnel-group name in the RADIUS request.

Thanks for that info Jan.  I will try a newer version and report back what I find.  Jeff K

jkloet
Level 1

I discovered the "Tunnel Group Name" attribute was added in ASA 8.4.3 ... see release notes.

It turns out our actual problem is that ACS Windows 4.x does not recognize this new attribute.

I opened a TAC case and hooked up with a great support engineer. She found a patch (put together a while back for another customer) to update an ACS 4.x database so it will recognize the Tunnel Group Name attribute.

Thanks Eli!

Jeff K
