Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Authorization Profile Attr 25 Group_Name

Hey all,

I am trying to finalize my ISE Checkpoint Radius connection for VPN Authentication. Only problem I have, in authorization process, I want ISE to send first Group of user (I am authenticating internally) to checkpoint as attr 25. 

However ISE sends "User Identity Group:Group_Name" which checkpoint does not understand prefix. I need class 25 attribute as only Group_Name to be delivered to checkpoint. Can I twick ISE to do that by creating new attribute in dictionary maybe?

Thanks in advance!

PS:. I know I can create several Profiles with manually added Group names and create Policies based on OU but I want it to be one policy where first group name will be delivered automatically but without prefix.


Arne Bier
VIP Advisor

Hi @OrkhanRustamli 


There is no way to manipulate the RADIUS Attribute strings in the Authorization profile. E.g. if you wanted to strip/add some text to an attribute :-( - this should be a standard feature of any RADIUS server - but ISE is very prescriptive in this regard.


You wanted to map only the Identity Group name to the RADIUS Class attribute - ISE has a Common Task for that called "ASA-VPN" - it automatically brings up the drop down list - and if you choose Identity Group Name, then ISE still prefixes the Group Name with the string "User Identity Groups:" - is there any feature in the Checkpoint that allows you to match on a regex?

Content for Community-Ad