02-05-2021 08:54 PM
Hello,
EAPTunnel is not an option under the policy set Network Access conditions. It is however an option inside the policy set for Authorization, which does not help me. I need to differentiate between PEAP and TLS so that one flow hits an external RADIUS server sequence. How would one go about matching PEAP with RADIUS or another condition?
02-06-2021 07:25 PM
It's part of the fix for CSCvc98033 to remove such conditions, because such attributes are not yet available for a new endpoint session at the time of selecting a policy set.
As a result, you need to pick something else. Perhaps use patterns of Radius:User-Name.
02-06-2021 06:40 AM
Hi @kylerossd ,
If you are able to use the Dictionary Cisco-VPN3000 and the Attribute CVPN3000/ASA/PIX7x-Tunnel-Group-Name on the Conditions of the Policy > Policy Sets, then you will be able to use a specific External Identity Source or Identity Source Sequence on the Authentication Policy.
Hope this helps!!!
02-06-2021 07:18 PM
Thank you for the reply. Unfortunately these are all coming off the same switch. I wish there was a way to classify them before they accessed the policy set, or to have external RADIUS server and AD join points inside the same policy set. But this is not possible. I am not aware of any RADIUS AV pair that would match PEAP or TLS. The only option that I can think of is to do a regex looking for the domain(s), like RADIUS:User-Name MATCHES .*(domainabc.com)$. I guess this would work but it is... ugly.
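Added example, not written by any poster in this thread: a quick offline check of the `.*(domainabc.com)$` pattern against constructed User-Name values, beside a tightened variant, to see which identities a suffix-based policy set condition would send to the external RADIUS sequence. Python's `re` stands in for the regex engine here (an assumption; ISE's MATCHES operator may behave differently), and the `STRICT` pattern and all sample names are hypothetical.

```python
import re

# Pattern as written in the post: unescaped dot, no boundary before the domain.
LOOSE = re.compile(r".*(domainabc.com)$")

# Tightened variant (assumption, not from the thread): require user@,
# allow subdomains, escape the dots, ignore case.
STRICT = re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)*domainabc\.com$", re.IGNORECASE)

# Constructed sample RADIUS User-Name values.
SAMPLES = [
    "alice@domainabc.com",
    "anonymous@domainabc.com",          # typical anonymous outer identity
    "bob@corp.domainabc.com",
    "host/pc01.domainabc.com",          # machine-style identity, no '@'
    "mallory@notdomainabc.com",         # different domain sharing the suffix
    "eve@domainabcXcom",                # unescaped '.' matches any character
    "carol@domainabc.com.example.net",
]


def compare(samples):
    """Return (name, loose_match, strict_match) for each sample."""
    return [
        (name, bool(LOOSE.fullmatch(name)), bool(STRICT.fullmatch(name)))
        for name in samples
    ]


def disagreements(samples):
    """Names the two patterns classify differently; review these by hand."""
    return [name for name, loose, strict in compare(samples) if loose != strict]


if __name__ == "__main__":
    for name, loose, strict in compare(SAMPLES):
        print(f"{name:35} loose={loose!s:5} strict={strict}")
    print("review:", disagreements(SAMPLES))
```

Whether machine-style names without an `@` should follow the same flow depends on the deployment, so treat the disagreement list as items to decide on rather than as errors.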