Enable Radius Attributes for Group Lock

Hi All,

I've been trying to configure the group lock feature with an ACS 5.2 and an ASA. I could find attributes 33 and 85 in the RADIUS dictionary; however, when I try to select these attributes in an access policy they are not shown there.

In the old ACS 4.x you could enable or disable the attributes to be shown in the User or Group Settings in the Interface Configuration menu, but here in ACS 5.2 I cannot find a similar option. There is no enable button or check box anywhere. Could you please help me with this?

Best Regards!

Marco

When you configure Radius attributes, make sure you select "RADIUS-Cisco VPN 3000/ASA/PIX 7.x" as the Dictionary Type.

There are about 146 attributes. You can filter them by ID.

You can define Authorization Profiles in

Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles

And then use it in the access policies.


Thank you Yudong!

I've tried your advice and it works fine: users can only log in to the specified tunnel-group. But I have a couple of questions.

Why is it not possible to select Attribute 85 (CVPN3000/ASA/PIX7.x-Tunnel-Group-Lock) in a "Compound Condition" in Access Policies? There are just 44 possible attributes instead of the 153 attributes that are defined in the Radius Dictionary (System Administration->Configuration->Dictionaries->Protocols->Radius).

The other situation is that even when the user is denied I do not see any failed attempt, just Success. Where can I look for authorization logs?


I think both attributes might be "OUT" attributes. ACS will only send them out but never needs to process them.

In "Compound Condition", we only need to use "IN" attributes.

On ACS, the user will always be authenticated successfully in this case. It is the ASA that takes the action based on those attributes. So you should look at the log/debug on the ASA instead of ACS.

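Since ACS only sends Tunnel-Group-Lock out and the ASA does the enforcing, the thing to confirm when troubleshooting is whether the Access-Accept actually carried the attribute. The following is an added example, not code from this thread or from Cisco: a small decoder that pulls the Cisco VPN 3000 vendor-specific attributes (vendor ID 3076) out of a RADIUS Access-Accept and reports attribute 85, plus a builder for a constructed sample packet; the tunnel-group name and the zeroed Response Authenticator are constructed test values, not from a real capture.

```python
import struct

VENDOR_SPECIFIC = 26            # RFC 2865 Vendor-Specific attribute type
CISCO_VPN3000_VENDOR_ID = 3076  # Altiga / Cisco VPN 3000 vendor ID used for the ASA VSAs
TUNNEL_GROUP_LOCK = 85          # CVPN3000/ASA/PIX7.x-Tunnel-Group-Lock, per the thread
ACCESS_ACCEPT = 2               # RADIUS Code for Access-Accept

def iter_tlvs(buf: bytes):
    """Yield (type, value) from a run of 1-byte type / 1-byte length TLVs."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header at offset %d" % pos)
        ttype, tlen = buf[pos], buf[pos + 1]
        if tlen < 2 or pos + tlen > len(buf):
            raise ValueError("bad TLV length %d at offset %d" % (tlen, pos))
        yield ttype, buf[pos + 2:pos + tlen]
        pos += tlen

def cisco_vpn_vsas(packet: bytes) -> dict:
    """Map vendor-type -> raw value for every Cisco VPN 3000 VSA in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field %d != packet size %d" % (length, len(packet)))
    found = {}
    if code != ACCESS_ACCEPT:          # nothing is enforced on a reject/challenge
        return found
    for atype, value in iter_tlvs(packet[20:]):   # attributes follow the header
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VPN3000_VENDOR_ID:
            continue
        for vtype, data in iter_tlvs(value[4:]):  # vendor sub-attributes share the TLV shape
            found[vtype] = data
    return found

def tunnel_group_lock(packet: bytes):
    """Tunnel-group name the ASA is told to lock the session to, or None if absent."""
    data = cisco_vpn_vsas(packet).get(TUNNEL_GROUP_LOCK)
    return None if data is None else data.decode("ascii", errors="replace")

def build_access_accept(group: str, ident: int = 7) -> bytes:
    """Constructed sample Access-Accept carrying VSA 85; the 16-byte Response Authenticator is zeroed (constructed, unverified)."""
    sub = bytes([TUNNEL_GROUP_LOCK, 2 + len(group)]) + group.encode("ascii")
    vsa = struct.pack("!I", CISCO_VPN3000_VENDOR_ID) + sub
    attr = bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attr)) + b"\x00" * 16 + attr
```

Feeding it the attribute bytes from a packet capture between ACS and the ASA tells you whether the lock was ever sent, which the ACS "Success" log line alone does not.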


Thank you Yudong.

I was also checking what kind of attributes populate the list of attributes available in Compound Condition, and it seems it just uses those which have BOTH as the value of the Direction property. I also tried changing that property to BOTH for attribute 85 and used it in a Compound Condition, but it did not work =)

It will be kind of difficult to troubleshoot this because the ASA logs show a successful authentication and successful authorization, just as ACS does.

Anyway, it works fine.

Thank you very much for your valuable time and knowledge.
