Hy!

I would like to use a third-party radius server for RAvpn authentication, i can authenticate the anyconnect clients without any problem.

I also would like to authorize them to be member of a particular sgt group so i send the Cisco-AVPair = "cts:security-group-tag= xyz" attribute back to firepower.

SGT pushing seems to work:

ftdv2# sh vpn-sessiondb anyconnect filter name kornel

Session Type: AnyConnect

Username : kornel Index : 1835
Assigned IP : 192.168.66.207 Public IP : blabla
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium, AnyConnect for Mobile
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384
Bytes Tx : 14979 Bytes Rx : 4000
Group Policy : teszt Tunnel Group : tesztes
Login Time : 14:26:57 UTC Mon Oct 24 2022
Duration : 0h:37m:01s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 000000000072b0006356a0b1
Security Grp : 5 Tunnel Zone : 0

When i set up a logging rule matching the vpn traffic the sgt source and destination group is empty.

so what else should i do to tag the traffic? or can't FTD tag and classify the ravpn packets?

i also tried to trace a security group tagged packet, and i got the following result:

ftdv2# packet-tracer input public tcp inline-tag 5 192.168.66.207 12222 192.101.91 445

.

.

Action: drop
Drop-reason: (ifc-not-cmd-enabled) Interface not configured for CMD packets, Drop-location: frame 0x000055d2bb7c6cdf flow (NA)/NA