how to make ise pass back a radius group attribute

mulhollandm
Level 1

folks

i have an ISE 2.0 vm and i'm authenticating users on an ssl vpn with the ise radius service

users, on ise, are put into separate identity groups and i'm trying to allocate ip addresses on my ssl vpn server based on identity group but i don't see ise passing the group attribute back to the vpn server

does anyone know how i can do this?

thanks to anyone taking the time to reply

1 Accepted Solution


Take a look at the link below. It is a detailed video for an older version of ISE but it should give you enough details to get things going and get you familiar with the solution:

http://www.labminutes.com/sec0111_ise_12_anyconnect_vpn_radius_authentication_authorization_1

Thank you for rating helpful posts!


nspasov
Cisco Employee

Hi there. I have a couple of questions:

1. What is your VPN solution provider?

2. What attributes are you returning back from ISE with the authorization profile?

Thank you for rating helpful posts!

neno

many thanks for your response, it's much appreciated

I'm new to ise so I'm not sure how all the components work together

I don't have any authorisation policy configured, I simply have the user accounts configured and added into groups

is this what I'm maybe missing?

thanks again

 


neno

many thanks for your help

I eventually spoke to tac and it turned out that the issue was with my authorisation policy

I was passing back the permit attribute rather than the group attribute

so again, thanks for your help and contribution, it was much appreciated

Good to hear! Glad I was able to help! :)