Solved: Internal User Identity Group as an ASA Class Value

scamarda · ‎05-11-2016

ISE 2.0 with AnyConnect RA VPN. I am trying to use the internal user's identity group as the Class attribute to assign a group policy on the ASA. I've tried both IdentityGroup:Name and InternalUser:IdentityGroup in my Authorization Profile:

Access Type = ACCESS_ACCEPT

Class = IdentityGroup:Name

Both configurations end up including the attribute title along with the attribute value:

Result

State ReauthSession:c0a800fe000a100057331935

Class User Identity Groups:Contractor

If I use the AD Department value, all that is returned is the attribute value, not the attribute title

Result

State ReauthSession:c0a800fe00095000573234a5

Class IT

How can I use the Internal User Identity Group to assign the Class Value to the ASA for Group-Policy?

Timothy Abbott · ‎05-12-2016

Hi,

Are you trying for the following in an authorization profile?

Access Type = ACCESS_ACCEPT

Class = Contractor

Regards,

-Tim

View solution in original post

Timothy Abbott · ‎05-12-2016

Hi,

Are you trying for the following in an authorization profile?

Access Type = ACCESS_ACCEPT

Class = Contractor

Regards,

-Tim

scamarda · ‎05-17-2016

Yes. I am getting the whole string but only need the value. I am getting "User Identity Groups:Contractor". The ASA is expecting "Contractor". How do I strip off "User Identity Groups"?

Timothy Abbott · ‎05-17-2016

I don't believe you can strip that part of the attribute. Would it be possible to create group policy on the ASA that matches the Class value returned? For example:

Auth Profile:

Access Type = ACCESS_ACCEPT

Class = IdentityGroup:Contractor

ASA Group Policy:

IdentityGroup:Contractor

Regards,

-Tim

scamarda · ‎05-17-2016

I can try that as a workaround. Is there another way to accomplish what I am trying to do?

hslai · ‎05-17-2016

I believe you may use a value of a regular attribute (built-in or customized) for an internal user.