05-11-2016 07:50 AM
ISE 2.0 with AnyConnect RA VPN. I am trying to use the internal user's identity group as the Class attribute to assign a group policy on the ASA. I've tried both IdentityGroup:Name and InternalUser:IdentityGroup in my Authorization Profile:
Access Type = ACCESS_ACCEPT
Class = IdentityGroup:Name
Both configurations end up including the attribute title along with the attribute value:
Result
State ReauthSession:c0a800fe000a100057331935
Class User Identity Groups:Contractor
If I use the AD Department value, all that is returned is the attribute value, not the attribute title.
Result
State ReauthSession:c0a800fe00095000573234a5
Class IT
How can I use the Internal User Identity Group to assign the Class Value to the ASA for Group-Policy?
05-12-2016 06:55 AM
Hi,
Are you trying for the following in an authorization profile?
Access Type = ACCESS_ACCEPT
Class = Contractor
Regards,
-Tim
05-17-2016 03:13 AM
Yes. I am getting the whole string but only need the value. I am getting "User Identity Groups:Contractor". The ASA is expecting "Contractor". How do I strip off "User Identity Groups"?
05-17-2016 07:38 AM
I don't believe you can strip that part of the attribute. Would it be possible to create a group policy on the ASA that matches the Class value returned? For example:
Auth Profile:
Access Type = ACCESS_ACCEPT
Class = IdentityGroup:Contractor
ASA Group Policy:
IdentityGroup:Contractor
Regards,
-Tim
05-17-2016 08:48 AM
I can try that as a workaround. Is there another way to accomplish what I am trying to do?
05-17-2016 10:19 AM
I believe you may use a value of a regular attribute (built-in or customized) for an internal user.