2868 Views | 0 Helpful | 6 Replies

ISE authorization based on Radius Attributes from RSA

spacey96 (Level 1)

Users exist on an RSA server and are organized by groups. I need a way to permit or deny VPN users based on their RSA group. I have RSA passing back the group name upon authentication. I can see it in the RSA logs. I don't see it in ISE. I get the authentication success but not the group attribute. These are AnyConnect users.

When I look at the authentication logs in ISE, there is a CiscoAVPair ip:source-ip and it returns the IP address. I think it's a default value. I want that but for a group, CiscoSecure-Group-ID.

How can I authorize these users based on a RADIUS group attribute? I've been through many documents and multiple TAC engineers.


Accepted Solutions

howon (Cisco Employee)

You can unicast the details and the TAC SR and I can take a look: howon@cisco.com


The problem is the syntax does NOT match between RSA and ISE for the RADIUS attribute. That's different than any documentation I have found. We were able to get this working with a TAC case and trial and error.

ISE: CiscoSecure-Group-Id - syntax used in ISE.

RSA: ACS:CiscoSecure-Group-Id - syntax for the attribute assigned to the RADIUS profile.

Authorization policy sets in ISE were simple once it started to accept the group name value from RSA.

Wireshark didn't help with this, as RSA sent it the way we assigned the attribute to the RADIUS profile.


6 Replies


Hi, I am having the same problem that this post solved back in 2018. The problem is I went through so many TAC cases. What has changed is new ASAs and ISE 2.4. I have a TAC case but I don't think we are on the same page. See, I have a lab with an older ASA that authenticates against ISE, which authenticates against RSA, and the RSA group attribute is passed back. The group is what ISE authorizes access by. It works. The newer ASA against the same ISE/RSA and policy sets does not work. The RSA group attribute doesn't pass. It doesn't make sense.


jalemanp (Cisco Employee)
Hello,

As far as I am concerned, RSA only sends pass or fail back to ISE. It is interesting that you mention that you can see in the logs that it sends the group information.
What you can do is collect a TCPDump from ISE to your RSA and verify if there is any group information observed from RSA to ISE.

What I have seen multiple times is, if the VPN user exists in both RSA and AD, one can create an Identity Sequence that does authentication to RSA and attribute retrieval to AD. Then, based on the AD groups, you can create the Authorization Rules.

But that seems to be different than what you have.


Wireshark did validate that the attribute was sent and received by ISE. But it didn't help in finding the correct syntax for ISE to actually accept the attribute return value. That was trial and error.
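As an added example (not from any poster in this thread), here is a small decoder for the kind of capture discussed above: it walks the attributes of a RADIUS Access-Accept, pulls out the Cisco vendor-specific attributes (vendor 9, sub-type 1 Cisco-AVPair) and applies a group-based authorization check that accepts both the bare `CiscoSecure-Group-Id` name and the `ACS:`-prefixed form the thread found RSA sends. The sample packet is constructed, and carrying the group as a Cisco-AVPair `key=value` string is an assumption for illustration; the Response Authenticator is zeroed and not verified.

```python
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 type 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1            # Cisco vendor sub-type 1: free-form "key=value" string
GROUP_ATTR = "CiscoSecure-Group-Id"


def parse_attributes(payload: bytes):
    """Yield (type, value) TLVs; the same layout is used for VSA sub-attributes."""
    off = 0
    while off + 2 <= len(payload):
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > len(payload):
            raise ValueError("malformed attribute length")
        yield atype, payload[off + 2:off + alen]
        off += alen


def cisco_avpairs(packet: bytes):
    """Return every Cisco-AVPair string carried in an Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pairs = []
    for atype, value in parse_attributes(packet[20:]):   # 20-byte header incl. authenticator
        if atype != ATTR_VENDOR_SPECIFIC or struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        for vtype, vval in parse_attributes(value[4:]):
            if vtype == CISCO_AVPAIR:
                pairs.append(vval.decode("ascii", "replace"))
    return pairs


def group_from_avpairs(pairs):
    """Match 'CiscoSecure-Group-Id=<g>' and 'ACS:CiscoSecure-Group-Id=<g>' alike."""
    for pair in pairs:
        key, sep, val = pair.partition("=")
        if sep and key.split(":")[-1] == GROUP_ATTR:
            return val
    return None


def authorize(packet: bytes, permitted_groups) -> bool:
    """Deny by default: no group attribute, or an unlisted group, means no access."""
    group = group_from_avpairs(cisco_avpairs(packet))
    return group is not None and group in permitted_groups


def build_accept(avpairs, ident=0x2A) -> bytes:
    """Constructed sample Access-Accept; authenticator left as 16 zero bytes."""
    attrs = b""
    for text in avpairs:
        sub = bytes([CISCO_AVPAIR, 2 + len(text)]) + text.encode("ascii")
        body = struct.pack("!I", VENDOR_CISCO) + sub
        attrs += bytes([ATTR_VENDOR_SPECIFIC, 2 + len(body)]) + body
    return struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs


# Constructed sample: the ip:source-ip pair the question mentions plus an RSA-style group pair.
SAMPLE_ACCEPT = build_accept(["ip:source-ip=192.0.2.10", "ACS:CiscoSecure-Group-Id=VPN-Admins"])
```

Feed it the UDP payload of an Access-Accept from the TCPDump jalemanp suggests to confirm whether the group attribute is actually on the wire before touching the ISE policy.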