spacey96
Beginner

ISE authorization based on Radius Attributes from RSA

Users exist on an RSA server and are organized by groups. I need a way to permit or deny VPN users based on their RSA group. I have RSA passing back the group name upon authentication. I can see it in RSA logs. I don't see it in ISE. I get the authentication success but not the group attribute. These are AnyConnect users.

When I look at authentication logs in ISE, there is a CiscoAVPair ip:source-ip and it returns the ip address. I think it's a default value. I want that but for a group, CiscoSecure-Group-ID.

How can I authorize these users based on Radius Group Attribute? I've been through many documents and multiple TAC engineers.


6 REPLIES
howon
Cisco Employee

You can unicast the details and the TAC SR and I can take a look: howon@cisco.com

Hi, I am having the same problem this post solved back in 2018. The problem is I went through so many TAC cases. What has changed is new ASAs and ISE 2.4. I have a TAC case but I don't think we are on the same page. See, I have a lab with an older ASA that authenticates against ISE, which authenticates against RSA, and the RSA group attribute is passed back. The group is what ISE authorizes access by. It works. The newer ASA against the same ISE/RSA and policy sets does not work. The RSA group attribute doesn't pass. It doesn't make sense.

jalemanp
Cisco Employee

Hello,

As far as I am concerned, RSA only sends pass or fail back to ISE. It is interesting that you mention that you can see in the logs that it sends the group information.
What you can do is collect a TCPDump from ISE to your RSA and verify if there is any group information observed from RSA to ISE.

What I have seen multiple times is that if the VPN user exists in both RSA and AD, one can create an Identity Sequence that does authentication to RSA and attribute retrieval to AD. Then, based on the AD groups, you can create the Authorization Rules.

But that seems to be different than what you have.

The problem is the syntax does NOT match between RSA and ISE for the Radius Attribute. That's different than any documentation I have found. We were able to get this working with a TAC case and trial and error.

ISE CiscoSecure-Group-Id - syntax used in ISE.

RSA ACS:CiscoSecure-Group-Id - syntax for attribute assigned to Radius profile.

Authorization policy sets in ISE were simple once it started to accept the group name value from RSA. 

Wireshark didn't help with this, as RSA sent it exactly how we assigned the attribute to the RADIUS profile.

Wireshark did validate that the attribute was sent and received by ISE. But it didn't help in finding the correct syntax for ISE to actually accept the attribute return value. That was trial and error.
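Both the tcpdump suggestion above and the Wireshark check in the solution come down to the same question: what Cisco vendor-specific attributes does the Access-Accept from RSA actually carry, and under what name? The following is an added example, not code from anyone in this thread or from Cisco or RSA. It decodes the Vendor-Specific (26) attributes of a RADIUS Access-Accept (RFC 2865 layout) and pulls out the Cisco (vendor 9) sub-attributes, including the cisco-av-pair strings such as the `ip:source-ip` value the original poster already sees in ISE. The sample packet is constructed inline; the encoding of the group attribute as a `key=value` av-pair named `ACS:CiscoSecure-Group-Id` and the group value `VPN-Users` are assumptions for illustration, chosen to show why a lookup under the ISE-side name `CiscoSecure-Group-Id` finds nothing when the wire carries a different name.

```python
# Added example (not from this thread): decode the Cisco VSAs in a RADIUS
# Access-Accept to see exactly how a returned attribute is named on the wire.
# The sample packet is constructed below; the av-pair encoding of the group
# attribute and its value are assumptions for illustration.
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute
VENDOR_CISCO = 9
CISCO_AVPAIR = 1            # Cisco vendor-type 1: cisco-av-pair


def parse_radius(packet: bytes):
    """Return (code, identifier, [(type, value), ...]) for one RADIUS datagram."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field inconsistent with the datagram")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def vsas(attrs):
    """Expand Vendor-Specific attributes into (vendor_id, vendor_type, value)."""
    out = []
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break  # malformed sub-attribute: stop, keep what was decoded so far
            out.append((vendor_id, vtype, value[pos + 2:pos + vlen]))
            pos += vlen
    return out


def cisco_vsas(packet: bytes):
    """All Cisco (vendor 9) sub-attributes of an Access-Accept as (vendor_type, bytes)."""
    code, _, attrs = parse_radius(packet)
    if code != RADIUS_ACCESS_ACCEPT:
        return []
    return [(vt, v) for vid, vt, v in vsas(attrs) if vid == VENDOR_CISCO]


def cisco_avpairs(packet: bytes):
    """The cisco-av-pair strings, e.g. 'ip:source-ip=10.0.0.5'."""
    return [v.decode("utf-8", "replace") for vt, v in cisco_vsas(packet) if vt == CISCO_AVPAIR]


def avpair_value(avpairs, key):
    """Value of `key` among 'key=value' av-pairs; the name must match (case-insensitive)."""
    for pair in avpairs:
        k, sep, val = pair.partition("=")
        if sep and k.strip().lower() == key.lower():
            return val.strip()
    return None


# Builders used only to construct the sample packet.
def build_avpair(text: str) -> bytes:
    data = text.encode()
    sub = bytes([CISCO_AVPAIR, len(data) + 2]) + data
    body = struct.pack("!I", VENDOR_CISCO) + sub
    return bytes([ATTR_VENDOR_SPECIFIC, len(body) + 2]) + body


def build_access_accept(attrs: bytes, ident: int = 1) -> bytes:
    # Authenticator left as zeros: this example decodes attributes, it does not verify packets.
    return struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


# Constructed sample: the av-pair the OP already sees, plus an assumed group av-pair
# carrying the name configured on the RSA side ("ACS:CiscoSecure-Group-Id").
SAMPLE = build_access_accept(
    build_avpair("ip:source-ip=10.0.0.5")
    + build_avpair("ACS:CiscoSecure-Group-Id=VPN-Users")
)

if __name__ == "__main__":
    for vt, v in cisco_vsas(SAMPLE):
        print(f"Cisco vendor-type {vt}: {v!r}")
    pairs = cisco_avpairs(SAMPLE)
    print("lookup by ISE-side name:", avpair_value(pairs, "CiscoSecure-Group-Id"))
    print("lookup by RSA-side name:", avpair_value(pairs, "ACS:CiscoSecure-Group-Id"))
```

To run this against a real capture, feed it the UDP payload of the Access-Accept from the ISE-to-RSA tcpdump (for example, `bytes(pkt[UDP].payload)` after `scapy.rdpcap`). Printing every Cisco vendor-type and raw value, rather than only the av-pairs, is deliberate: if RSA encodes the group as a distinct vendor-type rather than as an av-pair, it still shows up, and you can compare the wire name and type with the attribute ISE's dictionary expects.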
hslai
Cisco Employee