08-23-2018 01:14 PM
Users exist on an RSA server and are organized by groups. I need a way to permit or deny VPN users based on their RSA group. I have RSA passing back the group name upon authentication. I can see it in RSA logs. I don't see it in ISE. I get the authentication success but not the group attribute. These are AnyConnect users.
When I look at authentication logs in ISE, there is a Cisco-AVPair ip:source-ip and it returns the IP address. I think it's a default value. I want that but for a group, CiscoSecure-Group-Id.
How can I authorize these users based on the RADIUS group attribute? I've been through many documents and multiple TAC engineers.
08-23-2018 01:48 PM
You can unicast the details and the TAC SR and I can take a look: howon@cisco.com
08-30-2018 11:58 AM
08-31-2018 08:57 AM
The problem is the syntax does NOT match between RSA and ISE for the RADIUS attribute. That's different from any documentation I have found. We were able to get this working with a TAC case and trial and error.
ISE: CiscoSecure-Group-Id - syntax used in ISE.
RSA: ACS:CiscoSecure-Group-Id - syntax for the attribute assigned to the RADIUS profile.
Authorization policy sets in ISE were simple once it started to accept the group name value from RSA.
Wireshark didn't help with this, as RSA sent it exactly how we assigned the attribute to the RADIUS profile.
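The root cause in the accepted answer is a naming mismatch between two RADIUS dictionaries for the same wire attribute. The following is an added example, not code from the thread or from Cisco/RSA: it builds a constructed Access-Accept carrying the Cisco vendor-specific attributes the thread mentions, decodes them by numeric (vendor-id, sub-type) pair rather than by product-specific name, shows how ISE's name and RSA's "ACS:"-prefixed name resolve to the same bytes, and authorizes only when an Access-Accept actually carries a permitted group. The Cisco enterprise number 9 and Cisco-AVPair sub-type 1 are real; the sub-type number used here for CiscoSecure-Group-Id is an assumption and must be checked against the Cisco dictionary in your ISE (Policy > Policy Elements > Dictionaries). The sample packet and group name are constructed.

```python
"""Decode the Cisco VSA carrying the RSA group and authorize on it (added example)."""
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1               # Cisco-AVPair, sub-type 1 in the public Cisco dictionary
# ASSUMPTION: placeholder sub-type for CiscoSecure-Group-Id; verify in your ISE dictionary.
CISCOSECURE_GROUP_ID = 2

# Each product names the same (vendor, sub-type) pair differently. Matching on the
# numeric pair, not the name, is what makes the two sides agree.
ISE_DICTIONARY = {(CISCO_VENDOR_ID, CISCO_AVPAIR): "Cisco-AVPair",
                  (CISCO_VENDOR_ID, CISCOSECURE_GROUP_ID): "CiscoSecure-Group-Id"}
RSA_DICTIONARY = {(CISCO_VENDOR_ID, CISCOSECURE_GROUP_ID): "ACS:CiscoSecure-Group-Id"}


def vsa(vendor_id, sub_type, value):
    """Encode one RFC 2865 Vendor-Specific attribute (type 26)."""
    body = struct.pack(">IBB", vendor_id, sub_type, 2 + len(value)) + value
    return struct.pack(">BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_packet(code, identifier, attributes):
    """Assemble a RADIUS packet. The 16-byte authenticator is zeroed because this
    constructed sample is never sent; a real reply carries the MD5 Response
    Authenticator computed over the packet and the shared secret."""
    payload = b"".join(attributes)
    return struct.pack(">BBH", code, identifier, 20 + len(payload)) + bytes(16) + payload


def parse_attributes(packet):
    """Return (code, id, [(type, value), ...]), rejecting malformed lengths."""
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos, attrs = 20, []
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def decode_vsas(attrs):
    """Expand Vendor-Specific attributes into (vendor_id, sub_type, value) triples."""
    out = []
    for attr_type, value in attrs:
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack(">I", value[:4])[0]
        pos = 4
        while pos + 2 <= len(value):
            sub_type, sub_len = value[pos], value[pos + 1]
            if sub_len < 2 or pos + sub_len > len(value):
                break  # truncated sub-attribute: stop rather than misparse
            out.append((vendor_id, sub_type, value[pos + 2:pos + sub_len]))
            pos += sub_len
    return out


def named_attributes(packet, dictionary):
    """Map the wire attributes to the names one product's dictionary uses for them."""
    _, _, attrs = parse_attributes(packet)
    return {dictionary[(v, s)]: val.decode() for v, s, val in decode_vsas(attrs)
            if (v, s) in dictionary}


def groups_from_reply(packet):
    """Return every CiscoSecure-Group-Id value in an Access-Accept (empty otherwise)."""
    code, _, attrs = parse_attributes(packet)
    if code != RADIUS_ACCESS_ACCEPT:
        return []
    return [val.decode() for v, s, val in decode_vsas(attrs)
            if (v, s) == (CISCO_VENDOR_ID, CISCOSECURE_GROUP_ID)]


def authorize(packet, allowed_groups):
    """Permit only an Access-Accept that carries a group on the allow list."""
    return any(g in allowed_groups for g in groups_from_reply(packet))


# Constructed sample reply, modelled on what the thread describes RSA returning.
SAMPLE_ACCEPT = build_packet(RADIUS_ACCESS_ACCEPT, 7, [
    vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"ip:source-ip=192.0.2.10"),
    vsa(CISCO_VENDOR_ID, CISCOSECURE_GROUP_ID, b"VPN-Engineering"),
])

if __name__ == "__main__":
    print(named_attributes(SAMPLE_ACCEPT, ISE_DICTIONARY))
    print(named_attributes(SAMPLE_ACCEPT, RSA_DICTIONARY))
    print(authorize(SAMPLE_ACCEPT, {"VPN-Engineering"}))
```

Two points a practitioner should keep in mind: the decision is deliberately "Accept AND permitted group", so a reply that authenticates but omits the group (the situation in the original question) is denied rather than silently allowed; and in production the Response Authenticator (and Message-Authenticator where present) must be verified with the shared secret before any attribute in the reply is trusted for authorization.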
11-26-2019 08:07 AM
Hi, I am having the same problem this post is about, solved back in 2018. The problem is I went through so many TAC cases. What has changed is new ASAs and ISE 2.4. I have a TAC case but I don't think we are on the same page. See, I have a lab with an older ASA that authenticates against ISE, which authenticates against RSA, and the RSA group attribute is passed back. The group is what ISE authorizes access by. It works. The newer ASA against the same ISE/RSA and policy sets does not work. The RSA group attribute doesn't pass. It doesn't make sense.