
08-23-2018 01:14 PM
Users exist on an RSA server and are organized by groups. I need a way to permit or deny VPN users based on their RSA group. I have RSA passing back the group name upon authentication. I can see it in RSA logs. I don't see it in ISE. I get the authentication success but not the group attribute. These are AnyConnect users.
When I look at authentication logs in ISE, there is a CiscoAVPair ip:source-ip and it returns the ip address. I think it's a default value. I want that but for a group, CiscoSecure-Group-ID.
How can I authorize these users based on Radius Group Attribute? I've been through many documents and multiple TAC engineers.
Labels: Identity Services Engine (ISE)
Accepted Solutions
08-23-2018 01:48 PM
You can unicast the details and the TAC SR and I can take a look: howon@cisco.com
08-31-2018 08:57 AM
The problem is the syntax does NOT match between RSA and ISE for the Radius Attribute. That's different than any documentation I have found. We were able to get this working with a TAC case and trial and error.
ISE CiscoSecure-Group-Id - syntax used in ISE.
RSA ACS:CiscoSecure-Group-Id - syntax for attribute assigned to Radius profile.
Authorization policy sets in ISE were simple once it started to accept the group name value from RSA.
Wireshark didn't help this as RSA sent it how we assigned the attribute to the Radius profile.
11-26-2019 08:07 AM
Hi, I am having the same problem this post is about, solved back in 2018. The problem is I went through so many TAC cases. What has changed is new ASAs and ISE 2.4. I have a TAC case but I don't think we are on the same page. See, I have a lab with an older ASA that authenticates against ISE, which authenticates against RSA, and the RSA group attribute is passed back. The group is what ISE authorizes access by. It works. In the newer ASA, against the same ISE/RSA and policy sets, it does not work. The RSA group attribute doesn't pass. It doesn't make sense.
08-23-2018 02:19 PM
As far as I am concerned, RSA only sends pass or fail back to ISE. It is interesting that you mention that you can see in the logs that it sends the group information.
What you can do is collect a TCPDump from ISE to your RSA and verify if there is any group information observed from RSA to ISE.
What I have seen multiple times is, if the VPN user exists in both RSA and AD, one can create an Identity Sequence that does authentication to RSA and attribute retrieval to AD. Then, based on the AD groups, you can create the Authorization Rules.
But that seems to be different than what you have.
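Added example, not code from this thread or from Cisco/RSA: a small Python decoder for the Cisco Vendor-Specific attribute in a RADIUS Access-Accept, the kind of reply the TCPDump between ISE and RSA suggested above would capture. It lists every Cisco-AVPair exactly as the server sent it and then finds the group pair whether the key is written `CiscoSecure-Group-Id` or `ACS:CiscoSecure-Group-Id`, the two spellings the accepted answer describes. It assumes the standard Cisco RADIUS dictionary (Vendor-Id 9, Cisco-AVPair vendor-type 1), that the group travels as a Cisco-AVPair `key=value` string, and uses a constructed reply with a dummy authenticator.

```python
import struct

ATTR_USER_NAME = 1
ATTR_VSA = 26              # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9        # assumption: standard Cisco dictionary
CISCO_AVPAIR = 1           # assumption: Cisco-AVPair vendor-type

def build_cisco_avpair(pair: str) -> bytes:
    # One Cisco-AVPair string wrapped as a Vendor-Specific attribute.
    data = pair.encode()
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return struct.pack("!BBI", ATTR_VSA, len(vendor_part) + 6, CISCO_VENDOR_ID) + vendor_part

def build_access_accept(username: str, avpairs) -> bytes:
    # Constructed Access-Accept (code 2, id 1); 16 zero bytes stand in for the authenticator.
    attrs = struct.pack("!BB", ATTR_USER_NAME, len(username) + 2) + username.encode()
    attrs += b"".join(build_cisco_avpair(p) for p in avpairs)
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

def iter_attributes(packet: bytes):
    # Yield (type, value) for each top-level attribute after the 20-byte header.
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def cisco_avpairs(packet: bytes):
    # Every Cisco-AVPair string in the reply, verbatim, so the key prefix is visible.
    pairs = []
    for atype, value in iter_attributes(packet):
        if atype != ATTR_VSA or len(value) < 6 or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                break
            if vtype == CISCO_AVPAIR:
                pairs.append(sub[2:vlen].decode(errors="replace"))
            sub = sub[vlen:]
    return pairs

def find_group_id(packet: bytes):
    # Match the group key with or without the "ACS:" prefix; returns (key_as_sent, value) or None.
    for pair in cisco_avpairs(packet):
        key, sep, value = pair.partition("=")
        if sep and key.split(":")[-1].lower() == "ciscosecure-group-id":
            return key, value
    return None

# Constructed sample reply, not a real capture.
SAMPLE_REPLY = build_access_accept("vpnuser1", ["ACS:CiscoSecure-Group-Id=VPN-Admins", "ip:source-ip=192.0.2.10"])
```

Run `find_group_id` over a reply pulled from the capture to see the exact key string RSA sends; the key returned is the string the ISE authorization condition has to match.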