781 Views · 5 Helpful · 1 Reply

Radius Attribute forwarding in ISE

a.ascione
Level 1

Hello

I'm trying to forward a radius attribute (cisco-ip-pool-definition) from an external identity source to my CISCO ASA vpn device.

I can see in the TCP Dump that the attribute is received from my external Radius server,

but I am not able to create an authorization policy that matches and forwards this attribute.

In the configuration of the External Identity source, in the authorization tab I have Cisco.Secure.ID.

How can I match this attribute in an authorization policy?

Thanks in advance for your help

1 Reply

Arne Bier
VIP

Oh this is a classic. I had the same problem and the solution is not documented by Cisco anywhere.

Here is the answer:

Your external radius server has to return a new CiscoAVPair attribute in the format:

CiscoAVPair:ACS:cisco-ip-pool-definition

The key thing in that Cisco AVPair is the prefix 'ACS' ... yes. I died laughing too...

The final value shown above (cisco-ip-pool-definition) can be replaced with anything and it does not relate to any IETF radius attribute - it's just a label. Just make sure that the label is the same as the value you enter into the Authorization Tab under Radius Token Identity Services in ISE GUI.

Let's say your Radius Token Identity Service is called EXTRADIUS, then in your actual Policies, you will refer to the returned value as

EXTRADIUS:cisco-ip-pool-definition

cheers
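A way to check, from a capture like the one the original poster mentions, that the external RADIUS server really returns a Cisco-AVPair carrying the ACS: prefix described in the reply above, and which label ISE will therefore expose in the Authorization tab. This is an added example, not code from either poster or from Cisco; the sample reply bytes are constructed here, and the Cisco vendor id (9), Cisco-AVPair sub-type (1) and the VSA attribute type (26) are the standard RADIUS values.

```python
import struct

RADIUS_VSA_TYPE = 26      # Vendor-Specific attribute type (RFC 2865)
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1     # Cisco-AVPair sub-attribute inside the Cisco VSA
ACS_PREFIX = "ACS:"       # prefix ISE expects, per the reply above

def parse_attributes(payload: bytes):
    """Walk a RADIUS attribute list (bytes after the 20-byte header); yield (type, value)."""
    i = 0
    while i + 2 <= len(payload):
        attr_type, attr_len = payload[i], payload[i + 1]
        if attr_len < 2 or i + attr_len > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        yield attr_type, payload[i + 2:i + attr_len]
        i += attr_len

def cisco_avpairs(payload: bytes):
    """Return every decoded Cisco-AVPair string found in the attribute list."""
    pairs = []
    for attr_type, value in parse_attributes(payload):
        if attr_type != RADIUS_VSA_TYPE or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(value):          # sub-attributes: type, length, string
            sub_type, sub_len = value[j], value[j + 1]
            if sub_len < 2 or j + sub_len > len(value):
                raise ValueError("malformed VSA sub-attribute")
            if sub_type == CISCO_AVPAIR_TYPE:
                pairs.append(value[j + 2:j + sub_len].decode("ascii", "replace"))
            j += sub_len
    return pairs

def ise_token_labels(payload: bytes):
    """Labels ISE will see: only AVPairs with the ACS: prefix count, prefix stripped."""
    return [p[len(ACS_PREFIX):] for p in cisco_avpairs(payload) if p.startswith(ACS_PREFIX)]

def build_vsa(avpair: str) -> bytes:
    """Constructed sample: encode one Cisco-AVPair as a RADIUS Vendor-Specific attribute."""
    body = avpair.encode("ascii")
    sub = bytes([CISCO_AVPAIR_TYPE, 2 + len(body)]) + body
    vsa_value = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return bytes([RADIUS_VSA_TYPE, 2 + len(vsa_value)]) + vsa_value

# Constructed Access-Accept attribute list: one correctly prefixed AVPair, one without
# the prefix (ISE will not expose it), and an unrelated Reply-Message (type 18).
SAMPLE_REPLY = (build_vsa("ACS:cisco-ip-pool-definition")
                + build_vsa("cisco-ip-pool-definition")
                + bytes([18, 4]) + b"ok")

if __name__ == "__main__":
    print("AVPairs returned:", cisco_avpairs(SAMPLE_REPLY))
    print("Labels usable in ISE policy:", ise_token_labels(SAMPLE_REPLY))
```

Feed the attribute bytes of a real Access-Accept from your tcpdump into `ise_token_labels`; an empty result means the server is sending the label without the ACS: prefix and ISE will never match it.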