
Cisco ACS5.3; differentiating between WebVPN and IPSEC Radius Authentications from an ASA

neil.moore
Level 1

I am using Cisco ACS5.3 to authenticate users (using RADIUS) for a Cisco ASA firewall for both WebVPN and IPSEC client connections. I have been able to do this successfully. However, I need to be able to deploy Cisco vendor-specific attributes (VSA) for both IPSEC and WebVPN sessions using authorisation profiles. Ideally I don't want to have to combine the attributes required for both services in the same authorisation profile, as I will have to produce a lot of different profiles for the different combinations.

The only way I can see that you could possibly do this is by having service selection rules that can differentiate between WebVPN and IPSEC RADIUS authentication requests. I have experimented with inbound VSAs without success. Is this possible?

1 Reply

Tarik Admani
VIP Alumni

Neil,

Are your clients coming in through different tunnel groups? If so, you can create a compound condition where you can map the RADIUS attribute: CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name in the authorization policy. If it equals the TG for WebVPN, send back the av-pair accordingly.

Thanks,

Tarik Admani
*Please rate helpful posts*
