03-04-2011 08:38 AM - edited 03-10-2019 05:53 PM
Hi All,
I've been trying to configure the group lock feature with an ACS 5.2 and an ASA. I could find attributes 33 and 85 in the RADIUS dictionary; however, when I try to select these attributes in an access policy they are not shown there.
In the old ACS 4.x you can enable or disable the attributes to be shown in the User or Group Settings in the Interface Configuration menu, but here in ACS 5.2 I cannot find a similar option. There is no enable button or check box anywhere. Could you please help me with this?
Best Regards!
Marco
03-04-2011 01:07 PM
When you configure RADIUS attributes, make sure you select "RADIUS-Cisco VPN 3000/ASA/PIX 7.x" as the Dictionary Type.
There are about 146 attributes. You can filter them by ID.
You can define Authorization Profiles in
Policy Elements > ... > Authorization and Permissions > Network Access > Authorization Profiles
and then use them in the access policies.
03-04-2011 04:12 PM
Thank you Yudong!
I've tried your advice and it works fine, users can only log in to the specified tunnel-group, but I have a couple of questions.
Why is it not possible to select Attribute 85 (CVPN3000/ASA/PIX7.x-Tunnel-Group-Lock) in a "Compound Condition" in Access Policies? There are just 44 possible attributes instead of the 153 attributes that are defined in the RADIUS Dictionary (System Administration->Configuration->Dictionaries->Protocols->RADIUS).
The other situation is that even when the user is denied I do not see any failed attempt. Just Success. Where can I look for authorization logs?
03-05-2011 11:15 AM
I think both attributes might be "OUT" attributes. ACS will only send them out but never needs to process them.
In a "Compound Condition", we can only use "IN" attributes.
On ACS, the user will always be authenticated successfully in this case. It is the ASA that takes the action based on those attributes. So, you should take a look at the log/debug on the ASA instead of ACS.
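As an added illustration of the point above (not code from this thread, from Cisco ACS or from the ASA): ACS returns Tunnel-Group-Lock as a Cisco Vendor-Specific attribute inside an Access-Accept, and the ASA, not ACS, decides whether the user's connecting tunnel-group matches it. The vendor ID 3076 for the Cisco VPN 3000/ASA/PIX dictionary and the exact-match rule in `asa_accepts` are my assumptions about the wire format and enforcement; the tunnel-group names are constructed sample values.

```python
import struct

CISCO_VPN3000_VENDOR_ID = 3076   # Cisco VPN 3000 / ASA / PIX vendor ID (assumption, not from the thread)
TUNNEL_GROUP_LOCK = 85           # CVPN3000/ASA/PIX7.x-Tunnel-Group-Lock sub-attribute (from the thread)
RADIUS_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type


def encode_tunnel_group_lock(group: str) -> bytes:
    """Build the Vendor-Specific attribute ACS would place in an Access-Accept
    to lock the user to one tunnel-group (type 26, vendor 3076, sub-type 85)."""
    value = group.encode()
    if len(value) > 247:
        raise ValueError("tunnel-group name too long for one RADIUS attribute")
    vsa = struct.pack("!BB", TUNNEL_GROUP_LOCK, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VPN3000_VENDOR_ID) + vsa
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_cisco_vsas(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list and return {sub_type: value} for every
    Cisco VPN 3000 vendor sub-attribute; other attributes are skipped."""
    out = {}
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor == CISCO_VPN3000_VENDOR_ID:
                j = i + 6
                while j + 2 <= i + alen:
                    sub_type, sub_len = attrs[j], attrs[j + 1]
                    if sub_len < 2 or j + sub_len > i + alen:
                        raise ValueError("malformed vendor sub-attribute")
                    out[sub_type] = attrs[j + 2:j + sub_len].decode()
                    j += sub_len
        i += alen
    return out


def asa_accepts(access_accept_attrs: bytes, connecting_tunnel_group: str) -> bool:
    """Model of the ASA-side decision: ACS has already answered Access-Accept,
    so the only remaining check is whether Tunnel-Group-Lock (if present)
    equals the tunnel-group the user actually connected to (assumed exact match)."""
    lock = decode_cisco_vsas(access_accept_attrs).get(TUNNEL_GROUP_LOCK)
    return lock is None or lock == connecting_tunnel_group
```

Because the mismatch is detected only in `asa_accepts`, the ACS side sees nothing but a successful authentication, which is why the denial shows up in ASA logs rather than ACS reports.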
03-07-2011 07:46 AM
Thank you Yudong.
I was also checking what kind of attributes populate the list of attributes available in Compound Condition, and it seems it just uses those which have BOTH as the value of the Direction property. I also tried changing that property to BOTH on attribute 85 and used it in a Compound Condition, but it did not work =)
It will be kind of difficult to troubleshoot this because the ASA logs show a successful authentication and successful authorization just as the ACS does.
Anyway, it works fine.
Thank you very much for your valuable time and knowledge.