Enable Radius Attributes for Group Lock

marcohernandez
Level 1

Hi All,

I've been trying to configure the group lock feature with an ACS 5.2 and an ASA. I could find attributes 33 and 85 in the RADIUS dictionary; however, when I try to select these attributes in an access policy they are not shown there.

In the old ACS 4.x you could enable or disable the attributes to be shown in the User or Group Settings in the Interface Configuration menu, but here in ACS 5.2 I cannot find a similar option. There is no enable button or check box anywhere. Could you please help me with this?

Best Regards!

Marco

4 Replies

Yudong Wu
Level 7

When you configure RADIUS attributes, make sure you select "RADIUS-Cisco VPN 3000/ASA/PIX 7.x" as the Dictionary Type.

There are about 146 attributes. You can filter them by ID.

You can define an Authorization Profile in

Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles

and then use it in the access policies.

Thank you Yudong!

I've tried your advice and it works fine, users can only log in to the specified tunnel-group, but I have a couple of questions.

Why is it not possible to select Attribute 85 (CVPN3000/ASA/PIX7.x-Tunnel-Group-Lock) in a "Compound Condition" in Access Policies? There are just 44 possible attributes instead of the 153 attributes that are defined in the RADIUS Dictionary (System Administration->Configuration->Dictionaries->Protocols->Radius).

The other situation is that even when the user is denied I do not see any failed attempt, just Success. Where can I look for authorization logs?

I think both attributes might be "OUT" attributes. ACS will only send them out but never needs to process them.

In a "Compound Condition", we only need to use "IN" attributes.

On ACS, the user will always be authenticated successfully in this case. It is the ASA that takes the action based on those attributes. So, you should take a look at the log/debug on the ASA instead of ACS.
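To make the division of labour in the reply above concrete (ACS only emits attribute 85 in the Access-Accept; the ASA compares it with the tunnel-group the user connected to), here is an added example that is not from the thread or from Cisco: it builds a constructed Access-Accept carrying the Tunnel-Group-Lock VSA, parses the Vendor-Specific attribute the way RFC 2865 lays it out, and applies the lock check on the NAS side. It assumes the Cisco VPN 3000/ASA vendor ID 3076, a sample tunnel-group name "RA-VPN", and an all-zero authenticator, which is fine for a decoding demo but never for a real packet.

```python
import struct

CISCO_VPN3000_VENDOR_ID = 3076   # Vendor-Id of the "Cisco VPN 3000/ASA/PIX 7.x" dictionary
TUNNEL_GROUP_LOCK = 85           # vendor attribute number discussed in the thread
VENDOR_SPECIFIC = 26             # RFC 2865 Vendor-Specific attribute type
ACCESS_ACCEPT = 2


def build_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Encode one Vendor-Specific attribute: Type, Length, Vendor-Id, then sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    payload = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(payload)) + payload


def build_access_accept(attrs: bytes, ident: int = 1) -> bytes:
    """Constructed Access-Accept: code, identifier, length, 16-byte authenticator (zeroed here)."""
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs


def parse_vsas(packet: bytes):
    """Yield (vendor_id, vendor_type, data) for every VSA, rejecting malformed lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vpos = 4
            while vpos + 2 <= len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    break
                yield vendor_id, vtype, value[vpos + 2:vpos + vlen]
                vpos += vlen
        pos += alen


def tunnel_group_permitted(packet: bytes, connected_group: str) -> bool:
    """NAS-side check: with a lock present, the session's tunnel-group must match it exactly."""
    for vendor_id, vtype, data in parse_vsas(packet):
        if vendor_id == CISCO_VPN3000_VENDOR_ID and vtype == TUNNEL_GROUP_LOCK:
            return data.decode("ascii") == connected_group
    return True  # no lock attribute in the Accept: any tunnel-group is allowed


# Constructed sample: ACS answers Access-Accept with Tunnel-Group-Lock = "RA-VPN".
SAMPLE_ACCEPT = build_access_accept(build_vsa(CISCO_VPN3000_VENDOR_ID, TUNNEL_GROUP_LOCK, b"RA-VPN"))
```

Note that the RADIUS answer is an Accept in both cases, which is why ACS logs show Success and only the ASA's own VPN logs reveal the mismatch.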

Thank you Yudong.

I was also checking what kind of attributes populate the list of attributes available in a Compound Condition, and it seems it just uses those which have BOTH as the value of the Direction property. I also tried changing the value of that property to BOTH in attribute 85 and used it in a Compound Condition, but it did not work =)

It will be kind of difficult to troubleshoot this because the ASA logs show a successful authentication and successful authorization, just as the ACS does.

Anyway, it works fine.

Thank you very much for your valuable time and knowledge.
