vManage and Radius authentication - netadmin group

EminaBrkanic
Level 1

Hello,

I am setting up Windows NPS for vManage authentication. The configuration is simple and users are authenticated with RADIUS, but they are placed in the Basic group. How do I specify the netadmin group on RADIUS?

Regards

Accepted Solutions

You can configure NPS to send certain RADIUS attributes back depending on the AD group the authenticating user is in.

According to this guide you should send the Viptela VSA (41916) "Viptela-Group-Name" attribute back with the "netadmin" string:

https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/215349-radius-and-tacacs-based-user-authenticat.html

But this guide says you should send the Cisco VSA "SD-WAN-Group-Name" attribute.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/user-access-authentication.html

So I guess it depends on the version you're running, but you either have to send Viptela-Group-Name: netadmin or SD-WAN-Group-Name: netadmin back as an authorization result.

Now it's been a while since I worked with NPS, but if you search for a guide on custom attributes or vendor-specific attributes you should be able to find a resource that explains the config on the NPS side.

EminaBrkanic
Level 1

Hello,

I did as you suggested, but it didn't work. I opened a TAC case for this and finally solved it. On NPS you need to specify vendor-specific attributes like in the picture.
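
To check from a capture whether NPS is actually returning the group attribute discussed in this thread, the following added example (not part of the thread or of Cisco's documentation) encodes and parses an Access-Accept carrying the Viptela VSA with vendor ID 41916. The vendor-assigned attribute number 1 for Viptela-Group-Name is an assumption to confirm against the dictionary in the linked guide, and the sample packets are constructed.

```python
import struct

VIPTELA_VENDOR_ID = 41916   # vendor ID quoted in the thread
GROUP_NAME_TYPE = 1         # ASSUMPTION: vendor-assigned number of Viptela-Group-Name
ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26   # RFC 2865 packet code / attribute type


def vsa(vendor_id, vendor_type, value):
    """Encode one RFC 2865 Vendor-Specific attribute carrying a string."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def access_accept(attrs, ident=1):
    """Constructed Access-Accept; the 16-byte authenticator is a dummy."""
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs


def group_names(packet, vendor_id=VIPTELA_VENDOR_ID, vendor_type=GROUP_NAME_TYPE):
    """Return the group strings an Access-Accept carries for vendor_id."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            if struct.unpack("!I", value[:4])[0] == vendor_id:
                sub = value[4:]          # vendor-type, vendor-length, data ...
                while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                    if sub[0] == vendor_type:
                        found.append(sub[2:sub[1]].decode())
                    sub = sub[sub[1]:]
        pos += alen
    return found


# Constructed samples: a reply with the group VSA, and one with Reply-Message only.
GOOD = access_accept(vsa(VIPTELA_VENDOR_ID, GROUP_NAME_TYPE, b"netadmin"))
BARE = access_accept(bytes([18, 4]) + b"ok")

if __name__ == "__main__":
    print(group_names(GOOD))   # group VSA present
    print(group_names(BARE))   # no group VSA, as in the question (user lands in Basic)
```

Feed `group_names` the UDP payload of the Access-Accept exported from a capture; an empty list means the network policy matched but no group VSA for that vendor ID was attached.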
