Groups and Attributes Mapping from Radius Token Server
For some types of external user databases, ACS supports the assignment of users to specific ACS groups based on the RADIUS authentication response from the external user database.
ACS provides this assignment in addition to the unknown user group mapping described in Group Mapping by External User Database. RADIUS-based group specification overrides group mapping.
To provide the per-user group mapping feature in ACS 5.3, use the attribute retrieval and authorization mechanism for users that are authenticated with an external RADIUS identity store.
For this, you must configure the RADIUS identity store to return authentication responses that contain the [009\001] cisco-av-pair attribute with the following value:
ACS:CiscoSecure-Group-Id=N, where N is a value returned from the external radius server to ACS.
Then, this attribute is available in the policy configuration pages of the ACS web interface while creating authorization and group mapping rules.
You can use the RADIUS attributes retrieved during authentication against the RADIUS identity store in ACS policy conditions for authorization and group mapping. You can select the attributes that you want to use in policy conditions while configuring the RADIUS identity store. These attributes are kept in the RADIUS identity store dedicated dictionary and can be used to define policy conditions.
You cannot query the RADIUS server for the requested attributes. You can only configure the RADIUS identity store to return the requested attributes. These attributes are available in the Access-Accept response as part of the attributes list.
In the below screenshot, under the “Directory Attributes” of “Radius Token Servers”, we have added a “cisco-av-pair” dictionary and the AV pair name is “ACS:CiscoSecure-Group-Id”.
You can give any policy condition name which will be available as an option under the Authorization section of Access Policy.
In the below screen shot, we have used the “Policy Condition Name” defined earlier.
In this case, the value returned from Radius Identity/Token server for the attribute “ACS:CiscoSecure-Group-Id” is supposed to be “065” and based on that he will hit the desired authorization rule.
Attributes visible under ACS Monitoring Report
Other Attributes: ACSVersion=acs-184.108.40.206-B.839
Device IP Address=xx.xx.xx.xx
We need to go through the ACS logs to make sure what exact value for the "cisco-av-pair:ACS:CiscoSecure-Group-Id" being returned by the radius-token-server. The same value need to be used in the authorization rule that we have created above.
hi,i can't seem to install anyconnect 4.7 on a spare windows 7 machine.i already uninstall anyconnect 3.1 and restarted PC.after the EULA i got this message prompt. see attached photo.once i clicked OK a few times, i got a prompt that installation was com...
Hi Everyone, I just read that Google Gsuite expose also an LDAPS connection, I would like to know if anyone had a chance to test it and eventually if it allows to retrieve Google identity attributes (groups, etc) with Cisco ISE. I am considering...
Is it possible to quarantine mails based on the threat category? I can see in the message details an entry "Threat Category: Phishing" and in the SMA I can search for them in the Sender Domain Reputation report also in the message tracking , but how ...
I have searched Cisco and online for docs showing the syntex for natting multiple hosts via command line. I can do it via ASDM, but want to know how to do it via CLI so the running-config does not show "DM_inline" making the configs look more complicated....
When performing Wireless EAP-TLS using machine certs on ISE, if you are not requiring CRL check does the ISE server, WLAN Controller or wireless client need network communication to the Certificate Authority? The CA is an internal CA and not accessible fr...