Groups and Attributes Mapping from Radius Token Server
For some types of external user databases, ACS supports the assignment of users to specific ACS groups based on the RADIUS authentication response from the external user database.
ACS provides this assignment in addition to the unknown user group mapping described in Group Mapping by External User Database. RADIUS-based group specification overrides group mapping.
To provide the per-user group mapping feature in ACS 5.3, use the attribute retrieval and authorization mechanism for users that are authenticated with an external RADIUS identity store.
To do this, you must configure the RADIUS identity store to return authentication responses that contain the [009\001] cisco-av-pair attribute with the following value:
ACS:CiscoSecure-Group-Id=N, where N is the group identifier that the external RADIUS server returns to ACS.
Then, this attribute is available in the policy configuration pages of the ACS web interface while creating authorization and group mapping rules.
You can use the RADIUS attributes retrieved during authentication against the RADIUS identity store in ACS policy conditions for authorization and group mapping. You can select the attributes that you want to use in policy conditions while configuring the RADIUS identity store. These attributes are kept in the RADIUS identity store dedicated dictionary and can be used to define policy conditions.
You cannot query the RADIUS server for the requested attributes. You can only configure the RADIUS identity store to return the requested attributes. These attributes are available in the Access-Accept response as part of the attributes list.
In the screenshot below, under Directory Attributes of the RADIUS Token Server configuration, a “cisco-av-pair” dictionary attribute has been added with the AV pair name “ACS:CiscoSecure-Group-Id”.
You can give the policy condition any name; it then appears as a selectable condition under the Authorization section of the Access Policy.
In the screenshot below, the “Policy Condition Name” defined earlier is used in an authorization rule.
In this case, the RADIUS identity/token server is expected to return the value “065” for the attribute “ACS:CiscoSecure-Group-Id”, and a user for whom that value is returned matches the desired authorization rule.
Attributes visible under ACS Monitoring Report
Other Attributes: ACSVersion=acs-18.104.22.168-B.839
Device IP Address=xx.xx.xx.xx
Check the ACS logs to confirm the exact value of "cisco-av-pair:ACS:CiscoSecure-Group-Id" that the RADIUS token server returns. That same value, matched exactly, must be used in the authorization rule created above.
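To verify the exact value the token server returns (the check described above), here is an added example, not from the original article or from Cisco, that decodes the [009\001] cisco-av-pair Vendor-Specific Attribute out of a RADIUS Access-Accept and extracts the ACS:CiscoSecure-Group-Id value. The packet builder and the sample response are constructed test data, and the authenticator is a zero placeholder rather than a computed one.

```python
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26   # RADIUS packet code and attribute type
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1    # the [009\001] cisco-av-pair VSA
GROUP_KEY = "ACS:CiscoSecure-Group-Id"

def iter_tlvs(data):
    """Yield (type, value) from a RADIUS type/length/value list, rejecting bad lengths."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]

def cisco_av_pairs(packet):
    """Return every cisco-av-pair string carried in an Access-Accept packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pairs = []
    for atype, value in iter_tlvs(packet[20:]):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue                      # some other vendor's VSA
        # one Vendor-Specific attribute may carry several vendor sub-attributes
        pairs += [v.decode("ascii", "replace")
                  for t, v in iter_tlvs(value[4:]) if t == CISCO_AV_PAIR]
    return pairs

def group_id(packet):
    """Return N from ACS:CiscoSecure-Group-Id=N exactly as sent, or None if absent."""
    for pair in cisco_av_pairs(packet):
        key, sep, val = pair.partition("=")
        if sep and key.strip() == GROUP_KEY:
            return val.strip()            # kept as a string, so "065" stays "065"
    return None

def build_accept(av_pairs, ident=7):
    """Constructed Access-Accept for testing; the 16-byte authenticator is a zero placeholder."""
    body = b""
    for text in av_pairs:
        sub = bytes([CISCO_AV_PAIR, 2 + len(text)]) + text.encode("ascii")
        body += bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + b"\x00" * 16 + body
```

Running `group_id(build_accept(["ACS:CiscoSecure-Group-Id=065"]))` returns the string "065", which is the value to copy verbatim into the authorization rule.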