Groups and Attributes Mapping from Radius Token Server
For some types of external user databases, ACS supports the assignment of users to specific ACS groups based on the RADIUS authentication response from the external user database.
ACS provides this assignment in addition to the unknown user group mapping described in Group Mapping by External User Database. RADIUS-based group specification overrides group mapping.
To provide the per-user group mapping feature in ACS 5.3, use the attribute retrieval and authorization mechanism for users that are authenticated with an external RADIUS identity store.
For this, you must configure the RADIUS identity store to return authentication responses that contain the [009\001] cisco-av-pair attribute with the following value:
ACS:CiscoSecure-Group-Id=N, where N is a value returned from the external radius server to ACS.
Then, this attribute is available in the policy configuration pages of the ACS web interface while creating authorization and group mapping rules.
You can use the RADIUS attributes retrieved during authentication against the RADIUS identity store in ACS policy conditions for authorization and group mapping. You can select the attributes that you want to use in policy conditions while configuring the RADIUS identity store. These attributes are kept in the RADIUS identity store dedicated dictionary and can be used to define policy conditions.
You cannot query the RADIUS server for the requested attributes. You can only configure the RADIUS identity store to return the requested attributes. These attributes are available in the Access-Accept response as part of the attributes list.
In the below screenshot, under the “Directory Attributes” of “Radius Token Servers”, we have added a “cisco-av-pair” dictionary and the AV pair name is “ACS:CiscoSecure-Group-Id”.
You can give any policy condition name which will be available as an option under the Authorization section of Access Policy.
In the below screen shot, we have used the “Policy Condition Name” defined earlier.
In this case, the value returned from Radius Identity/Token server for the attribute “ACS:CiscoSecure-Group-Id” is supposed to be “065” and based on that he will hit the desired authorization rule.
Attributes visible under ACS Monitoring Report
Other Attributes: ACSVersion=acs-22.214.171.124-B.839
Device IP Address=xx.xx.xx.xx
We need to go through the ACS logs to make sure what exact value for the "cisco-av-pair:ACS:CiscoSecure-Group-Id" being returned by the radius-token-server. The same value need to be used in the authorization rule that we have created above.
Hi All, I've searched but to no avail. A client has requested the ability for staff to be notified of a DLP alert on outgoing emails, hold the email and then allow the sender to review and release the email (outgoing). Is this possible and If so how?...
Couldn't find this anywhere, so made it myself, its a group that excludes all RFC1918 addressing and contains all other IPv4 addresses. It includes RFC3330 but I don't think that will concern most people. object-group network INTERNETnetwork-ob...
Is there a best practice around handling Cisco FlexConnect APs and their switchport configuration when doing profiling? Flex APs require commands relating to trunking and native VLAN etc. - which is different to the usual port template ...
Hello, Is there any keepalive mechanism between the switch and ISE. I need to know if there is a way which can enable the switch to know if ISE server is online and available at any particular time.The idea is that lets suppose we try to authenticate...
Hello Experts, I want to utilize existing hardware for Stealthwatch Enterprise deployment. We have UCS 5108 with B200 M5 Servers. I am following below link for the Virtual Server sizing: https://www.cisco.com/c/dam/en/us/td/docs/security/stealth...