Groups and Attributes Mapping from Radius Token Server
For some types of external user databases, ACS supports the assignment of users to specific ACS groups based on the RADIUS authentication response from the external user database.
ACS provides this assignment in addition to the unknown user group mapping described in Group Mapping by External User Database. RADIUS-based group specification overrides group mapping.
To provide the per-user group mapping feature in ACS 5.3, use the attribute retrieval and authorization mechanism for users that are authenticated with an external RADIUS identity store.
For this, you must configure the RADIUS identity store to return authentication responses that contain the [009\001] cisco-av-pair attribute with the following value:
ACS:CiscoSecure-Group-Id=N, where N is a value returned from the external radius server to ACS.
Then, this attribute is available in the policy configuration pages of the ACS web interface while creating authorization and group mapping rules.
You can use the RADIUS attributes retrieved during authentication against the RADIUS identity store in ACS policy conditions for authorization and group mapping. You can select the attributes that you want to use in policy conditions while configuring the RADIUS identity store. These attributes are kept in the RADIUS identity store dedicated dictionary and can be used to define policy conditions.
You cannot query the RADIUS server for the requested attributes. You can only configure the RADIUS identity store to return the requested attributes. These attributes are available in the Access-Accept response as part of the attributes list.
In the below screenshot, under the “Directory Attributes” of “Radius Token Servers”, we have added a “cisco-av-pair” dictionary and the AV pair name is “ACS:CiscoSecure-Group-Id”.
You can give any policy condition name which will be available as an option under the Authorization section of Access Policy.
In the below screen shot, we have used the “Policy Condition Name” defined earlier.
In this case, the value returned from Radius Identity/Token server for the attribute “ACS:CiscoSecure-Group-Id” is supposed to be “065” and based on that he will hit the desired authorization rule.
Attributes visible under ACS Monitoring Report
Other Attributes: ACSVersion=acs-188.8.131.52-B.839
Device IP Address=xx.xx.xx.xx
We need to go through the ACS logs to make sure what exact value for the "cisco-av-pair:ACS:CiscoSecure-Group-Id" being returned by the radius-token-server. The same value need to be used in the authorization rule that we have created above.
Hello I have a SMA and two WSA They are all physical appliances and in the latest version. I am trying to publish the configuration to the appliances, but I get this errorAcceptable Use Control Engine data version on the Web App...
Hi @ all, we saw a few incoming mails which used as the from Name a vip´s Name like Name@ourdomain.test ..probably phishing attacks as they had some charakteristics to.Now the question is it possible and if yes how..that the ESA is looking in the mai...
Hello,We are planning to migrate to use PEAP and EAP-TLS as authentication method.We have Root CA and several intermediate CA(first and second) all on Microsoft.We've imported Root CA and intermediate CA(first) Certificates in Trusted Certificates on ISE....
We have two ASAs working separately for working from home access. The extra pair were set up last year due to working from home pressures of covid. SBL was set up with half staff connecting to one - half to the other. However - a year later, and I n...
It's been a while since I have had to deal with an ISE Portal issue. Today was a struggle to get Android devices to not complain when trying to connect to a simple ISE Hotspot Portal. It was surprising to me that Windows and Apple iOS devices...