Assign Group Membership attribute to DAP for Radius logins via SSL VPN

dino.mumfrey
Level 1

Basically I want to query RADIUS for AD group membership and apply a set of bookmarks based on that group. I would use LDAP, but we have two domains and I need both to be available for login, so I am using ACS 5.3 as a proxy. Any help or suggestions? I saw something about using attribute 4242 in DAP for group membership, but what is the group syntax? I am stuck and need help.

Thanks,

Dino

1 Reply

Herbert Baerten
Cisco Employee

Hi Dino,

When using RADIUS, the value of the IETF Class attribute (IETF #25) is interpreted by the ASA as the name of a group-policy.

See e.g.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

In the example in that document, the syntax used is OU=Grouppolicyname, but the "OU=" is optional, you can just as well enter the name by itself.

If you need help mapping the AD group(s) to the RADIUS Class attribute in ACS, I'm afraid I can't help you with that, but you can ask in the forum.

Alternatively, you could have all users share the same group-policy but have ACS push the name of the bookmark list to use. I don't know the attribute name by heart, but if you scroll through the list of ASA attributes on ACS it should be fairly obvious (let me know if not).

BTW - there is an alternative to using a RADIUS "proxy" to solve the multi-domain issue. If you configure a GCS (Global Catalog Server) in your AD forest, the ASA can authenticate users in all the domains the GCS knows about. The downside to this is that the GCS does not support password change.

hth

Herbert
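The ASA side of what the reply describes, as an added example that is not part of the thread: a RADIUS server group pointing at the ACS proxy, one group-policy per bookmark set, and a tunnel-group whose default group-policy is the fallback for users whose Class value matches nothing. All names (ACS-RADIUS, 10.0.0.5, the shared secret, SSLVPN, GP-DEFAULT, GP-FINANCE, FINANCE-BOOKMARKS) are assumptions for illustration; substitute your own.

```cisco
! Added example, not configuration from the thread. Every name and address
! below is assumed; the bookmark list FINANCE-BOOKMARKS is created separately
! with "import webvpn url-list" (or in ASDM) and is only referenced here.

! RADIUS server group: the ACS 5.3 proxy that fronts both AD domains.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.0.0.5
 key MySharedSecret
 authentication-port 1812
 accounting-port 1813

! Fallback policy: no bookmarks. A user lands here when the Access-Accept
! carries no Class attribute, or one that matches no configured group-policy.
group-policy GP-DEFAULT internal
group-policy GP-DEFAULT attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none

! Per-group policy. For ACS to select it, the Access-Accept must carry
! IETF Class (attribute 25) = "GP-FINANCE" or "OU=GP-FINANCE";
! the name must match this group-policy name exactly (case included).
group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value FINANCE-BOOKMARKS

! Clientless SSL VPN connection profile authenticating against ACS.
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy GP-DEFAULT
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable

webvpn
 enable outside
```

To confirm the mapping took effect, log in as a member of the AD group and check the "Group Policy" field in the output of `show vpn-sessiondb webvpn`; `debug radius` shows the Class attribute as the ASA receives it in the Access-Accept, which is the quickest way to spot a name mismatch between ACS and the ASA.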