Hi Rahul,

Thanks for response but

1.> Users are not configured locally but it takes from Radius.(ASA is talking to RSA server using Radius)

2.>"OU=GroupPolicy1" on AD ( How AD is required here)

3.>Can you please give CLI configuration for class attribute (25) set to "OU=GroupPolicy1" on AD

1) If Radius is the protocol and RSA is using internally defined users (on the RSA server itself), then the server should reply back with Radius attribute 25 (Class) set to value as "OU=GroupPolicy1). There is no Cisco documentation on the RSA server part that I could find, but searching through RSA's docs, I was able to find information on setting Radius user attributes on RSA server here:

https://community.rsa.com/docs/DOC-59536

2) If AD was being used as identity store for users, the Radius attribute would be set on the Domain controller for the users. IF you are not using AD, then the RADIUS attribute has to be returned by RSA server.

3) For AD settings, please refer to the below guide:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html#anc9

The ASA does not require any configuration to map Class to Group-Policy, this is done automatically.

Hi Rahul,

can you help with following configuration.

currently ASA and AD integration is done and group policies are mapped to AD user group.

eg

ldap attribute-map ANYCONNECT

  map-name  memberOf Group-Policy

  map-value memberOf "CN=CP-Users,OU=VPN-Access,OU=Corp-Users,DC=cisco,DC=org" CP-USERS-GP

now AD is replaced with Microsoft MFA and need to have similar kind of mapping. but i am not able to find relevant mapping under radius server.

(config-aaa-server-host)# ?

AAA server configuration commands:
  accounting-port       Specify the port number to be used for accounting
  acl-netmask-convert   Specify the ACL Downloadable Netmask Operation
  authentication-port   Specify the port number to be used for authentication
  exit                  Exit from aaa-server host configuration mode
  group-search-timeout  Specify the maximum time to wait for response from
                        configured server when using the 'show ad-groups'
                        command
  help                  Help for AAA server configuration commands
  key                   Specify the secret used to authenticate the NAS to the
                        AAA server
  mschapv2-capable      Enter this keyword to indicate that the server supports
                        MSChap V2 requests
  no                    Remove an item from aaa-server host configuration
  proxy-auth_map        Specify proxy auth protocol table type
  radius-common-pw      Specify a common password for all RADIUS authorization
                        transactions
  retry-interval        Specify the amount of time between retry attempts
  timeout               Specify the maximum time to wait for response from
                        configured server

how to get user group ( MFA - attribute 25 abstract from AD ) to match vpn group policy?

Thanks

Maduranga

This mapping is automatically done by the ASA for Radius without any config required. All you need to do is set the Class attribute (Radius 25) through NPS extension for MFA. The ASA will map this attribute to the group-policy. 

NPS extension with Azure MFA is here:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

ASA NPS integration is here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

Perhaps some old topic, but almost same situation:

1) Cisco ASA

2) NPS as Radius

3) Two RA VPN profiles/groups (for example VPN1group, VPN2group) with different access rights and different VPN profiles (P1 and P2)

4) Users: us1, us2, us3, us4, us5

How to make us5 the member of both groups at the same time?

The goal is to allow user us5 to have both vpn profiles and to use corresponding profile based of access required.

Best regards.