Hi all,
I'm setting up an AnyConnect VPN lab for certificate-based authentication+authorization. Per all the documentation, the ASA should authenticate the cert and send an authorize-only RADIUS message to ISE, which will respond with an authorisation response. In order to do this I have to configure the RADIUS server group on the ASA to be 'authorize-only'. That command should be present according to all the documentation: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/aaa-radius.html.
(config-aaa-server-group)# authorize-only
Problem is that the command is missing from my ASA:
ciscoasa(config)# aaa-server ISE-PSNs protocol radius
ciscoasa(config-aaa-server-group)# ?
AAA server configuration commands:
  accounting-mode            Enter this keyword to specify accounting mode
  ad-agent-mode              Enter this keyword to specify ad-agent mode
  exit                       Exit from aaa-server group configuration mode
  help                       Help for AAA server configuration commands
  interim-accounting-update  Enter this keyword to enable Interim accounting
                             update
  max-failed-attempts        Specify the maximum number of failures that will
                             be allowed for any server in the group before that
                             server is deactivated
  merge-dacl                 Specify whether a downloadable ACL received from
                             RADIUS should be combined with a Cisco AV-Pair ACL
  no                         Remove an item from aaa-server group configuration
  reactivation-mode          Specify the method by which failed servers are
                             reactivated
ciscoasa(config-aaa-server-group)#
Any ideas?
Thanks all!