Missing authorize-only command on ASA5505 running 9.1(7)23

mamckenn
Level 1

Hi all,


I'm setting up an AnyConnect VPN lab for certificate-based authentication + authorization. Per all the documentation, the ASA should authenticate the cert, and send an authorize-only RADIUS message to ISE that will respond with an authorisation response. In order to do this I have to configure the RADIUS server group on the ASA to be 'authorize-only'. That command should be present according to all the documentation: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/aaa-radius.html.

(config-aaa-server-group)# authorize-only


Problem is that command is missing from my ASA:


ciscoasa(config)# aaa-server ISE-PSNs protocol radius
ciscoasa(config-aaa-server-group)# ?

AAA server configuration commands:
  accounting-mode            Enter this keyword to specify accounting mode
  ad-agent-mode              Enter this keyword to specify ad-agent mode
  exit                       Exit from aaa-server group configuration mode
  help                       Help for AAA server configuration commands
  interim-accounting-update  Enter this keyword to enable Interim accounting
                             update
  max-failed-attempts        Specify the maximum number of failures that will
                             be allowed for any server in the group before that
                             server is deactivated
  merge-dacl                 Specify whether a downloadable ACL received from
                             RADIUS should be combined with a Cisco AV-Pair ACL
  no                         Remove an item from aaa-server group configuration
  reactivation-mode          Specify the method by which failed servers are
                             reactivated
ciscoasa(config-aaa-server-group)#

Any ideas?


thanks all!


1 Reply

mamckenn
Level 1

... and just to add, not configuring authorize-only means that rather than sending an authorize-only RADIUS request, the ASA is trying to authenticate against ISE using the CN name in the cert (an AD user), which is obviously failing, as ISE is expecting a password.


cheers
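For reference, here is the end-to-end ASA configuration the two posts above are working towards (certificate authentication on the tunnel group, then an authorize-only RADIUS lookup against ISE keyed on the certificate CN). This is an added illustration written in the style of the linked ASA 9.2 AAA guide, not configuration from the thread or from Cisco; note that the guide linked is for ASA 9.2 while the help output above comes from 9.1(7)23. The server address, shared key, pool, group-policy and tunnel-group names are placeholders.

```text
! Added example, not from the original thread. Placeholder values throughout.
! RADIUS server group used only for authorization (no password is sent to ISE).
aaa-server ISE-PSNs protocol radius
 authorize-only
 interim-accounting-update periodic 1
aaa-server ISE-PSNs (inside) host 192.0.2.10
 key <PLACEHOLDER-SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813

! Tunnel group: the ASA validates the client certificate itself ...
tunnel-group CERT-VPN type remote-access
tunnel-group CERT-VPN webvpn-attributes
 authentication certificate

! ... then asks ISE for authorization, using the cert CN as the RADIUS username.
tunnel-group CERT-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy GP-CERT
 authorization-server-group ISE-PSNs
 accounting-server-group ISE-PSNs
 authorization-required
 username-from-certificate CN
```

Without `authorize-only` on the server group the ASA treats the CN as an ordinary RADIUS user and ISE rejects it for lack of a password, which is exactly the failure described in the reply above.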
