
AnyConnect profile as RADIUS attribute

zahir_zahir
Level 1

Hi.

Is it possible to send the profile name as a RADIUS attribute during client authentication? I would like to match users, depending on profile name, to separate Identity Stores in my ACS.

ASA 5540 8.4, anyconnect 3.1.01065, ACS 5.1

thanks.

1 Accepted Solution


Hi Ad,

Thanks for refreshing my mind with this enhancement request, yesterday I could not find it.

Please check this out:

Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions

Symptom: Enhancement request: Implement ASA facility to send Radius VSAs (vendor-specific attributes) such as Tunnel Group and Client Type upstream to a Radius Server for VPN Remote Access policy decisions

Conditions:

Workaround: This AAA feature was implemented in ASA version 8.4.3

Key vendor-specific attributes (VSAs) sent in RADIUS access request and accounting request packets from the ASA
Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in RADIUS accounting request packets from the ASA. All four attributes are sent for all accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for example, ACS and ISE) can then enforce authorization and policy attributes or use them for accounting and billing purposes.

Fixed-In

8.4(3)

8.6(1.3)

9.0(1)

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw31922

So you may want to give it a try in these versions.

HTH.

If you do not have any further questions please mark this post as answered.

Thanks
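
Added example, not part of the original posts and not Cisco code: a sketch of what a RADIUS server sees once the ASA sends these VSAs, parsing an Access-Request for Tunnel Group Name (146) and Client Type (150) and choosing an identity store from the tunnel group. Assumptions: the ASA's VSAs use vendor ID 3076 (not stated in the thread), and the store names, group names and sample packet are constructed for illustration.

```python
import struct

ASA_VENDOR_ID = 3076                       # assumption: vendor ID of ASA VSAs, not from the thread
TUNNEL_GROUP_NAME, CLIENT_TYPE = 146, 150  # VSA numbers quoted in the post

def _tlvs(buf, what):
    """Yield (type, value) from 1-byte-type / 1-byte-length TLVs, rejecting bad lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError(f"truncated {what} header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad {what} length {length}")
        yield t, buf[i + 2:i + length]
        i += length

def asa_vsas(packet):
    """Return {vendor_type: raw bytes} for vendor-3076 VSAs in an Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    found = {}
    for atype, value in _tlvs(packet[20:length], "attribute"):
        if atype != 26 or len(value) < 4:          # 26 = Vendor-Specific (RFC 2865)
            continue
        if struct.unpack("!I", value[:4])[0] != ASA_VENDOR_ID:
            continue
        for vtype, vdata in _tlvs(value[4:], "VSA"):
            found[vtype] = vdata
    return found

# Hypothetical tunnel-group -> identity-store mapping (names are made up)
STORES = {"EMPLOYEES": "AD-Corp", "CONTRACTORS": "Internal-Users"}

def select_identity_store(packet):
    """Pick the store by tunnel group; None means no rule matched, so reject."""
    group = asa_vsas(packet).get(TUNNEL_GROUP_NAME, b"").decode("utf-8", "replace")
    return STORES.get(group)

def _attr(t, v): return bytes([t, len(v) + 2]) + v
def _vsa(vt, v): return _attr(26, struct.pack("!I", ASA_VENDOR_ID) + _attr(vt, v))

def sample_request(group):
    """Constructed Access-Request: User-Name plus the two VSAs (client type 2 is arbitrary)."""
    attrs = (_attr(1, b"alice") + _vsa(TUNNEL_GROUP_NAME, group)
             + _vsa(CLIENT_TYPE, struct.pack("!I", 2)))
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs
```

On ACS or ISE the same decision is expressed as a policy rule condition on the received attribute rather than in code; the unmatched case should fall through to a reject rather than to a default store.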


3 Replies

Hi Ad,

I have verified the Radius IETF and Radius Cisco, but could not find any attribute for this purpose.

You may want to open this same post on the AAA community.

HTH.

Portu.

Please rate any helpful posts
