
ASA anyconnect SAML authentication and radius accounting

nuancebvdr
Level 1

Hello all,

We recently moved the authentication of our AnyConnect clients on ASA from RADIUS (no ISE, sorry) to SAML. We are missing the extensive accounting information on RADIUS. Is there any way of authenticating using SAML and still keep RADIUS accounting?

1 Reply

Marvin Rhoads
Hall of Fame

I haven't tried it for accounting but I do know that with authorization we can add a separate authorization server (e.g. ISE) from the authentication server (e.g. SAML). Just specify the accounting server separately in the tunnel-group (known as Connection Profile in ASDM).

Firewall config:

Specify server group and the host with key

aaa-server TACACS protocol tacacs+

aaa-server TACACS (inside) host <address>
   key *****

Specify the accounting server group under the general attributes for the tunnel group:

tunnel-group <TG-name> general-attributes
    accounting-server-group TACACS

 

(It could alternatively be a RADIUS server.)