ASA VPN dont use RADIUS attribute

bondaraa.rus
Level 1

Hi,

We have an ASA5520
Cisco Adaptive Security Appliance Software Version 9.1(7)29
Device Manager Version 7.6(1)

And we use a RADIUS server for AAA.

When a user connects to the ASA using AnyConnect, the ASA receives from the RADIUS server a Filter-Id for the user:

Radius: Type = 11 (0x0B) Filter-Id
Radius: Length = 15 (0x0F)
Radius: Value (String) =
 12 34 56 78 90 12 34 56 78 90 | acl-ACL

But the ASA did not apply it for the user, with this message:

%ASA-4-113034: Group <GROUP_POLICY_NAME> User <USER> IP <IP> User ACL <acl-ACL> from AAA ignored, AV-PAIR ACL used instead.

On the ASA we have an ACL with exactly that name, acl-ACL, but the ASA ignored it.

On another ASA with the same config and the same RADIUS server it works fine.

Can someone help to troubleshoot this?

Accepted Solution

I found the answer.

One of the DAPs does not contain any attribute (like username = "name"), so the ASA uses this DAP for every user.

Case closed, thx.
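An added example, not part of the thread: it parses the %ASA-4-113034 message quoted in the question from a constructed syslog sample, so an operator can see which group policies keep losing their AAA ACL, and it flags DAP records that carry no selection criteria, which is the catch-all condition found here. The DAP table is a constructed dict (name to criteria list), not the ASA's own DAP XML; DfltAccessPolicy is skipped because it is meant to have no criteria.

```python
import re
from collections import Counter

# Pattern for the ASA syslog message quoted in the question.
LOG_RE = re.compile(
    r"%ASA-4-113034: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> User ACL <(?P<acl>[^>]+)> from AAA ignored, "
    r"AV-PAIR ACL used instead\."
)


def parse_113034(line):
    """Return the fields of one 113034 message as a dict, or None for other lines."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def ignored_acl_report(lines):
    """Count, per (group policy, AAA ACL), how often the Filter-Id ACL was overridden."""
    counts = Counter()
    for line in lines:
        rec = parse_113034(line)
        if rec:
            counts[(rec["group"], rec["acl"])] += 1
    return counts


def catch_all_daps(daps):
    """Names of DAP records with an empty criteria list: such a DAP matches every session.

    daps is a constructed mapping {dap_name: [criteria strings]}; DfltAccessPolicy is
    skipped because that record is intentionally empty on the ASA.
    """
    return [name for name, crit in daps.items()
            if name != "DfltAccessPolicy" and not crit]


# Constructed sample syslog lines with a collector-style prefix; hosts and IPs are made up.
SAMPLE_LOGS = [
    "Jan 10 09:12:01 asa1 %ASA-4-113034: Group <GP-Staff> User <alice> IP <203.0.113.10> "
    "User ACL <acl-ACL> from AAA ignored, AV-PAIR ACL used instead.",
    "Jan 10 09:13:44 asa1 %ASA-6-302013: Built inbound TCP connection 12345 for "
    "outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "Jan 10 09:20:17 asa1 %ASA-4-113034: Group <GP-Staff> User <bob> IP <203.0.113.11> "
    "User ACL <acl-ACL> from AAA ignored, AV-PAIR ACL used instead.",
    "Jan 10 09:25:03 asa1 %ASA-4-113034: Group <GP-Contractor> User <carol> IP <203.0.113.12> "
    "User ACL <acl-CTR> from AAA ignored, AV-PAIR ACL used instead.",
]

# Constructed DAP table: "Staff-DAP" reproduces the misconfiguration described in the answer.
SAMPLE_DAPS = {
    "DfltAccessPolicy": [],
    "Staff-DAP": [],
    "Contractor-DAP": ["aaa.radius.username = carol"],
}

if __name__ == "__main__":
    for (group, acl), n in ignored_acl_report(SAMPLE_LOGS).items():
        print(f"{group}: AAA ACL {acl} ignored {n} time(s)")
    print("catch-all DAPs:", catch_all_daps(SAMPLE_DAPS))
```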

3 Replies

radius-server attribute 11 direction default

Check the direction of the ACL and also add .out or .in if needed on the RADIUS server.

Hi, thx for the answer!

From RADIUS we receive the ACL name (type 11) without a .in or .out suffix, just acl-ACL in the value field.

On the ASA we have an ACL, for example:
access-list acl-ACL extended permit ip any any

As I understand it, without this field in the RADIUS message the ASA uses the default ACL configured in the group-policy.

But in my case the ASA ignores both the ACL from RADIUS and the default ACL, and creates a DAP for the user. I don't understand what information the ASA uses to create this DAP.

What debug command can I use other than debug radius?
