Hi,
In RADIUS there is no possibility to retrieve user attributes without providing a password.
So the only way the ASA can do authorization is to do a "fake" authentication request with a dummy password.
By default, this dummy password is the same as the username.
So, if you configure the user on ACS to have a password equal to his username, this should work.
Alternatively you can configure the ASA to always send the same password (for all users). So obviously in that case you need to configure all users on ACS to have the same password.
e.g.
    aaa-server MyRadius (inside) host x.x.x.x
      radius-common-pw MyPass123
If this is not possible, you can:
- use LDAP authorization (my ACS knowledge is a bit outdated but I don't think it can act as an LDAP server though)
or
- configure the ASA to do cert + password authentication (and optionally, pre-fill the username from the cert)
or
- ask in the AAA forum to see if the ACS experts have any other ideas
hth
Herbert
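
The authorization-only exchange described in the post above, as an added example that is not part of the original post and not Cisco code: a minimal RADIUS Access-Request carrying the dummy password (the username by default, or a common password), with the User-Password attribute hidden as specified in RFC 2865 section 5.2, and the server-side recovery of it. The shared secret, user name and function names are constructed for illustration; a real request from the ASA carries additional attributes.

```python
import hashlib
import os
import struct

def _crypt(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the Request Authenticator seeds the first block.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Pad with NULs to a multiple of 16 bytes (at least one block).
    size = max(16, -(-len(password) // 16) * 16)
    return _crypt(password.ljust(size, b"\x00"), secret, authenticator, True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _crypt(hidden, secret, authenticator, False).rstrip(b"\x00")

def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def authorization_request(username: str, secret: bytes, common_pw=None, ident=1) -> bytes:
    # The dummy password is the username unless a common password is set.
    authenticator = os.urandom(16)
    dummy = (common_pw or username).encode()
    attrs = _attr(1, username.encode())                                # User-Name
    attrs += _attr(2, hide_password(dummy, secret, authenticator))     # User-Password
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))            # 1 = Access-Request
    return header + authenticator + attrs

def parse_request(packet: bytes, secret: bytes):
    # Server side: recover (User-Name, cleartext User-Password).
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, fields, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        fields[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return fields[1].decode(), reveal_password(fields[2], secret, authenticator).decode()

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    print(parse_request(authorization_request("alice", secret), secret))
    print(parse_request(authorization_request("alice", secret, "MyPass123"), secret))
```

The server only ever sees the user name plus a password that is either identical to it or the same for every user, which is why the RADIUS accounts have to be provisioned to match.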