Showing results for 
Search instead for 
Did you mean: 

Cisco ASA Radius Map for 2F Authentication

Hi Cisco Experts,

I know there is a way to configure Ldap map for getting authentication ans authorization to specified groups only. Is there any way to configure the same for 2F authentication.

Let me brief you here my requirement.

I have configured 2 Remote Access VPNs(RAVPN1G and RAVPN2G) using RSA-2F authentication. Now there are 2 user-groups in RSA ( USER1G and USER2G). Now both user groups are able to login to both groups. We want to restrict in such a way so that USER1G should be able to login to RAVPN1G only but not to other one and vice versa. We can do it in RSA but is there any to define the same in ASA.

Please advise.

VIP Advocate

Is the ASA talking to the RSA

Is the ASA talking to the RSA server using Radius or SDI protocol?

If it is Radius, then you can use the Tunnel-Group-Lock feature along with Radius class attribute to lock an AD user to a particular tunnel-group.

How it works:

User1G will have Radius class attribute (25) set to "OU=GroupPolicy1" on AD

User2G will have Radius class attribute (25) set to "OU=GroupPolicy2" on AD

GroupPolicy1 will have group-lock set to RAVPN1G and GroupPolicy2 will have RAVPN2G.

When User1 connects, they will receive the Group policy as GroupPolicy1 - which only allows them to connect via RAVPN1G. Similar for User2.


Hi Rahul,

Hi Rahul,

Thanks for response but

1.> Users are not configured locally but it takes from Radius.(ASA is talking to RSA server using Radius)

2.>"OU=GroupPolicy1" on AD ( How AD is required here)

3.>Can you please give CLI configuration for class attribute (25) set to "OU=GroupPolicy1" on AD

VIP Advocate

1) If Radius is the protocol

1) If Radius is the protocol and RSA is using internally defined users (on the RSA server itself), then the server should reply back with Radius attribute 25 (Class) set to value as "OU=GroupPolicy1). There is no Cisco documentation on the RSA server part that I could find, but searching through RSA's docs, I was able to find information on setting Radius user attributes on RSA server here:

2) If AD was being used as identity store for users, the Radius attribute would be set on the Domain controller for the users. IF you are not using AD, then the RADIUS attribute has to be returned by RSA server.

3) For AD settings, please refer to the below guide:

The ASA does not require any configuration to map Class to Group-Policy, this is done automatically.


Re: 1) If Radius is the protocol

Hi Rahul,

can you help with following configuration.

currently ASA and AD integration is done and group policies are mapped to AD user group.


ldap attribute-map ANYCONNECT

  map-name  memberOf Group-Policy

  map-value memberOf "CN=CP-Users,OU=VPN-Access,OU=Corp-Users,DC=cisco,DC=org" CP-USERS-GP


now AD is replaced with Microsoft MFA and need to have similar kind of mapping. but i am not able to find relevant mapping under radius server.


(config-aaa-server-host)# ?

AAA server configuration commands:
  accounting-port       Specify the port number to be used for accounting
  acl-netmask-convert   Specify the ACL Downloadable Netmask Operation
  authentication-port   Specify the port number to be used for authentication
  exit                  Exit from aaa-server host configuration mode
  group-search-timeout  Specify the maximum time to wait for response from
                        configured server when using the 'show ad-groups'
  help                  Help for AAA server configuration commands
  key                   Specify the secret used to authenticate the NAS to the
                        AAA server
  mschapv2-capable      Enter this keyword to indicate that the server supports
                        MSChap V2 requests
  no                    Remove an item from aaa-server host configuration
  proxy-auth_map        Specify proxy auth protocol table type
  radius-common-pw      Specify a common password for all RADIUS authorization
  retry-interval        Specify the amount of time between retry attempts
  timeout               Specify the maximum time to wait for response from
                        configured server


how to get user group ( MFA - attribute 25 abstract from AD ) to match vpn group policy?




VIP Advocate

Re: 1) If Radius is the protocol

This mapping is automatically done by the ASA for Radius without any config required. All you need to do is set the Class attribute (Radius 25) through NPS extension for MFA. The ASA will map this attribute to the group-policy. 


NPS extension with Azure MFA is here:


ASA NPS integration is here:




Re: 1) If Radius is the protocol

Perhaps some old topic, but almost same situation:


1) Cisco ASA

2) NPS as Radius

3) Two RA VPN profiles/groups (for example VPN1group, VPN2group) with different access rights and different VPN profiles (P1 and P2)

4) Users: us1, us2, us3, us4, us5

How to make us5 the member of both groups at the same time?

The goal is to allow user us5 to have both vpn profiles and to use corresponding profile based of access required.


Best regards.