cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1301
Views
0
Helpful
4
Replies
ext-stedeschi
Beginner

Cisco ISE and RADIUS Class 25

Hi,

I have a problem with my Cisco ISE who return the class 25 like that : "User Identity Groups:Partner_****"

When ACS only return this : "Partner_****"

So the problem is that it doesn't match my configuration on the ASA who await for something like the ACS : Partner_****

Do I have to modify my configuration for all my DAP on the ASA or can I modify the answer of the ISE to be something like the ACS.

Thanks,

Sylvain.

4 REPLIES 4
Shinpei Kono
Cisco Employee

Sylvain, let`s see the Class value defined in "Attribute setting" from "Authorization Profiles" that ISE picks up for your AnyConnect session. The string has to be exactly the same word that ASA expects and my initial assumption is you have "User Identity Groups:Partner_****" there.I don`t think you need to have your DAP configuration tweaked...

Thanks for your answer.

here is my configuration in detail :

the DAP on the ASA are configured with the name of the group : "Partner_XXXX"

The ACS is configured to return the name of the group of which the user belong (class 25) : (Partner_XXXX)

Since I migrated my users on the cisco ISE, it return the class 25 with : "User_Identity_Groups:Partner_XXX"

So I had to modify all my DAP on the ASA to match with "User_Identity_Groups:Partner_XXXX"

I just wanted to know if there was a possibility to modify what the ISE return to : "Partner_XXXX" instead of "User_Identity_Groups:Partner_XXXX"

Thanks.

Sylvain, noted about your DAP criteria. Could you please ensure the class is defined as "Partner_XXXX" so that ISE replies with that value and it should not contain the unwanted string like "User_Identity_Groups:"?

Unfortunetly if I apply this solution, I have to create an authorization profile for each of my groups.

Create
Recognize Your Peers
Content for Community-Ad