11-02-2015 07:01 PM
Hi,
I have a problem with my Cisco ISE, which returns the class 25 like this: "User Identity Groups:Partner_****"
While ACS only returns this: "Partner_****"
So the problem is that it doesn't match my configuration on the ASA, which awaits something like the ACS: Partner_****
Do I have to modify my configuration for all my DAPs on the ASA, or can I modify the answer of the ISE to be something like the ACS?
Thanks,
Sylvain.
11-21-2015 08:41 AM
Sylvain, let's see the Class value defined in "Attribute setting" from "Authorization Profiles" that ISE picks up for your AnyConnect session. The string has to be exactly the same word that ASA expects and my initial assumption is you have "User Identity Groups:Partner_****" there. I don't think you need to have your DAP configuration tweaked...
11-26-2015 01:52 PM
Thanks for your answer.
Here is my configuration in detail:
The DAPs on the ASA are configured with the name of the group: "Partner_XXXX"
The ACS is configured to return the name of the group to which the user belongs (class 25): (Partner_XXXX)
Since I migrated my users to the Cisco ISE, it returns the class 25 with: "User_Identity_Groups:Partner_XXX"
So I had to modify all my DAPs on the ASA to match "User_Identity_Groups:Partner_XXXX"
I just wanted to know if there was a possibility to modify what the ISE returns to: "Partner_XXXX" instead of "User_Identity_Groups:Partner_XXXX"
Thanks.
11-26-2015 03:59 PM
Sylvain, noted about your DAP criteria. Could you please ensure the class is defined as "Partner_XXXX" so that ISE replies with that value and it should not contain the unwanted string like "User_Identity_Groups:"?
12-02-2015 01:14 PM
Unfortunately, if I apply this solution, I have to create an authorization profile for each of my groups.