DAP: How to match users authenticating via RADIUS or SDI

justizz4all
Level 1

Hello,

I would like to have an additional DAP record for all the users authenticating via RADIUS or SDI; a kinda match-all policy for them. Wanted to use the IPSec-Authentication RADIUS attribute for it, but it was not supported by ASA (we have 5540 running 8.2(3) code). It is not possible to use Cisco group-policy or connection-profile (tunnel-group) attributes because quite a lot of group policies and tunnel groups are configured there.

Any ideas or workarounds?

Appreciate your help.

1 Reply

Herbert Baerten
Cisco Employee

Hi

I don't think there is a "proper" way to do this. However, if you can make your Radius server always return some kind of "dummy" attribute, you can check on that.

e.g. I noticed in my lab that ACS 4.x always returns Framed-IP-Address = 255.255.255.255 when it is not configured to assign an IP address. So in my DAP I made a rule that checks for Radius attribute 8 (framed-ip-address) = value 4294967295 (255.255.255.255).

hth

Herbert