Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
951
Views
0
Helpful
1
Replies

How to differentiate Connection Profiles via AAA?

ROBERTO GIANA
Level 4
Level 4

‎08-04-2011 05:26 AM

Hi

Is there a way how an AAA server can differentiate through which Connection Profile a user has connected?

I'm using group URLs for publishing different VPN services and I want to know through which group URL a user has tried to authenticate on the ASA. Unfortunately the ASA doesn't provide any RADIUS attributes to the AAA server (an ACS) regarding the selected Connection Profile so that I can't make different policies and filter the access.

Labels:
0 Helpful
1 Reply 1

Herbert Baerten
Cisco Employee
Cisco Employee

‎08-07-2011 03:39 AM

Hi Roberto,

you're right, the ASA currently does not send this information as Radius attributes in the Access-Request. This is being worked on, cfr this enhancement request:

CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions

I don't have any details at this time as to which software version this will be included in; I suggest you track it using Bug Toolkit.

In the meantime, there might be other ways to realize what you would like to achieve.

E.g. if you want to do something like "if user JDOE connects to group FOO, allow access but if he connects to any other group then disconnect him" then you can do that in different ways, e.g. using a DAP policy, or by pushing the group-lock attribute. You could also allow access to any tunnel-group, but always push the same group-policy (or even get rid of your different tunnel-groups and only use different group-policies to differentiate between users).

If it's something else you're trying to do, please clarify.

hth

Herbert

0 Helpful
Customers Also Viewed These Support Documents