Use radius to assign another specific group-policy for Anyconnect5

tryingtofixit
Level 1

Is it possible, using RADIUS (with Active Directory groups) and vendor codes, to assign a group-policy of unlimited-vpn to the same connection profile?

I know it's possible to assign AnyConnect DHCP pools based on AD group and vendor code.

I have two connection profiles, one for vendors and one for internal. We recently went to a 12 hr connect time, but need to have an "unlimited VPN connection" for those special cases. Thought it might be possible to tweak something in the NPS/RADIUS server vendor codes and such to achieve this.

What I don't want is having multiple connection profile choices show up when someone connects. If you are a member of "unlimited-vpn" there is no time limit; a member of "vpn users" gets 12 hours.

Using certs is not an option; we already use certs for both connection profiles as part of the two-factor.

thanks


4 Replies

@tryingtofixit Yes, use IETF RADIUS Class = <group policy name> or "OU=<group policy name>". That should work on any RADIUS server, e.g. Windows NPS. You reference the group-policy that already exists on the ASA.

You could also look at just pushing the timeout directly from the RADIUS server using the attribute "IETF-Radius-Idle-Timeout".

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_radius.pdf
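The exchange the reply above describes, as an added example that is not part of the original thread and not Cisco's or Microsoft's code. It encodes the attributes an NPS network policy would return in the Access-Accept (standard attribute Class, type 25, carrying "OU=<group-policy>;", optionally Session-Timeout, type 27) and then resolves them the way the ASA does: the Class value names a group-policy that must already exist on the ASA, and a per-user Session-Timeout overrides that group-policy's vpn-session-timeout. The group-policy names vpn-users and vpn-unlimited, the timeout values, and the small table standing in for the ASA configuration are all assumptions made for the example. One caveat worth checking against the linked ASA document: the maximum connect time is the Session-Timeout attribute (27), which maps to vpn-session-timeout; Idle-Timeout (28) maps to vpn-idle-timeout, which is a different limit.

```python
"""RADIUS Class / Session-Timeout handling as the ASA applies it (added example)."""
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS attribute type codes (RFC 2865, section 5)
CLASS = 25
SESSION_TIMEOUT = 27  # seconds; ASA maps this to vpn-session-timeout
IDLE_TIMEOUT = 28     # seconds; ASA maps this to vpn-idle-timeout (a different limit)

# Constructed stand-in for the ASA group-policy configuration this example assumes
# (hypothetical names and values):
#   group-policy vpn-users attributes      -> vpn-session-timeout 720
#   group-policy vpn-unlimited attributes  -> vpn-session-timeout none
ASA_GROUP_POLICIES: Dict[str, Dict[str, Optional[int]]] = {
    "vpn-users": {"vpn-session-timeout": 720},
    "vpn-unlimited": {"vpn-session-timeout": None},
}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value; Length counts the header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept_attrs(group_policy: str, session_timeout_s: Optional[int] = None) -> bytes:
    """Attributes an NPS network policy would return: Class = OU=<gp>; plus optional Session-Timeout."""
    attrs = encode_attr(CLASS, f"OU={group_policy};".encode())
    if session_timeout_s is not None:
        attrs += encode_attr(SESSION_TIMEOUT, struct.pack("!I", session_timeout_s))
    return attrs


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list, rejecting truncated or undersized TLVs."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def group_policy_from_class(value: bytes) -> str:
    """ASA convention: Class carries the group-policy name, bare or as OU=<name>; (trailing ; optional)."""
    name = value.decode("utf-8")
    if name.upper().startswith("OU="):
        name = name[3:]
    return name.rstrip(";")


def resolve_session(attrs: bytes) -> Dict[str, Optional[int]]:
    """Mimic the ASA: pick the group-policy named by Class, then apply any per-user timeout."""
    group_policy = None
    session_timeout_min = None
    for attr_type, value in decode_attrs(attrs):
        if attr_type == CLASS:
            group_policy = group_policy_from_class(value)
        elif attr_type == SESSION_TIMEOUT:
            session_timeout_min = struct.unpack("!I", value)[0] // 60
    if group_policy is None:
        raise ValueError("no Class attribute; the tunnel-group default group-policy would apply")
    if group_policy not in ASA_GROUP_POLICIES:
        raise ValueError(f"group-policy {group_policy!r} is not defined on the ASA")
    result: Dict[str, Optional[int]] = dict(ASA_GROUP_POLICIES[group_policy])
    result["group-policy"] = group_policy  # type: ignore[assignment]
    if session_timeout_min is not None:
        # User attributes returned by AAA take precedence over the group-policy value.
        result["vpn-session-timeout"] = session_timeout_min
    return result


if __name__ == "__main__":
    for gp, st in (("vpn-users", None), ("vpn-unlimited", None), ("vpn-users", 3600)):
        print(gp, st, "->", resolve_session(build_access_accept_attrs(gp, st)))
```

Nothing has to match in AD: the AD group membership is only the condition of the NPS network policy, and the string placed in the Class attribute is what has to match a group-policy name on the ASA. In NPS that attribute is added under the network policy's Settings tab, RADIUS Attributes, Standard, as the string attribute Class.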


Thanks for the reply. Using NPS 2022. So if using IETF RADIUS Class = <group policy name> or <OU=group policy name>, does that mean that if using the (ASA) group policy name, my ASA group-policy name would need to match the one in my Active Directory, "vpn-unlimited"?

Or can I have a different AD group name that gets matched to my ASA group policy?

Thanks 

@tryingtofixit you don't need to match anything in AD. The group-policy name you define in the RADIUS server should exist on the ASA.

The ISE example should hopefully make it clearer.

[Image: ISE authorization profile example, RobIngram_0-1739994248606.png]


Thanks, I can't seem to find where to put the IETF code in Microsoft NPS 2022.