
Using only SAML can you apply a per-user ACL for AnyConnect on ASA?

Philip D'Ath
VIP Alumni

I'm using Cisco AnyConnect on ASA against Cisco Duo. SAML is being used for authentication.

Is there a SAML role I can push (from Duo) to apply a per-user ACL (like a RADIUS Filter-Id), instead of having to use some other authorisation option like RADIUS or Dynamic Access Policy?


Milos_Jovanovic
VIP Alumni

Hi @Philip D'Ath,

As far as I know, no, this is not possible. The reason for this is that the ASA can't use attributes received in the token for authorization.

I'm always using SAML for authentication, with an additional authorize-only RADIUS server (almost always ISE).

BR,

Milos
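
The following ASA configuration sketch is an added example, not taken from either post. It shows the arrangement the reply describes: SAML for authentication, plus an authorize-only RADIUS server group that returns the per-user ACL. All names, addresses, the IdP entity ID and the shared secret are placeholders, and the SAML IdP (`saml idp ...` under `webvpn`) is assumed to be configured already.

```text
! Added example: every name, address and key below is a placeholder.
!
! Per-user ACL defined locally on the ASA. The RADIUS server returns
! this name in the Filter-Id attribute for the users it applies to.
access-list VPN-USER-RESTRICTED extended permit tcp any host 192.0.2.10 eq 443
access-list VPN-USER-RESTRICTED extended deny ip any any
!
! RADIUS server group used for authorization only (for example ISE).
! authorize-only makes the ASA send an authorization request for the
! user name without user credentials.
aaa-server AUTHZ-RADIUS protocol radius
 authorize-only
aaa-server AUTHZ-RADIUS (inside) host 192.0.2.20
 key <shared-secret>
!
! Connection profile: SAML authenticates the user, the RADIUS group
! authorizes the session and supplies the ACL name.
tunnel-group ANYCONNECT-SAML type remote-access
tunnel-group ANYCONNECT-SAML general-attributes
 authorization-server-group AUTHZ-RADIUS
tunnel-group ANYCONNECT-SAML webvpn-attributes
 authentication saml
 saml identity-provider <idp-entity-id>
```

The user name the ASA sends to RADIUS is the one asserted by the IdP, so the RADIUS policy must match on that identity format. `show vpn-sessiondb detail anyconnect` shows the filter applied to an established session.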
