AnyConnect Auth using RADIUS

netrob
Level 1

Hi All,

I currently have my ASA configured to authenticate against a RADIUS server for remote access VPN. The RADIUS server is setting the 'Class' attribute with a list of the user's groups and I'd like to configure dynamic access policies using this information. I know normally, when using LDAP, you can use 'ldap.memberOf' to get group info, but I'm not sure how to get the groups from the 'Class' attribute and if the ASA will be able to get the specific group out of the list of group DNs. Unfortunately, because of the industry, I can't post configs; I'm hoping there's someone else out there who's also using RADIUS instead of LDAP for auth and knows how to grab info from RADIUS attributes.

TIA
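As an added example (not from this thread, and not Cisco or ASA code), a small Python check for what the RADIUS server actually hands the ASA: it parses a constructed Access-Accept, pulls every group DN out of the Class attribute(s), and emulates a case-insensitive "Class contains substring" DAP match. The ';' separator between DNs, the sample DNs and the policy table are assumptions, since the post does not show the real attribute format.

```python
import struct
RADIUS_CLASS = 25      # 'Class' attribute type (RFC 2865)
ACCESS_ACCEPT = 2      # RADIUS packet code for Access-Accept

def build_accept(class_values):
    """Build a minimal Access-Accept (zeroed authenticator) carrying one Class AVP per value."""
    attrs = b""
    for v in class_values:
        data = v.encode()  # each AVP value must fit in 253 bytes; the sample values are well below that
        attrs += bytes([RADIUS_CLASS, 2 + len(data)]) + data
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

def parse_attributes(payload):
    """Walk the attribute TLVs; reject a truncated header or a length that overruns the payload."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs

def class_groups(packet):
    """Return every group DN found in Class attributes (assumes ';' separates DNs inside one value)."""
    if len(packet) < 20 or len(packet) != struct.unpack("!H", packet[2:4])[0]:
        raise ValueError("packet truncated or length field does not match packet size")
    if packet[0] != ACCESS_ACCEPT:
        return []  # a reject or challenge carries no authorisation data
    groups = []
    for atype, value in parse_attributes(packet[20:]):
        if atype == RADIUS_CLASS:
            groups += [g.strip() for g in value.decode("utf-8", "replace").split(";") if g.strip()]
    return groups

def matching_policies(groups, policies):
    """Emulate a case-insensitive 'Class contains <substring>' DAP match; returns the ACLs to apply."""
    lowered = [g.lower() for g in groups]
    return [acl for needle, acl in policies if any(needle.lower() in g for g in lowered)]

# Constructed sample: two Class AVPs, the first carrying a ';'-separated list of group DNs.
SAMPLE_ACCEPT = build_accept([
    "CN=VPN-Finance,OU=Groups,DC=example,DC=com;CN=VPN-Admins,OU=Groups,DC=example,DC=com",
    "CN=VPN-Contractors,OU=Groups,DC=example,DC=com",
])
# Hypothetical DAP records: (substring to look for, ACL to push). The trailing comma stops prefix matches.
POLICIES = [("CN=VPN-Admins,", "acl-admins"), ("CN=VPN-Finance,", "acl-finance"), ("CN=VPN-HR,", "acl-hr")]
```

Pointing the same parser at a capture of the real Access-Accept shows whether the 2FA product sends one Class value per group or a single delimited list, which decides how the DAP substring has to be written.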

3 Replies

@netrob

If you are using RADIUS to authenticate and authorise the users, just create multiple authorisation rules on the RADIUS server. Each rule would match a different user group, which in turn would return a different class attribute. The ASA would then receive this attribute value and apply the setting. The ASA doesn't need to know the actual groups.

Hi and thanks for the super quick response. The problem is that we already have a ton of dynamic access policies created; each policy pushes a dynamic ACL and is currently matched using 'ldap.memberOf'. We have to migrate from LDAP to RADIUS because our two-factor authentication vendor says this is how their product can be used with Cisco VPN, so being a TFA product and not a pure RADIUS server, its functionality is limited, but it is able to pass the groups to the ASA via the Class attribute. I'm not sure how to get the ASA to parse this attribute and find the group I need.

Thanks

I am not sure the RADIUS server is going to send the group information to the ASA. Perhaps use secondary authentication. Leave the primary as LDAP and use your 2FA RADIUS as the secondary authentication server.