Freeradius + Cisco Anyconnect group policy

Pico Aeterna flippedootninja at
Wed Oct 12 20:05:22 CEST 2016

reeradius + Cisco Anyconnect group policy

I recently just deployed a freeradius server to authenticate our Cisco
Anyconnect VPN users against pam/google's OTP.   My configs are in place
and everything is working fine however recently we've taken on a few
contractors that I would like to restrict to a specific
tunnel-group/split-tunnel.  I dont mind creating SSH accounts for them just
as long as they have the correct split-tunnel/group policy assigned.
Currently my test user can log into both tunnel-groups.

Currently in users.conf my auth default type is

"DEFAULT        Auth-Type := PAM"

Can this be done via /etc/group + pam or do I need to add these users to
users.conf and then apply the attributes "ASA-Group-Policy" and
"ASA-IPsec-Split-Tunnel-List" to them?  Should I see the
policy/tunnel-group name being sent from my ASA to my radius server?  This
is currently what I see via raddb -XXX when I connect using either

Received Accounting-Request Id 174 from x.x.x.x:1026 to x.x.x.x:1813 length
User-Name = 'username'
NAS-Port = 122380288
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = x.x.x.x
Called-Station-Id = 'x.x.x.x'
Calling-Station-Id = 'x.x.x.x'
Acct-Status-Type = Start
Acct-Delay-Time = 2
Acct-Session-Id = 'B5F00188'
Acct-Authentic = RADIUS
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = 'x.x.x.x'
NAS-IP-Address = x.x.x.x

Does anyone currently have this implemented or a sample config I can
review, or am I going about it in the wrong way?

radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built
on Mar  5 2015 at 23:41:36

More information about the Freeradius-Users mailing list