Freeradius + Cisco Anyconnect group policy

Alan DeKok aland at
Wed Oct 12 22:45:01 CEST 2016

On Oct 12, 2016, at 2:05 PM, Pico Aeterna <flippedootninja at> wrote:
> I recently just deployed a freeradius server to authenticate our Cisco
> Anyconnect VPN users against pam/google's OTP.   My configs are in place
> and everything is working fine however recently we've taken on a few
> contractors that I would like to restrict to a specific
> tunnel-group/split-tunnel.  I dont mind creating SSH accounts for them just
> as long as they have the correct split-tunnel/group policy assigned.
> Currently my test user can log into both tunnel-groups.
> Currently in users.conf my auth default type is
> "DEFAULT        Auth-Type := PAM"

  We don't recommend using PAM.  If you need it for OTP, fine.  But a native FreeRADIUS implementation is usually better.

> Can this be done via /etc/group + pam or do I need to add these users to
> users.conf and then apply the attributes "ASA-Group-Policy" and
> "ASA-IPsec-Split-Tunnel-List" to them?

  If you need to send RADIUS attributes, those attributes should be configured on the RADIUS server.  You can't configure them in PAM.

>  Should I see the
> policy/tunnel-group name being sent from my ASA to my radius server?

  I have no idea what that means.  Perhaps you could be a bit more specific.

>  This
> is currently what I see via raddb -XXX when I connect using either
> tunnel-group.

  That's an accounting packet.  Not an Access-Request packet.  If you're debugging authentication, it helps to look at Access-Request packets.

> Does anyone currently have this implemented or a sample config I can
> review, or am I going about it in the wrong way?

  Post the FULL DEBUG LOG as suggested in the FAQ, "man" pages, web pages, and daily on this list.

  Alan DeKok.

More information about the Freeradius-Users mailing list