need help with sending group policy attribute to ASA
Douglas C. Stephens
stephend at ameslab.gov
Thu Jul 11 20:46:35 CEST 2019
Rong Wang,

Do you mean ASA group policy attributes?

If so, I do this sort of thing by adding clauses in my
/etc/raddb/sites-enabled/site post-auth section. I do an if(){} clause
with an LDAP-Group check to see if the user is a member. If true, then
I include within the "if{}" an "update reply {}" clause and set the
attribute I want to the value I want (either fixed supported VALUEs by
name, or arbitrary values, as appropriate).

Take a look in dictionary.cisco.asa provided with, and loaded by,
FreeRADIUS. If the attributes you want to set are in there, you can use
them. On my CentOS-7 systems with CentOS-supplied FreeRADIUS RPMs, the
dictionaries are in /usr/share/freeradius.

On 7/11/2019 12:59 PM, Rong Wang wrote:
> Hello,
>
> I am trying to find out the correct way to send group policy attribute to
> Cisco ASA for remote access vpn users. I am running Freeradius version
> 3.0.17, and Cisco ASA version 9.8.3(18). Any help is appreciated.
>
> Thanks,
> Rong Wang
>
--
Douglas C. Stephens | Network Systems Analyst
Information Technology | Phone: (515) 294-6102
Ames Laboratory, US DOE | Email: stephend at ameslab.gov
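
The approach described in the reply above, written out as an added example that is not part of the original post or the poster's own configuration. The LDAP group names and policy names are constructed, ASA-Group-Policy is assumed to be the attribute name in your dictionary.cisco.asa (confirm it there, as the reply advises), and the final reject branch is an added fail-closed choice.

```unlang
# /etc/raddb/sites-enabled/site   (virtual server file named in the reply)
post-auth {
	# LDAP-Group is the group-membership check provided by the ldap
	# module, which must be configured and loaded for this to work.
	# "vpn-admins" and "vpn-staff" are constructed group names.
	if (LDAP-Group == "vpn-admins") {
		update reply {
			# Assumed attribute name: verify it exists in
			# /usr/share/freeradius/dictionary.cisco.asa.
			# The value must match a group-policy name defined
			# on the ASA; "ADMIN-POLICY" is a constructed name.
			ASA-Group-Policy := "ADMIN-POLICY"
		}
	}
	elsif (LDAP-Group == "vpn-staff") {
		update reply {
			ASA-Group-Policy := "STAFF-POLICY"
		}
	}
	else {
		# Added design choice: a user in neither group gets no
		# policy attribute, so the ASA would apply whatever its
		# default policy allows. Rejecting here fails closed.
		reject
	}
}
```

Running the server in debug mode (radiusd -X) and authenticating a test user from each group shows whether the Access-Accept carries the attribute with the expected value.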