need help with sending group policy attribute to ASA

Douglas C. Stephens stephend at
Thu Jul 11 20:46:35 CEST 2019

Rong Wang,

Do you mean ASA group policy attributes?

If so, I do this sort of thing by adding clauses in my
/etc/raddb/sites-enabled/site post-auth section.  I do an if(){} clause
with an LDAP-Group check to see if the user is a member.  If true, then
I include within the "if{}" an "update reply {}" clause and set the
attribute I want to the value I want (either fixed supported VALUEs by
name, or arbitrary values, as appropriate).

Take a look in provided with, and loaded by,
FreeRADIUS.  If the attributes you want to set are in there, you can use
them.  On my CentOS-7 systems with CentOS-supplied FreeRADIUS RPMs, the
dictionaries are in /usr/share/freeradius.

On 7/11/2019 12:59 PM, Rong Wang wrote:
> Hello,
> I am trying to find out the correct way to send group policy attribute to
> Cisco ASA for remote access vpn users. I am running Freeradius version
> 3.0.17, and Cisco ASA version 9.8.3(18). Any help is appreciated.
> Thanks,
> Rong Wang

Douglas C. Stephens		| Network Systems Analyst
Information Technology          | Phone: (515) 294-6102
Ames Laboratory, US DOE         | Email: stephend at

More information about the Freeradius-Users mailing list