need help with sending group policy attribute to ASA
Rong Wang
rzwang at scu.edu
Thu Jul 11 22:47:07 CEST 2019
Hi Douglas,
Thank you! I tried to set attribute "ASA-Group-Policy" under "update
reply", ASA didn't take it. I also tried to set it under "update request",
it also didn't work. I am able to create a group with group attribute, and
set Cisco AVpair for the group in raddb/mod-config/file/authorize, but I
never had the luck to make ASA-Group-Policy attribute work with ASA. Any
other thought?
Thanks,
Rong
On Thu, Jul 11, 2019 at 11:46 AM Douglas C. Stephens <stephend at ameslab.gov>
wrote:
> Rong Wang,
>
> Do you mean ASA group policy attributes?
>
> If so, I do this sort of thing by adding clauses in my
> /etc/raddb/sites-enabled/site post-auth section. I do an if(){} clause
> with an LDAP-Group check to see if the user is a member. If true, then
> I include within the "if{}" an "update reply {}" clause and set the
> attribute I want to the value I want (either fixed supported VALUEs by
> name, or arbitrary values, as appropriate).
>
> Take a look in dictionary.cisco.asa provided with, and loaded by,
> FreeRADIUS. If the attributes you want to set are in there, you can use
> them. On my CentOS-7 systems with CentOS-supplied FreeRADIUS RPMs, the
> dictionaries are in /usr/share/freeradius.
>
>
> On 7/11/2019 12:59 PM, Rong Wang wrote:
> > Hello,
> >
> > I am trying to find out the correct way to send group policy attribute to
> > Cisco ASA for remote access vpn users. I am running Freeradius version
> > 3.0.17, and Cisco ASA version 9.8.3(18). Any help is appreciated.
> >
> > Thanks,
> > Rong Wang
> >
>
> --
> Douglas C. Stephens | Network Systems Analyst
> Information Technology | Phone: (515) 294-6102
> Ames Laboratory, US DOE | Email: stephend at ameslab.gov
>
--
Rong Wang
Senior Network Engineer
Address | 500 El Camino Real, Santa Clara, CA 95053
Phone | (408)551-7107
Email | rzwang at scu.edu
Website | https://www.scu.edu/is/it
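
The post-auth approach Douglas describes in the quoted reply, written out as FreeRADIUS 3.0 unlang. This is an added example, not configuration from either poster. It assumes the ldap module is enabled so that LDAP-Group checks work and that ASA-Group-Policy is defined in the loaded dictionary.cisco.asa; the group names, the policy names and the restrictive fallback branch are hypothetical placeholders.

```unlang
# In the post-auth section of the virtual server handling the ASA's requests
# (for example /etc/raddb/sites-enabled/site, as in the quoted reply).
post-auth {
	# Hypothetical LDAP group; members get the matching ASA group policy.
	if (LDAP-Group == "vpn-admins") {
		update reply {
			ASA-Group-Policy := "ADMIN-POLICY"
		}
	}
	# Second hypothetical group, checked only if the first did not match.
	elsif (LDAP-Group == "vpn-staff") {
		update reply {
			ASA-Group-Policy := "STAFF-POLICY"
		}
	}
	# Assumption added for this example: users in neither group are
	# mapped to a restrictive policy instead of the ASA's default one.
	else {
		update reply {
			ASA-Group-Policy := "NO-ACCESS-POLICY"
		}
	}
}
```

Running the server in debug mode (radiusd -X) shows whether the attribute is present in the Access-Accept that is sent back to the ASA.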