need help with sending group policy attribute to ASA

Rong Wang rzwang at
Thu Jul 11 22:47:07 CEST 2019

Hi Douglas,

Thank you! I tried to set attribute "ASA-Group-Policy" under "update
reply", ASA didn't take it. I also tried to set it under "update request",
it also didn't work. I am able to create a group with group attribute, and
set Cisco AVpair for the group in raddb/mod-config/file/authorize, but I
never had the luck to make ASA-Group-Policy attribute work with ASA. Any
other thought?


On Thu, Jul 11, 2019 at 11:46 AM Douglas C. Stephens <stephend at>

> Rong Wang,
> Do you mean ASA group policy attributes?
> If so, I do this sort of thing by adding clauses in my
> /etc/raddb/sites-enabled/site post-auth section.  I do an if(){} clause
> with an LDAP-Group check to see if the user is a member.  If true, then
> I include within the "if{}" an "update reply {}" clause and set the
> attribute I want to the value I want (either fixed supported VALUEs by
> name, or arbitrary values, as appropriate).
> Take a look in provided with, and loaded by,
> FreeRADIUS.  If the attributes you want to set are in there, you can use
> them.  On my CentOS-7 systems with CentOS-supplied FreeRADIUS RPMs, the
> dictionaries are in /usr/share/freeradius.
> On 7/11/2019 12:59 PM, Rong Wang wrote:
> > Hello,
> >
> > I am trying to find out the correct way to send group policy attribute to
> > Cisco ASA for remote access vpn users. I am running Freeradius version
> > 3.0.17, and Cisco ASA version 9.8.3(18). Any help is appreciated.
> >
> > Thanks,
> > Rong Wang
> >
> --
> Douglas C. Stephens             | Network Systems Analyst
> Information Technology          | Phone: (515) 294-6102
> Ames Laboratory, US DOE         | Email: stephend at


Rong Wang

Senior Network Engineer

Address | 500 El Camino Real, Santa Clara, CA 95053

Phone |  (408)551-7107

Email | rzwang at

Website |

More information about the Freeradius-Users mailing list