need help with sending group policy attribute to ASA
Rong Wang
rzwang at scu.edu
Thu Jul 11 23:39:27 CEST 2019
Thank you Alan and Douglas for your help! It works! I made a mistake
earlier so it didn't work then. All I need to do is to "update reply" with
the correct format. I appreciate the help from both of you.
Rong
On Thu, Jul 11, 2019 at 1:52 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Jul 11, 2019, at 10:47 PM, Rong Wang <rzwang at scu.edu> wrote:
> >
> > Thank you! I tried to set attribute "ASA-Group-Policy" under "update
> > reply", ASA didn't take it.
>
> What does that mean?
>
> Does the ASA documentation say that it accepts that attribute in the
> Access-Accept packet?
>
> > I also tried to set it under "update request",
> > it also didn't work.
>
> Because you're updating the *input* packet.
>
> You can't just make random changes and hope that it magically works.
> Understanding things is the key.
>
> > I am able to create a group with group attribute, and
> > set Cisco AVpair for the group in raddb/mod-config/file/authorize, but I
> > never had the luck to make ASA-Group-Policy attribute work with ASA. Any
> > other thought?
>
> See the ASA documentation for what attributes it expects in an
> Access-Accept, and what it does with those attributes.
>
> Then, configure FreeRADIUS to send those attributes.
>
> Alan Dekok.
--
Rong Wang
Senior Network Engineer
Address | 500 El Camino Real, Santa Clara, CA 95053
Phone | (408)551-7107
Email | rzwang at scu.edu
Website | https://www.scu.edu/is/it