Lab Minutes Forum

Technical Discussion => Security => Topic started by: rthurber on August 18, 2013, 01:38:35 PM

Title: ASA AnyConnect Tunnel Policy Selection for ISE Radius
Post by: rthurber on August 18, 2013, 01:38:35 PM
I'm trying to figure out how to provide unique tunnel policies based on Active Directory groups. I have ASA pointing AnyConnect VPN users to ISE for Radius. In Radius, Authentication is working fine. And I have an Authorization Policy that allows users of an AD group to gain access, but I need to have 2 or more authorization policies that allow access based on groups. Those Authorizations would then be assigned to unique tunnel policies on the ASA.
Title: Re: ASA AnyConnect Tunnel Policy Selection for ISE Radius
Post by: cisco on August 18, 2013, 01:47:21 PM
If I understand your question, I think you need to set a Radius attribute (Class 25) under the individual rule's Authorization profile. To do this you'll need to do a couple of things:
- Create a custom Radius Dictionary for Class 25
- Create a new Authorization Profile (similar to "PermitAccess", but in addition to permit, you will also set the AnyConnect users' VPN tunnel policy via the "OU=TunnelPolicyName" attribute)

Let me know if you have any questions. And by the way....

YOUUURRR~~ WELCOME!! j/k
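The ASA side of what the reply above describes, as an added example that is not part of this thread: each "tunnel policy" is an ASA group-policy whose name ISE sends back in RADIUS attribute 25 (Class) as OU=<group-policy-name>, and the tunnel-group falls back to a lock-out policy for any user whose ISE rule sends no Class attribute (for example a plain PermitAccess rule). Group-policy names, the server address and the shared secret are assumed placeholders.

```cisco
! Added example (not from the thread); names and addresses are assumed.
! One group-policy per tunnel policy. ISE names it in the Class attribute
! of the Access-Accept, e.g. OU=GP-VPN-ADMINS;
group-policy GP-VPN-ADMINS internal
group-policy GP-VPN-ADMINS attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 vpn-simultaneous-logins 3
group-policy GP-VPN-STAFF internal
group-policy GP-VPN-STAFF attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-STAFF
 vpn-simultaneous-logins 1
! Lock-out policy: the tunnel-group default for any Access-Accept that
! carries no Class attribute, so an unmatched user gets no session at all
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
! ISE as the RADIUS server (address and key are placeholders)
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.0.0.5
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
! A single tunnel-group; the group-policy is chosen by ISE, not here
tunnel-group ANYCONNECT-ISE type remote-access
tunnel-group ANYCONNECT-ISE general-attributes
 authentication-server-group ISE
 default-group-policy GP-NOACCESS
tunnel-group ANYCONNECT-ISE webvpn-attributes
 group-alias AnyConnect enable
```

After a test login, `show vpn-sessiondb anyconnect` shows the Group Policy applied to each accepted session; a user whose ISE rule sent no Class attribute lands in GP-NOACCESS and is refused, which is the intended outcome.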
Title: Re: ASA AnyConnect Tunnel Policy Selection for ISE Radius
Post by: MC on August 18, 2013, 05:59:34 PM
Quote from: cisco on August 18, 2013, 01:47:21 PM
If I understand your question, I think you need to set a Radius attribute (Class 25) under the individual rule's Authorization profile. To do this you'll need to do a couple of things:
- Create a custom Radius Dictionary for Class 25
- Create a new Authorization Profile (similar to "PermitAccess", but in addition to permit, you will also set the AnyConnect users' VPN tunnel policy via the "OU=TunnelPolicyName" attribute)

Let me know if you have any questions. And by the way....

YOUUURRR~~ WELCOME!! j/k

Thanks for the solution