ACS with Vasco

Unanswered Question
Nov 14th, 2007


I was wondering - is there any way when configuring ACS for Radius Proxy into Vasco that particular usernames in Vasco can be mapped to ones in ACS in order to apply attributes to only certain people?

My understanding so far is that if ACS cannot find the username in its local database it will back it off into an external database if configured, such as Vasco. However, I need different group policies applied to particular users by using attributes.

Thanks in advance for your help!


somishra Thu, 11/15/2007 - 00:22

Hi Andy,

To enable per-user group mapping, configure the external user database to return authentication responses that contain the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair with the following value:

ACS:CiscoSecure-Group-Id = N

where N is the CiscoSecure ACS group number (0 through 499) to which CiscoSecure ACS should assign the user. For example, if Radius Token Server authenticated a user and included the following value for the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair: ACS:CiscoSecure-Group-Id = 37

CiscoSecure ACS assigns the user to group 37 and applies authorization associated with group 37.

Hope this helps,
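
The attribute described in the reply above, as an added example that is not part of the original post and is not Cisco or Vasco code: it encodes and parses the cisco-av-pair as a RADIUS Vendor-Specific attribute (type 26, vendor 9, vendor type 1, the "[009\001]" in the reply) and enforces the 0 through 499 group range. The function names, the sample bytes and the whitespace tolerance around "=" are assumptions made for illustration.

```python
import re
import struct

VSA_TYPE = 26          # RADIUS Vendor-Specific attribute (RFC 2865)
CISCO_VENDOR_ID = 9    # the "009" in [009\001]
CISCO_AV_PAIR = 1      # the "001" in [009\001]
# Assumption: tolerate optional spaces around "=" when parsing.
GROUP_RE = re.compile(r"^ACS:CiscoSecure-Group-Id\s*=\s*(\d+)$")


def build_group_avpair(group: int) -> bytes:
    """Encode the cisco-av-pair VSA an external server would return (hypothetical helper)."""
    if not 0 <= group <= 499:
        raise ValueError("ACS group number must be 0 through 499")
    value = f"ACS:CiscoSecure-Group-Id = {group}".encode("ascii")
    sub = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def extract_group(attrs: bytes):
    """Walk a RADIUS attribute list; return the mapped group number or None."""
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        data = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VSA_TYPE or len(data) < 6:
            continue
        vendor, vtype, vlen = struct.unpack("!IBB", data[:6])
        if vendor != CISCO_VENDOR_ID or vtype != CISCO_AV_PAIR:
            continue
        if vlen != len(data) - 4:
            raise ValueError("malformed vendor sub-attribute length")
        m = GROUP_RE.match(data[6:].decode("ascii", "replace"))
        if m and 0 <= int(m.group(1)) <= 499:
            return int(m.group(1))
    return None


# Constructed sample: a Reply-Message attribute (type 18) followed by the VSA.
SAMPLE = bytes([18, 4]) + b"ok" + build_group_avpair(37)

if __name__ == "__main__":
    print(extract_group(SAMPLE))
```

A reply that carries no such attribute yields None, which corresponds to the case where the external server cannot return the cisco-av-pair and no per-user group mapping takes place.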


andrew100 Thu, 11/15/2007 - 02:31

Hi Somishra

That's great, and thanks for your help!

Don't think Vasco supports the attribute though which is a shame :-(

Thanks again!


kirkpad01 Sat, 12/01/2007 - 00:16

Hi Somishra,

I've been trying to get network authorization working with RADIUS with the ASA, so that I can assign Cisco AV-pairs ACL statements to define where users can go to using cut-through proxy. It appears it can only use RADIUS for authentication, and you need TACACS+ (and therefore ACS) to get network authorization working. Is this correct?



