ASA DAP using Radius IETF-25 Class Attribute

Unanswered Question
Oct 9th, 2009

Has anyone ever got the ASA's DAP to trigger on the IETF RADIUS Class attribute? Am I supposed to use 25 for the Class attribute, or 4121 (4096+25)? Do I enter the exact string I have in the Class field in ACS into the value field? For example, in ACS I have "ou=GroupPolicy1" entered into the IETF-25 Class field for my user group A.

Side question: can I use multiple entries in this ACS field, and will DAP parse on them all? For instance, I would like a super user of a group to have an extra Class statement that gives them rights above and beyond their peers.

Thanks for any help you can provide!

hdashnau Wed, 10/14/2009 - 10:33

When you are creating the DAP, select "RADIUS" as the AAA attribute type. The "attribute ID" should be 25. The "value" will be whatever you have specified on your ACS (i.e. for you it would be ou=GroupPolicy1).

You can try passing multiple values, and you can confirm DAP parses them in the debugs (debug dap error and debug dap trace) -- you will see lines in the debugs like "aaa.radius["25"] = xxxx", where xxxx is what you have set.

You can create and match multiple DAP records if you want; if you do set it up with multiple DAP records, you can also use the above DAP debugs to confirm which DAP policies are being selected (you will see it towards the bottom of the debugs).

-heather

ben.posner Wed, 10/14/2009 - 11:39

Hi Heather,

I wasn't able to get the RADIUS 25 attribute to work at all. I had read somewhere that you had to add 4096 to the attribute number, so I tried 4121 as well, but that didn't work either. I ended up resorting to the cisco.username attribute, and that works well so far.

I was trying to get multiple statements in the Class attribute to parse and, using DAP, make both groups' access combine. Turns out only the first Class is read and understood, as far as I can tell. So I'll have to put users into groups, using the group as the basis of the security profile, and use the DAP to parse the name of the user if I need to add or subtract any other special access needs.

Ben
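
As an added example (not code from either poster or from Cisco), the following Python helper parses constructed "debug dap trace" lines of the form Heather describes (`aaa.radius["25"] = xxxx`) and reports which DAP records (attribute ID plus exact value string) would be selected; the `first_value_only` switch models Ben's observation that only the first Class value is consulted. The surrounding line layout, the record names and the multi-value behaviour are assumptions, not real ASA output or documented ASA semantics.

```python
import re
from dataclasses import dataclass

# Matches the attribute lines Heather describes, e.g. aaa.radius["25"] = "ou=GroupPolicy1".
# Values may be quoted or bare; everything around the assignment is an assumption.
ATTR_RE = re.compile(r'(?P<key>aaa\.[\w.]+(?:\["\d+"\])?)\s*=\s*"?(?P<value>[^"\r\n]*?)"?\s*$')

# Constructed sample trace (not captured from a real ASA): two Class values for one user.
SAMPLE_TRACE = """\
DAP_TRACE: Username: bposner, aaa.radius["1"] = "bposner"
DAP_TRACE: Username: bposner, aaa.radius["25"] = "ou=GroupPolicy1"
DAP_TRACE: Username: bposner, aaa.radius["25"] = "ou=SuperUser"
"""


def parse_dap_trace(text):
    """Collect every aaa.* assignment seen in the debug output, preserving order per key."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs.setdefault(m.group("key"), []).append(m.group("value"))
    return attrs


@dataclass(frozen=True)
class DapRecord:
    name: str          # hypothetical DAP record name
    attribute_id: int  # RADIUS attribute number as entered in the DAP GUI (25 = Class)
    value: str         # exact string configured on the ACS, e.g. ou=GroupPolicy1

    @property
    def key(self):
        return f'aaa.radius["{self.attribute_id}"]'


# Hypothetical DAP records; the 4121 one reproduces the 4096+25 guess and never matches.
RECORDS = [
    DapRecord("GroupPolicy1-access", 25, "ou=GroupPolicy1"),
    DapRecord("SuperUser-extras", 25, "ou=SuperUser"),
    DapRecord("WrongId-4121", 4121, "ou=GroupPolicy1"),
]


def select_dap_records(attrs, records, first_value_only=True):
    """Return the names of records whose attribute/value pair appears in the trace.
    first_value_only=True keeps only the first Class value, as Ben observed."""
    selected = []
    for rec in records:
        values = attrs.get(rec.key, [])
        if first_value_only:
            values = values[:1]
        if rec.value in values:
            selected.append(rec.name)
    return selected
```

Running `select_dap_records(parse_dap_trace(SAMPLE_TRACE), RECORDS)` selects only the GroupPolicy1 record; passing `first_value_only=False` shows what combined access would look like if every Class value were honoured.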
