Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ACS with Vasco


I was wondering - is there any way when configuring ACS for Radius Proxy into Vasco that particular usernames in Vasco can be mapped to ones in ACS in order to apply attributes to only certain people?

My understanding so far is that if ACS cannot find the username in its local database it will back it off into an external database if configured, such as Vasco. However i need different group policies applied to particular users by using attributes.

Thanks in advance for your help!


Cisco Employee

Re: ACS with Vasco

Hi Andy,

To enable per-user group mapping, configure the external user database to return authentication responses that contain the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair with the following value:

ACS:CiscoSecure-Group-Id = N

where N is the CiscoSecure ACS group number (0 through 499) to which CiscoSecure ACS should assign the user. For example, if Radius Token Server authenticated a user and included the following value for the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair: ACS:CiscoSecure-Group-Id = 37

CiscoSecure ACS assigns the user to group 37 and applies authorization associated with group 37.

Hope this helps,


Community Member

Re: ACS with Vasco

Hi Somishra

Thats great and thanks for your help!

Don't think Vasco supports the attribute though which is a shame :-(

Thanks again!


Community Member

Re: ACS with Vasco

Hi Somishra,

I've been trying to get network authorization working with RADIUS with the ASA, so that I can assign Cisco AV-pairs ACL statements to define where users can go to using cut trhough proxy. It appears it can only use RADIUS for authentication, and you need TACACS+ (and therefore ACS) to get network authorization working. Is this correct?



CreatePlease to create content