Has anyone ever got the ASA's DAP to trigger on the IETF RADIUS Class attribute? Am I supposed to use 25 for the Class attribute, or 4121 (4096+25)? Do I enter the exact string I have in the Class field in ACS into the value field? For example, in ACS I have "ou=GroupPolicy1" entered into the IETF-25 Class field for my user group A.
Side question: can I use multiple entries in this ACS field, and will DAP parse on them all? For instance, I would like to have a super user of a group have an extra Class statement that gives them rights above and beyond their peers.
When you are creating the DAP, select "RADIUS" as the AAA attribute type. The "attribute ID" should be 25. The "value" will be whatever you have specified on your ACS (i.e. for you it would be ou=GroupPolicy1).
You can try passing multiple values and you can confirm DAP parses them in the debugs (debug dap error and debug dap trace) -- you will see lines in the debugs like "aaa.radius["25"] = xxxx" where xxxx is what you have set.
You can create and match multiple DAP records if you want; if you do set it up with multiple DAP records, you can also use the above DAP debugs to confirm which DAP policies are being selected (you will see it towards the bottom of the debugs).
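A small helper for checking the debug output the answer above refers to. This is an added example, not code from the thread or from Cisco: it parses "debug dap trace" lines of the form `aaa.radius["25"] = value` (the only line format the thread quotes), collects every value seen per RADIUS attribute ID, and reports whether a given Class value actually reached DAP. The sample debug lines are constructed, and the assumption that the ASA prints one such line per attribute value is exactly that, an assumption; it is what you would want to verify when testing whether a second Class entry from ACS is parsed at all.

```python
import re
from collections import defaultdict

# Matches the attribute lines quoted in the thread, e.g.
#   aaa.radius["25"] = "ou=GroupPolicy1"
# The value may appear quoted or bare, so both are accepted.
ATTR_RE = re.compile(r'aaa\.radius\["(?P<id>\d+)"\]\s*=\s*"?(?P<value>[^"]*?)"?\s*$')

# Constructed sample output; not captured from a real ASA.
SAMPLE_DEBUG = """\
DAP_TRACE: DAP_open: C8DF0A40
DAP_TRACE: aaa.radius["1"] = "alice"
DAP_TRACE: aaa.radius["25"] = "ou=GroupPolicy1"
DAP_TRACE: aaa.radius["25"] = "ou=SuperUser"
DAP_TRACE: DAP_close: C8DF0A40
"""


def parse_dap_debug(text):
    """Return {attribute_id: [values...]} for every aaa.radius line found.

    Values are kept in the order they were printed, so a multi-valued
    attribute such as Class (25) shows up as a list of all entries seen.
    """
    attrs = defaultdict(list)
    for line in text.splitlines():
        match = ATTR_RE.search(line.rstrip())
        if match:
            attrs[match.group("id")].append(match.group("value"))
    return dict(attrs)


def class_values(attrs):
    """All Class (IETF attribute 25) values DAP received, or [] if none."""
    return attrs.get("25", [])


def has_class(attrs, wanted):
    """True if the exact Class string configured on ACS reached DAP.

    DAP value matching is an exact string comparison, so the comparison
    here is deliberately exact as well (no trimming, no case folding).
    """
    return wanted in class_values(attrs)


if __name__ == "__main__":
    parsed = parse_dap_debug(SAMPLE_DEBUG)
    print("Class values seen by DAP:", class_values(parsed))
    print("ou=SuperUser present:", has_class(parsed, "ou=SuperUser"))
```

If the second Class entry you configured on ACS never appears in the parsed list, the problem is upstream of the DAP record (RADIUS server or attribute encoding), not in the DAP match itself.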
I wasn't able to get the RADIUS 25 attribute to work at all. I had read somewhere that you had to add 4096 to the attribute number and so I tried 4121 as well, but that didn't work either. I ended up resorting to the cisco.username attribute and that works well so far.
I was trying to get multiple statements in the Class attribute to parse and, using DAP, make both groups' access combine. Turns out only the first Class is read and understood, as far as I can tell. So I'll have to put users into groups using the group as the basis of the security profile and use the DAP to parse the name of the user if I need to add or subtract any other special access needs.